Centre for Internet and Society

Is Data Protection Enough?

elonnai — 2012-03-22T05:28:51Z

The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.

In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.

Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.

Sources

http://www.thehindu.com/news/national/article905944.ece

http://is.gd/hJWD8 http://is.gd/hJWSX

http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage

Matthan, Rahul. The Mint:Technology. Nov. 24 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough

Internet-driven Developments — Structural Changes and Tipping Points

elonnai — 2012-12-28T15:34:51Z

A symposium on Internet Driven Developments: Structural Changes and Tipping Points was held in Cambridge, Massachusetts at Harvard University from December 6 to 8, 2012. The symposium was sponsored by the Ford Foundation and the MacArthur Foundation and was hosted by the Berkman Center for Internet & Society. In this blog post, I summarize the discussions that took place over the two days and add my own personal reflections on the issues.

The symposium served as an inaugural event for the Global Network of Interdisciplinary Centers, which currently includes as its members:

The Berkman Center for Internet and Society at Harvard University
The Alexander von Humboldt Institute for Internet & Society
The Centre for Internet and Society, Bangalore
The Center for Technology & Society at the Fundacao Getulio Vargas Law School, Keio University
The MIT Media Lab and its Center for Civic Media
The NEXA Center for Internet & Society at Politicnico di Torino.

Individuals and researchers from the Centers focused on understanding the effects of internet and society. The participants were brought together to explore the past, present, and future tipping points of the internet, to identify knowledge gaps, and to find areas of collaboration and future action between institutes and individuals. Specifically, the symposium set out to examine fundamental questions about the internet, identify structural changes that are occurring because of the internet, and the forces that are catalyzing these changes. Questions asked and discussed included:

What forces are changing production and service models?
What forces are influencing entrepreneurship and innovation? and
What forces are changing political participation?

Production and Service Models

Discussion

When participants discussed the changes that are happening to production and service models, concepts such as big data, algorithms, peer based models of production, and intermediaries were identified as actors and tools that are driving change in production and service models in the context of the internet. For example, big data and algorithms are being used to alter the nature, scope, and reach of business by allowing for the personalization and customization of services. To this end, many organizations have incorporated customer participation into business models, and provide platforms for feedback and input. The personalization of services has placed greater emphasis on the voice of the customer, allowing customers to guide and influence business by voicing preferences, satisfaction levels, etc. In this way, consumers can determine what type of service they want, and can also make political statements through their choices and feedback. In the process, however, such platforms generate and depend on large amounts of data and thus raise concerns about privacy.

Knowledge gaps that were identified during the conversation included how to predict what would make a participatory platform and peer based model successful, and how these platforms can be effectively researched. When looking at big data, a knowledge gap that was identified included how to ensure that data are collected ethically and accurately, as well as the related question: once large data sets are collected, how can the data be analyzed and used in a meaningful way?

There was also discussion about the increasingly critical and powerful role that intermediaries serve within the scope of the internet as they act as the platform provider and regulator for internet content. Intermediaries both allow for content to be posted on the internet, and determine what information is accessed through the filtering of web searches. Increasingly, governments are seeking to regulate intermediaries and create strict rules of compliance with governmental mandates. At the same time governments are placing the responsibility and liability of regulating what content is posted on internet on intermediaries, essentially placing them in the role of an adjudicator. This is one example of how the relationship between the private sector, the government, and the individual is changing, because it is only recently that private intermediaries have been held responsible first to governments, and only secondarily to customers.

Knowledge gaps identified in the discussion on intermediaries included understanding and researching how intermediaries decide to filter content found through searches. On what basis is each filter done? Are there actors influencing this process? And what are the economics behind the process?

Personal Thoughts

When reflecting on how the internet is changing and influencing the production of goods and services, I personally would add to the points discussed in the meeting the fact that the internet has also impacted the job economy. Reports show that jobs in the extraction and manufacturing sector are decreasing, as the internet has created a mandatory new tech oriented skill set that often outweighs the need for other skill sets. This change is far reaching as the job economy influences what skills students choose to learn, why and for what purposes individuals migrate across borders for employment, and in what industries governments invest money towards domestic development. In addition to changing the nature of skills in demand, the nature of the services themselves is changing. Though services are becoming more personalized and tailored to the individual, this personalization is automated, and replacing the ‘human touch’ that was once prized in business. Whether customers care if the service they are given is generated by an algorithm or delivered by an individual may depend on a person’s preference, but the European Union has seen this shift as being significant enough to address automated decision making in Article 15 of the EU directive, which provides individuals the right to not be subject to a decision which legally impacts him/her which is based only on automated processing of data. This directive encompasses decisions such as evaluation of a person’s performance at work, creditworthiness, reliability, conduct, etc.

The internet has also increased the cost of small mistakes made by businesses, as any mistake will now potentially impact millions of customers. The impact of any mistake makes risk management much more important and difficult, as businesses must seek to anticipate and mitigate any and all mistakes. The internet has also created a new level of dependency on the network, as businesses shift all of their services and functions over to the internet. Thus, if the network goes down, businesses will lose revenue and customers. This level of dependency on the network that exists today is different from past reliance’s on technology — in the sense that in the past there was not one single type of technology that would be essential for many businesses to run. The closest analogue was transportation: if trucks, trains, or ships were unavailable, multiple industries would be impacted. The difference is that those who relied on rail could shift temporarily to ships or trucks. Those relying on the network have no alternatives. Furthermore, past technologies were constantly evolving in the resources they depended on — from coal to gas, etc, but for the internet, it seems that the resource is not evolving, so much as expanding as increased bandwidth and connectivity are the solution to allowing technological evolution and innovation through the internet.

As discussed above, intermediaries are becoming key and powerful players, but they also seem to be increasingly placed between a rock and a hard place, as governments around the world are asking national and multinational intermediaries to filter content that violates national laws in one context, but not another context. Furthermore, intermediaries are increasingly being asked to comply with law enforcement requests for access to data that is often not within the jurisdiction of the requesting country. The difficult position intermediaries are placed in demonstrates how the architecture of the internet is borderless but the regulation and use of the internet is still tied to borders and jurisdiction.

Entrepreneurship and Innovation

Discussion

When discussing entrepreneurship and innovation it was pointed out by participants that grey markets and market failures are important indicators for possibilities of new business models and forms of innovation. Because of that, it is important to study what has failed and why when identifying new possibilities and trends. The importance of policies and laws that allow for innovation and entrepreneurship was also highlighted.

Personal Thoughts

When thinking about entrepreneurship and innovation on the internet and forces driving them, it seems clear that tethering, conglomerating, and organizing information from multiple sources is one direction that innovation is headed. Services are coming out that have the ability to search the internet based on individual preferences and provide more accurate data quickly. This removes the need for individuals to search the internet at length to find the information or products they want. Along the same lines, it seems that there is a greater trend towards personalization. Services are finding new and innovative ways to bring individuals customized products. Another trend is the digitization of all services — from moving libraries online, to bookstores online, to grocery stores online. Lastly, there is a constant demand for new applications to be developed. These can range from applications enabling communication through social networking, to applications that act as personal financial consultants, to applications that act as personal trainers. The ability for concepts, trends, etc to go viral on the internet has also added another dimension to entrepreneurship and innovation as any individual can potentially become successful by something going viral. The ability for something to go viral on the internet does not just impact entrepreneurship and innovation, but also impacts political participation and production and service models.

Political Participation

Discussions also centered on how political participation is changing as the internet is being used as a new platform for participation. For example, it is now possible for individuals to leverage their voice and message to local and global communities. Furthermore, this message can be communicated on a seemingly personal scale. Individuals from one community are able to connect to communities from another location — both local and abroad, and to work together to catalyze change. Messages and communications can be spread easily to millions of people and can go viral. This ability has changed and created new public spheres, where anyone can contribute to a dialogue from anywhere. Empowerment is shifting as well, because the internet allows for new power structures to be created by any actor who knows how to leverage the network. These factors allow for more voices to be heard and for greater citizen participation. The role of the youth in political movements was also emphasized in the discussions. On the other hand governments have responded by more heavily regulating speech and content on the internet when dissenting voices and campaigns are seen as a threat. It was also brought out that though emerging forms of online political participation have been heralded by many for achievements such as facilitating democracy, transparency, and bringing a voice to the silenced — many have warned that analysis of these political forms of participation overlook individual contributions and time. Other critiques that were discussed included the fact that digital revolutions also exclude individuals who do not have access to the internet or to platforms/applications and overlook actions and movements that take place offline.

Knowledge gaps that were identified included understanding the basics of the change that is happening in political participation through the internet. For example, it is unclear who the actors are that determine the conditions and scope for these changes, and like participatory forms of business, what enables and mobilizes change. Furthermore, it is unclear who specifically benefits from these changes and how, and who participates in the changes — and in what capacity. Additionally, much of the change has been quantified in the dialogue of the ‘global’ — global voices, global movements — but that dialogue ignores the local.

Personal Thoughts

In addition to the discussions on political participation, I believe the internet has created the possibility for ‘social governance’. To address situations in which there is no particular law against an action, but individuals come together and speak out against actions that they see on the internet that they believe should be stopped or changed. Depending on the extent individuals choose to enforce these decisions, this can be potentially dangerous as individuals are essentially rewriting laws and social norms without subjecting them to the crucible of consensus decision-making or review. In addition, forms of political participation are not changing just in terms of how the individual engages politically with states and governments, but also in the ways that politicians are engaging with citizens. For example, politicians are using Facebook and Twitter as means to communicate and gather feedback from supporters. Politicians are also using technology to reach more individuals with their messages — from experimenting with 3D holograms, to web casting, to using technology like CCTV cameras to prove transparency. The impact of this could be interesting, as technology is becoming a mediating tool that works in both directions between citizens and governments. Is this changing the traditional understandings of the State and the relationship between the State and the citizen?

Conclusion and ways forward

The discussions also pulled out dichotomies that apply to the internet and illustrate tensions arising from different forces. These dichotomies can be shaped by individuals and actors attempting to regulate the internet, as for example with new models of regulation vs. old models of regulation, private vs. public, local vs. global, owned vs. unowned, and zoned vs. unzoned. These dichotomies can be shaped by how the internet is used. For example, fair vs. unfair, just vs. unjust, represented vs. silenced, and uniform vs. diverse.

Common questions being asked and areas for potential research that came out of these discussions included information communication and media, how to address different and at times contradictory policies and levels of development in different countries, and what is the impact of big data on different sectors and industries like e-health and journalism? What is the importance of ICT in creating economic progress? How is the Internet changing the nature of democracy?

When discussing ways forward and areas for future collaboration it was brought out that exploring ways to leverage open data, ways to effectively use and build off of perspectives and experiences from other contexts and cultures, and ways to share resources across borders including funding, human presence, and expertise were important questions to answer. Common challenges that were identified by participants ranged from cyber security and the rise of state and non-state actors in cyber warfare, finding adequate funding to support research, sustaining international collaborations, ensuring that research is meaningful and can translate into useful resources for policy and law makers, and ensuring that projects are designed with a long-term objective and vision in mind.

The discussions, presentations, and contributions by participants during the two day symposium were interesting and important as they demonstrated just how multi-faced the internet is, and how it is never one dimensional. How the internet is researched, how it is used, and how it is regulated will be constantly changing. Whether this change is a step forward, or a re-invention of what has already been done, is up to all who use the internet including the individual, the corporation, the researcher, the policy maker, and the government.

For more details visit https://cis-india.org/internet-governance/blog/internet-driven-developments

Internet Privacy in India

elonnai — 2014-01-08T13:51:06Z

Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing.

The Changing Nature of Information

For example – the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and re-defining personal data and what type of protections personal data deserves and can be given. For example, seemingly harmless data such IP address, key words used in searches, websites visited, can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, do not know who is accessing the information, and do not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.

The Blurry Line between the Public and Private Sphere

The above example also highlights how the “sphere” of information on the internet is unclear i.e. is information posted on social media public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc. or is information posted on social media – private, and thus requires authorization for further use. For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.[1]

Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,[2] while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.[3] Indian Courts have yet to deal directly with the question of social media content being public or private information.

The Complication of Jurisdiction

The borderless nature of information flows over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example an Indian using Gmail, will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but could also be damaging to privacy in the reverse situation – where one company has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.[4] In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies such as Google, Facebook etc. accountable.[5]

Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.[6] Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.[7]

In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.

Current Policy for Internet Privacy in India

Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,[8]penalizing, hacking and fraud[9] and defining data protection standards for body corporate.[10]

Provisions that serve to dilute user privacy speak to access by law enforcement to user's personal information stored by body corporate[11] collection and monitoring of internet traffic data[12] and real time monitoring, interception, and decryption of online communications.[13] Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, if users have the right to be notified of the presence of cookies and do-not track options, the use of electronic personal identifiers across data bases, and if individuals have the right to request service providers to take down and delete their personal content.

Online Data Protection

Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, who has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.[14]

The Rules seek to provide rights to the individual with regards to their information and obligate body corporate to take steps towards protecting the privacy of consumer's information. Among other things, the Rules define “sensitive personal information' and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information ' except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”[15] and many gaps still exist. For example, the Rules apply only to:

Body corporate and not to the government
Electronically generated and transmitted information
A limited scope of sensitive personal information.
A body corporate when a contractual agreement is not already in place.

These gaps leave a number of bodies unregulated and types of information unprotected, and limits the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and if they are applying the Rules only to the use of their website or if they are also applying the Rules to their core business practices.

Cyber Cafés

In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Café’s to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.[16] Cyber Cafes must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.[17] Furthermore, Cyber Café’s must ensure that the partitions between cubicles do not exceed four and half feet in height from floor level.[18] Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.[19] In effect, the identification and retention requirements of these rules both impact privacy and freedom of expression, as cyber cafes users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users internet communications as the provision does not define:

An authorization process by which the registration agency follows to authorize individuals to conduct inspections.
Circumstances on which inspection of a Cyber Café by an authorized officer is necessary and permissible.
The process for which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.

Online Surveillance and Access

The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications[20] provide for the collection and monitoring of traffic data[21] and allow the government to set the national encryption standard.[22] In particular, the structure of these provisions and the lack of safeguards incorporated, serve as a dilution to user privacy. For example, though these provisions create a framework for interception they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.

Scope of Surveillance and Access

The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July 8,736 phones and e-mail accounts were under lawful surveillance.[23]

Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachel Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.[24] This demonstrates that there are instances of when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.

Demonstrating the tensions between right to privacy and governmental access to communications, and at the same time highlighting the issue of jurisdiction was the standoff between RIM/BlackBerry and the Indian Government. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.[25]

The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.

Future frameworks for privacy in India: The Report of the Group of Experts on Privacy

In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.[26] The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.

The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint the privacy commissioner or going before a court.

The nine national privacy principles include:

Notice: Principle 1: Notice

A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:

During Collection

What personal information is being collected;
Purposes for which personal information is being collected;
Uses of collected personal information;
Whether or not personal information may be disclosed to third persons;
Security safeguards established by the data controller in relation to the personal information;
Processes available to data subjects to access and correct their own personal information;
Contact details of the privacy officers and SRO ombudsmen for filing complaints.

Other Notices
Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

Example of Implementation: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processers, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.

Principle 2: Choice and Consent

A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.

Example of implementation: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent before processing information, does not need to be taken.

Principle 3: Collection Limitation

A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.

Example of Implementation: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.

Principle 4: Purpose Limitation

Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.

Example of Implementation: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.

Principle 5: Access and Correction

Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.

Example of Implementation: An individual who has opened a bank account, has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.

Principle 6: Disclosure of Information

A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.

Example of Implementation: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.

Principle 7: Security

A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.

Example of Implementation: If a company is a telecommunication company, it must have security measures in place to protect customers communications data from loss, unauthorized access, destruction, use, processing, storage, modification, denanonmyization, unauthorized disclosure, or other forseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing clear chain of custody for the handling and processing communications data.

Principle 8: Openness

A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.

Example of Implementation: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.

Principle 9: Accountability

The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.

Example of Implementation: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.

Public Discourses on Privacy

In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.

The Unique Identification Project

One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,[27] privacy has been a driving force behind the concerns about the project. Arguing that not only does the UID Bill not have sufficient privacy safeguards in its provisions[28] but the design of the project and the technology of the project places individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.

The Human DNA Profiling Bill

In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.[29]

Surveillance

For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.

The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments and what information surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.

A Privacy Legislation for India

Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.[31] In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.[32] Presently, the Department of Personnel and Training is drafting the text of the Governments Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.[33] From April 2013 – October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback to a privacy framework in India. Topics discussed during the meetings included, how to define sensitive personal information vs. Personal information, if co-regulation should be a model adopted as a regulatory framework, and what should be the legal exceptions to the right to privacy.[34]

Conclusion

Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.

[1]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/

[2]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml

[3]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us

[4]. http://www.bbc.co.uk/news/technology-24744695

[5]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece

[6]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1

[7]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece

[8]. ITA section 67

[9]. ITA section 43, 66, and 66F

[10]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.

[11]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)

[12]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009

[13]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009

[14]. Ibid footnote 6

[15]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html

[16]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf

[17]. Guidelines for Cyber Cafe Rules 5(4)

[18]. Guidelines for Cyber Cafe Rules 5(6)

[18]. Guidelines for Cyber Café Rules 5(6)

[19]. Guidelines for Cyber Café Rules 7(1)

[20]. Ibid footnote 9

[21]. Ibid footnote 8

[22]. ITA section 84A

[23]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act

[24]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime

[25]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/

[26]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[27]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf

[28]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/

[29]. http://www.epw.in/authors/elonnai-hickok

[30]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf

[31]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/

[32]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[33]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft

[34]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

For more details visit https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india

Intermediary Liability Resources

elonnai — 2014-07-03T06:45:48Z

We bring you a list of intermediary resources as part of research on internet governance. This blog post will be updated on an ongoing basis.

Shielding the Messengers: Protecting Platforms for Expression and Innovation. The Centre for Democracy and Technology. December 2012, available at: https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes and provides alternative ways of addressing illegal content online.
Internet Intermediaries: Dilemma of Liability: Article 19. 2013, available at: http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf:This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability have to online freedom of expression. Relying on international standards for freedom of expression and comparative law, the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendation in the document include: web hosting providers or hosts should be immune from liability to third party content if they have not modified the content, privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies, the model of notice to notice should replace notice and takedown regimes, in cases of alleged serious criminality clear conditions should be in place and defined.
Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries: Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf:This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight principles and components in different that can be used in international treaties and instruments, upcoming policies, and court decisions.
Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries. The Electronic Frontier Foundation. February 2011, available at: http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf:This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile and highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.
Study on the Liability of Internet Intermediaries. Contracted by the European Commission. 2007, available at: http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relavant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.
Internet Intermediary Liability: Identifying Best Practices for Africa. Nicolo Zingales for the Association for Progressive Communications, available at: https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model.
The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda: An uncertain terrain. Association for Progressive Communications. October 2012, available at: http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain:This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges . In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability.
The Fragmentation of intermediary liability in the UK. Daithi Mac Sithigh. 2013, available at: http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed and subsequently replaced with provisions from national legislation and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are diving into multiple systems – for example for content related to copyright intermediaries are being placed with new responsibilities while for content related to defamation, there is a reducing in the liability that intermediaries are held to.
Regimes of Legal Liability for Online Intermediaries: an Overview. OECD, available at: http://www.oecd.org/sti/ieconomy/45509050.pdf. This article provides an overview of different intermediary liability regimes including EU and US.
Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose. GNI. 2014, available at: http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf. This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations , and argues that the current liability regime in India is hurting the Indian internet economy.
Intermediary Liability in India. Centre for Internet and Society. 2011, available at: http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf. This report reviews and ‘tests’ the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right.
The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf

Click to read the newsletter from the Association of Progressive Communications. The summaries for the reports can be found below:

Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: http://www.apc.org/en/node/19279/. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.

APC’s Frequently Asked Questions on Internet Intermediary Liability: APC, May 2014, available at: http://www.apc.org/en/node/19291/. This report addresses common questions pertaining to internet intermediaries, which are entities which provide services that enable people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. The “Generalist” model intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.

New Developments in South Africa: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.

Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.

New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.

New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users data for at least here years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users register with their real name and prove that you are the person who is registration. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.

Internet Policies That Affect Africans: APC News, May 2014, available at: http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af. The Associsation for Progressive Communcations interviews researcher Nicolo Zingales about the trend among African governments establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.

Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility. Nyst argues for a middle ground between competing goals in internet regulation in Africa. Achieving one goal, of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands intermediaries be protected in a legal safe harbor and the other requires intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but responsibility, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.

For more details visit https://cis-india.org/internet-governance/blog/intermediary-liability-resources

Indian Law and the Necessary Proportionate Principles

elonnai — 2015-03-14T02:15:32Z

For more details visit https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf

High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017

elonnai — 2017-08-11T02:16:52Z

This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions.

In July 2017 the Law Commission published a report on DNA profiling and the “Draft Use and Regulation of DNA Based Technology Bill 2017”. India has been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, 2012, and 2015, and one version in 2016. In 2013, the Department of Biotechnology formulated an Expert Committee to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of dissent to the Expert Committee for DNA Profiling.

This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.

If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations. Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. Offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.

Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:

Positive Changes: The Bill contains a number of positive changes from the 2015 draft. Key ones include:

Consent: Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with our without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government. Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a voluneet who is a minor, which does not provide adequate protection to childrens' rights.
Deletion: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.
Purpose limitation: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank. Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.
Destruction of samples: Section 20 defines instances for destruction of DNA samples. Destruction of samples was not address in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.
Comparison of profiles: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects index. This creates an important distinction between types of indices held in the data bank and the purpose for the same i.e missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manger against all profiles contained in the DNA Data Bank.
Re-testing: Section 24 allows for an accused person to request for a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 was the creation a post - conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.
Limiting Indices and including a crime scene index: The 2017 Bill limits the number of indices to five - a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.

Remaining Issues: There are some remaining issues in the 2017 Bill. Some of these include:

Delegating and Expanding through Regulation: The Bill delegates a number of procedures to regulation - many which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected from to be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.
Broad Powers and Composition of the Board: The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation.

While serving on the Expert Committee,CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.

Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.

As a positive note, the reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This reccomendation has been incorporated.

CIS also provided language regarding how the Board could consult with the public:The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities. This language has not been fully incorporated

Lack of Authorization Procedure: Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.
Expansive Schedule: The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”
Unclear Data Stored: Though the Bill clarifies the circumstance that the identity of the individual will be associated with a profile, it allows for ‘information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.
Lack of procedures for chain of custody: Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory.

Missing Safeguards:

There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.
Right to challenge: There are no provisions that give the individual the right to challenge the storage of their DNA.
Established profiling standard: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.
Reporting standard: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.
Right to access and review: There are no provisions that allow an individual to review his/her information contained in the regional or the national database.
Lack of costing: There is no cost estimate in the report or a requirement for one to be carried out.
Study for the potential for false matches: This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people and is particularly necessary given the the size over population as large as India's.

Importantly, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.

For more details visit https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill

GSMA Research Outputs

elonnai — 2015-04-06T14:18:18Z

This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.

Click to download the PDF

Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.

Click to download the PDF

Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.

Click to download the PDF

Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.

Click to download the PDF

Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.

Click to download the PDF

Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.

Click to download the PDF

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.

Click to download the PDF

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.

Click to download the PDF

Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.

Click to download the PDF

The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.

Click to download the PDF

State of Cyber Security and Surveillance in India: A Review of the Legal Landscape

The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.

Click to download the PDF

For more details visit https://cis-india.org/internet-governance/blog/gsma-research-outputs

GNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector

elonnai — 2016-04-06T15:42:41Z

Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.

The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.

The session took place according to the Chatham House Rule. Each short presentation was followed by a space for questions and answers.

Human Rights Impact Assessments in the ICT sector – Michael Samway
The Human Rights Due Diligence Process at Nokia – Laura Okkonen
Yahoo’s approach to Human Rights Impact Assessments– Nicole Karlebach and Katie Shay
Orange’s challenges and approach to doing business in Africa – Yves Nissim
Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen
TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius
Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews

For discussion:

What are some of the common challenges facing current GNI member companies and ID member companies?
What do we consider to be good practices that are applicable to all?
What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?

For more details visit https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector

GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression

elonnai — 2014-01-20T06:17:46Z

Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.

Introduction

In January 2014, the Global Network Initiative (GNI) published the Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo. GNI is an industry consortium that was started in 2008 with the objective of protecting user’s right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join as members to the GNI network.

Overview of the Public Report

The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the GNI principles on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi – stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with Implementation Guidelines to provide companies with a framework for companies to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.

Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices by the companies that work to protect freedom of expression and privacy such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been, adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user who’s posted content is removed, Google will often notify the user and directs the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.

The Report highlights challenges to compliance with the GNI principles that companies face – namely legal restraints and mandates that they are faced with. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy for reasons such as the request needed clarification and modification, or that the request needed to follow established procedure.

A number of findings came out of the assessments undertaken for the Report including:

As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.
The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.
Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles.

The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:

Improving the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.
Consider the impact of hardware on freedom of expression and privacy.
Improve external and internal reporting.
Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.
Review executive management training.
Improve stakeholder engagement.
Improve communication with users.
Increase sharing of best practices.
The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.

NSA leaks, global push for governmental surveillance reform, and the Public Report

With special attention given to the various companies responses to the NSA leaks, the Report notes that in response to the NSA leaks the assessed companies have issued public statements and filed legal challenges with the US government and filed suit with the FISA Court seeking the right to disclose data relating to the number of FISA requests received with the public. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore in December 2014, the companies , along with other internet companies, developed and issued the five Principles on Global Government Surveillance Reform. Similar to other efforts to end mass and disproportionate surveillance, such as the Necessary and Proportionate principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.

Along these lines, on January 14^th, GNI released the statement “Surveillance Reforms to Protect Rights and Restore Trust”, urging the U.S Government to review and enact surveillance legislation that incorporate a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends the Government to action and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, support the use of strong encryption standards.

Conclusion and way forward

Looking ahead, GNI is planning on developing and implementing a mechanism to address effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.

The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and being to adopt the GNI principles and undergo GNI assessments.

For more details visit https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression

Feedback to the NIA Bill

elonnai — 2012-03-21T10:14:27Z

Malavika Jayaram and Elonnai Hickok introduce the formal submission of CIS to the proposed National Identification Authority of India (NIA) Bill, 2010, which would give every resident a unique identity. The submissions contain the detailed comments on the draft bill and the high level summary of concerns with the NIA Bill submitted to the UIDAI on 13 July, 2010.

The UID draft bill is a proposed legislation that authorizes the creation of a centralized database of unique identification numbers that will be issued to every resident of India. The purpose of such a database is characterized as ensuring that every resident is provided services and benefits. The UID project was first set up and introduced to the public in February 2009 by the planning committee. In June 2010, a draft bill was proposed which attracted public debates and opinions for over two weeks. Currently the bill is being considered by Parliament in the winter session (July-August 2010). If the Parliament of India approves the bill, it may be enacted during Winter 2010.

CIS has closely followed the UID project and reviewed the bill right from the time when it was first issued. and has worked to initiate and contribute to a public debate including attending of workshops in Delhi on 6 May, 2010 and in Bangalore on 16 May, 2010.

We respect the fact that civil society has many voices. That said, in our criticisms, suggestions, and analysis of the UID draft bill, we are asking for a simple, well-defined document, the language and structure of which expressly precludes abuse of a centralized identification database. The document should provide solely for its stated purpose of enabling the provision of benefits to the poor. Along with this mandate we believe the document should give clear rights of choice, control, and privacy to the Aadhaar number holder. Below is a summary of our general comments with citations to specific sections of the draft bill. A detailed section by section critique is attached along with our high level summary of concerns. The compilation and synthesis of detailed critiques was done by Malavika Jayaram.

Summary of High Concerns

Clarity of Definition and Purpose

Most importantly we find that in order to adhere to the stated purpose of the bill there is a need to limit and better define language in the relevant sections of the bill. This includes the powers and purpose of the Authority and the overarching scheme of the bill. We are concerned that the over-breadth and generality of the language will open up the opportunity for more information to be collected than originally stated. Further, definition will act to prevent uncontrolled or unwanted change in the project’s scope, and will clearly limit the usage of the Aadhaar numbers to the facilitation of the delivery of social welfare programs.

For the bill to be in line with its original purpose of reaching out to the poor, we also believe the issue of fees must be addressed. We find that there is an inadequate definition in the bill of what fees shall be applied for authentication of Aadhaar numbers. Also we find that it is incompatible with the bill’s stated purpose to require an individual to pay to be authenticated. The bill should provide that no charges will be levied for authentication by registrars and other service providers for certain categories of Aadhaar number holders (BPL, disabled, etc.), and that charges will be limited/capped in other cases. This will bring the bill in line with the statement in Chapter II 3 (1) “Every resident shall be entitled to obtain an Aadhaar number on providing his demographic information and biometric information to the Authority in such a manner as may be specified by regulations” and Chapter 3 (10 ) “The Authority shall take special measures to issue Aadhaar numbers to women, children, senior citizens, persons with disability, migrant unskilled and unorganized workers, nomadic tribes or such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations. If a fee must be permitted, a cap/safeguard should be put in place to ensure that the fee does not become a mechanism of abuse.

Protection of the Citizen

The bill should ensure the protection of citizens’ rights to privacy and freedom of choice. To do this it is important that the bill is voluntary, allows for the protection of anonymity, and is clear on how data will be collected, stored and deleted. Measures should be taken towards ensuring that the Aadhaar number is truly voluntary. Accordingly, a prohibition against the denial of goods, services, entitlements and benefits (private or public) for lack of a UID number – provided that an individual furnishes equivalent ID is necessary. The bill should also spell out the situations in which anonymity will be preserved and/or an Aadhaar number should not be requested such as a person’s sexuality/sexual orientation and marital status/history. Furthermore, the bill should require the Authority, registrars, enrolling agencies and service providers to delete/anonymize/obfuscate transaction data according to defined principles after appropriate periods of time in order to protect the privacy of citizens.

Motivations of the UID Bill

Since the submission of the high level summary, we note that a list of 221 agencies empanelled by the UIDAI has been uploaded onto the website (by a memo dated 15 July, 2010). A swift reading reveals that most of the agencies who are going to help enroll people into the UIDAI system are not NGOs, CSOs or other welfare oriented not-for-profit entities; rather, they are largely IT companies and commercial enterprises. This begs the question as to whether the UID scheme/Aadhaar is truly geared towards delivery of benefits and inclusivity of the poor and marginalized. Already concerns have been voiced that the “ecosystem” of registrars and enrolling agencies contemplated by the scheme, to the extent that it envisages a public-private partnership, could firstly, be “hijacked” or “captured” by commercial motives and result in sharing of data, security breaches, compromised identities, loss of privacy, data mining and customer profiling, and secondly, end up neglecting the very sections of society that the scheme allegedly most wants to help. The list of empanelled companies makes this even more likely and imminent a concern. Without casting aspersions on any of those entities, we would like to highlight that this sort of delegated structure raises several concerns.

Additionally, we find the speed and efficiency with which the UIDAI juggernaut is signing MoUs with states, banks and government agencies on the one hand, and issuing tenders, RFPs, RFQs and otherwise seeking proposals and awarding contracts to private entities – in the absence of any Parliament-sanctioned law (the bill is still a draft, and yet to even be placed before the Parliament) to be alarming. Along with news of the increasing costs of the project and doubts about how foolproof the technology will be, it is staggering to imagine that something that raises so many concerns is being pushed through without a more serious debate. The lack of formal procedures and open debates makes one wonder how democratic the actual process is.

Conclusion

To conclude, CIS believes that the UID bill threatens the rights of citizens in India, and appeals to the citizen to think critically of its implications and consequences.

1. Detailed Summary pdf (159kb)

2. High Level Summary (77kb)

For more details visit https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill

Export and Import of Security Technologies in India: Q&A

elonnai — 2015-03-14T02:41:05Z

For more details visit https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf

Encryption Standards and Practices

elonnai — 2012-03-22T05:39:16Z

The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security.

Introduction: Different Types of Encryption

When looking at the informational side of privacy, encryption is an important component to understand. Encryption in itself is a useful tool for protecting data that is highly personal in nature and is being stored, used in a transaction, or shared across multiple databases. The quality of encryption is judged by the ability to prevent an outside party from determining the original content of an encrypted message. There are many different types of encryption including:

Symmetric Key Encryption: Communicating parties share the same private key that is used to encrypt and decrypt the data. This form of encryption is the most basic, and is fast and effective, but there have been problems in the secure exchange of the unique keys between communicating parties over networks [1].

Asymmetric Key Encryption: This system relies on the use of two keys– one public, and one private. In this system only the user knows the private key. In order to ensure security in the system a mathematical algorithm that is easy to calculate in one direction, but nearly impossible to reverse calculate is often used. Use of a public and a private key asymmetric avoids the problem of secure exchange that is experienced by symmetric key encryption. The basis of the two keys should be so different, that it is possible to publicize one without the danger of being able to derive the original data. Decoding of data takes place in a two step process. The first step is to decrypt the symmetric key using the private key. The second step is to decode the data using the symmetric key and interpret the actual data[2].

One-way Hash Functions: One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove[3].

Message Authentication Codes: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions[4].

Random Number Generators: An unpredictable sequence of numbers that is produced by a mathematical algorithm[5].

Encryption in India

Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications (“DOT”) in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers’ data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT:“License Agreement for Provision of Internet Service (including Internet Telephony)’ issued by Department of Telecommunications”[6] Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule. Below are a few sectoral examples:

A) Banking: ‘Report on Internet Banking’ by the Reserve Bank of India 22 June 2001:

"All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”[7]

B).Trade: The following advanced security products are advisable:

"Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption"[8]

C).Trains: ‘Terms & Conditions’ for online Railway Booking 2010:

"Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website.”[9]

The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.

Data Security, Encryption, and Privacy:

To understand how encryption relates to privacy, it is important to begin by looking at data security vs. privacy. Security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time they are opposed to each other. First, data security and privacy are not the same. Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, restricted access to data, limited data retention, and anonymity[10]. If security measures are carried out without privacy interests in mind, surveillance can easily result in severe privacy violations. Thus, data security should influence and support a privacy regime but not drive it. In this context, encryption and data security will create an expectation of privacy, rather than undermine or overshadow privacy. By the same token encryption cannot be seen as the cure for privacy challenges. Encryption cannot adequately protect data, but when supported by a strong privacy and security regime – it can be very effective. It is also a good measuring rod for determining how committed a company has been to protecting a person’s privacy and ensuring the security of his or her data. In light of the symbiotic yet complicated relationship that privacy and data security have with each other, it would make sense for legislation and domestic encryption standards to be merged and addressed together. This would ensure that a) the standard is not archaic (as the current 40 bit one is); b) would take into account the threat to privacy that surveillance can impose and would address decryption when addressing encryption; and c) would anticipate the collection and cataloging of data and ensure security of the data and person as well as national security.

National Security and Encryption

Encryption is a subject that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items [10]. This means that a license is required to export or re-export identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.

The Relationship between the Market, the Individual, the State, and Encryption

Moving away from the technical language it is useful to break down encryption from a social science point of view. Who are the actors involved – what is their relationship with each other, and how does encryption come into the picture. When one looks at encryption it is possible to conceive of many different scenarios, each with different players. In the first scenario there is an individual and another individual. They are sending information back and forth. The third individual could be an entity, a business, or just another individual. The first two individuals want to keep their information away from this third, unknown person or entity. For that reason, the first two encrypt their communications. Encryption is a tool that has the ability to re-draw the lines between the public and private sphere by giving individuals the ability to form a very private line of communication, and thus a very private relationship in a space that is very non-private - such as the internet. In another scenario between the individuals and the markets – the market wants information about an individual to enhance its effectiveness and profits. To create trust, the market promises that information given is encrypted. Thus, the market is attempting to initiate a trusting relationship with individuals. This relationship though, is forced and false, because individuals must compromise how much information they disclose for a product or service in return.

In the second scenario, there is an individual, another individual, and a Government. In this situation the two individuals again say that they want to have a private conversation in a public space, and so it is encrypted, but the Government – which is worried about national security decides that it wants to listen in on the conversation. This places a new dynamic on the relationship. No longer are the two individuals private. Not only can the government hear their conversation, but they have no choice over whether their conversation is heard or not. This is a relationship based off of the premises of distrust between the government and individuals. It presupposes, and is biased in assuming, that if you have done nothing wrong – you have nothing to hide.Using the same set of actors, perhaps a government requires the collection of information about its citizenry that is sensitive. To ensure the privacy of its people, the government encrypts the information, but the individual has essentially lost control over his/her information. He/she is forced to trust that the Government will not misuse the information given.

In the third scenario there is a market, an, individual, and the government. The market gathers information about an individual on transactional levels, but encrypts it – because in the wrong hands – this information could be misused. The government still wants access to the information and so they demand the information. What does the market say? Does it side with the individual or the Government? If governments sanction the market, they can make it bend to their will. Thus, the government is in a position to control the market and the individual, but to what ends and for what means. In all of these situations the understood role of the market, the government, and the individual has been shifted by the ability to encrypt information. The idea of using encryption as a means to keep information safe speaks to a new relationship that has formed between the government, the market, and the individual.

Bibliography:

Burke, Jerome. McDonald, John. Architectural Support for Fast Symmetric-Key Cryptography
Munro, Paul. Public Key Encrpytion. University of Pittsburgh. 2004
Merkle, Ralph. One Way Hash Functions and DES.
Department of Commerce. Federal information Processing Standards Publication. The Keyed - Hash Message Authentication Code. http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://www.ruskwig.com/random_encryption.htm
http://www.indentvoice.com/other/ISPLicense.pdf
Report on Internet Banking’ by The Reserve Bank of India: 22 June 2001
Internet Trading guidelines issued by Securities & Exchange Board of India: 31 January 2000
Website of IRCTC (a public sector undertaking under the Ministry of Railways)
American Bar Assiociation: International Guide to Privacy.
Department of Commerce: Bureau of Industry and Security – Encryption Export Controls. June 25 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_encryption

DSCI Information Security Summit 2010 – A Report

elonnai — 2012-03-21T10:04:22Z

On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.

Day one commenced with keynote address given by Jeffery Carr, Principal, GreyLogic, US who spoke about the gravity and risk that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade as foreign countries will have an enforced policy to ensure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are:

data security and privacy
compliance requirements
legal and contractual requirements

It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as 40 bit encryption, and the Indian Telecom licensing policy which do not permit data transfer outside the cloud. Discussed also were measures that organisations have adopted to address data protection challenges in the cloud including: Including security & privacy clauses in the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on Data Protection Challenges in Cloud Computing: An Indian Perspective. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from using security enables software to security embedded hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.

The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy presented many different viewpoints which ranged from the stance that India has been taking the right steps towards securing individuals privacy, and in contrast, that India has seen a dilution of privacy standards in the recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections - to return to the clauses in the ITA, see if they are indeed being followed, and then assess if India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes a debate evoked on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken by the States in which key stakeholders including students and local law enforcement were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives. Closing the day was a panel on E-Security for the next five years including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework.

The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.

For more details visit https://cis-india.org/internet-governance/blog/dsci-information-summit

Draft International Principles on Communications Surveillance and Human Rights

elonnai — 2013-07-12T15:55:45Z

These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles.

The principles are still in draft form. The most recent version can be accessed here. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.

These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.[1]

We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.

Preamble
Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.[2] Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.[3]

Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.[4]

While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. [5] When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. [6] Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.

It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:

Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.
Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media.

We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.

These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.[7] Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,[8] we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.

The Principles

Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process

Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Necessity: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.[9]While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. [10]

User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. [11]

Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Signatories

Organisations

Article 19 (International)
Bits of Freedom (Netherlands)
Center for Internet & Society India (CIS India)
Derechos Digitales (Chile)
Electronic Frontier Foundation (International)
Privacy International (International)
Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)
Statewatch (UK)

Individuals

Renata Avila, human rights lawyer (Guatemala)

Footnotes

[1]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance
[2]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.
[3]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument.
[4]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.
[5]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.
[6]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at http://www2.technologyreview.com/article/409598/tr10-reality-mining/ and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.
[7]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf
[8]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See http://www.globalnetworkinitiative.org/
[9]As defined by international and regional conventions mentioned above.
[10]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.
[11]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top.

For more details visit https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights