Centre for Internet and Society

Odia Wikipedia: Needs Assessment

subha — 2013-07-17T06:35:15Z

This blog encompasses the status of Odia Wikipedia and assessment of the needs for growth of the community.

This blog is part of the annual work plan for Odia Wikipedia which was updated on Odia Wikipedia and Meta Wiki.

Odia is one of the official languages of India. It is the official language of Odisha and the second official language of Jharkhand. Odia is also spoken in parts of West Bengal, Jharkhand, Chattisgarh and Andhra Pradesh. By 2011 census there are 3.6 crore Odia speakers across the world. Literacy rate of Odisha is 73.45 per cent (82.4 per cent male, 64.36 per cent female).

Majority of the computer users in Odisha were on Microsoft Windows platforms. Windows did not have a stable Odia language support until the release of Windows Vista. This would have forced majority of the computer users prefer English on Odia for internet communication. As per the 2011 census only 5.1 per cent of the 9,661,085 households of Odisha had computers and 1.4 per cent (357,460 households) of the households had access to internet. Odia Wikipedia has only 13 active contributors[1] who are based both in and out of Odisha and contributed to 3715 articles.[2]

Low computer/internet penetration, lack of promotion/outreach of Odia Wikipedia are some of the major factors which resulted in low Wikipedia participation. Odia Wikipedia celebrated its 9th anniversary on January 29, 2013 which is marked to be the date of its first edit in 2004.[3] The project was inactive for about 8 years until February 2011.[4]

Community building process slowly started by February-March 2011 by some of the active wikipedians in Bengaluru and gradually in six other cities in and out of Odisha.[5]The community so far has organized 18 meet-ups, 10 workshops and worked on a major media donation project on Wikimedia Commons.[6] Six on-wiki projects on various subjects[7] and rolled a Wikipedia education program.[8]

Fact Sheet

Wikimedia projects	No. of Editors/Contributors (2011-12)	No. of Editors (2012-13)	No. of Active editors (2011-12)	No. of Active editors (2012-13)	No. of Articles/ entries (2011-12)	No. of Articles/ entries (2012-13)	No. of Page views per months
Wikipedia	29	64	19	14	1951	3209	330161
Wiktionary	6	14	1	2	98	155	30618

Identified Needs

This section gives a broad idea of the challenges for community/wikipedia growth for which there is a need of programatic and technical intervention.

Lack of awareness

Lack of media presence: Mainstream Odia language media is still unaware of the presence and importance of Odia Wikipedia. There is a need for wider media coverage about Odia Wikipedia.
Lack of focussed meetups/outreach events due to dispersed community: Outreach events and meetups have not been customized for the target audience and have been done in a low scale because of the small community dispersed in six different cities. Physical meetups often have been more on technical issues and not much focus on designing strategies for growing content and community. Experienced wikipedians conducting outreach need to be trained properly to conduct productive outreach events.
More city centric communities: Majority of community members are located in three major cities; Bhubaneswar, Cuttack and Nalconagar. This has resulted in outreach events being more delimited to these three cities only. There is a need for taking Odia Wikipedia to more cities.
Target age group for outreach: Till date the targeted audience for outreach are mostly engineering/other students based in cities where English is predominantly the language of communication in terms of written/computer communication and partly verbal communication. Many of the elderly masses are unaware of even the existence of Odia Wikipedia. More of young professionals, elderly and retired professionals need to be involved in the outreach.

Accessibility issues

Technical hindrance

Lack of Unicode usage: Printing industry professionals still use non-Unicode fonts for typing. There are at least three major different typing schemes and font categories used across the industry (includes book/magazine/newspaper publishers, print/digital media). Font converter tools of high accuracy are needed for easy conversion of such available content and using them as primary resources.
Lack of support in typing schemes: Those who are experienced in typing schemes other than the ones used on Odia Wikipedia (InScript, Transliteration, Phonetic) often fail to adapt the typing schemes of Odia Wikipedia. There is a need of new typing schema for simplifying typing in Odia.

Content

Lack of Open-Source culture: There is very little presence of the open source methodology across academia, media industry and public and private sector organization. A lot of resources produced are either not digitized and distributed or copyrighted. This has been a road block to the Wikipedia community to make use of any kind of archived and digitized resource. Wikipedians need to be connected to more open source communities, exchange ideas/information and spreading words across other communities.
Lack of resource dissemination because of support: Some of the digitized resources are not being distributed because of shortage of manpower and resource. A book digitization project initiated by Srujanika faced many hindrances during distribution including copyright issues, hosting and manpower for support. Such resources need to be gathered and distributed for community use.

Community

Role of experienced wikipedians: There is a need of more experienced wikipedians coming forward to take the lead of projects along with their primary contribution for articles. Wikipedia could be a platform for them to reach out to more people who are in the domain of knowledge dissemination and language resource building.

[1]. Wikimedia stats. January 2013

[2].https://or.wikipedia.org/wiki/Special:Statistics

[3].http://en.wikipedia.org/wiki/Oriya_Wikipedia

[4].http://meta.wikimedia.org/wiki/Grants:Tinucherian_and_Shijualex/Wiki_Community_development_in_India_and_newsletter/Report#Bhubaneshwar

[5].http://shijualex.in/indic-language-wikipedias-statistical-report-2011/

[6].https://or.wikipedia.org/s/ay

[7].https://or.wikipedia.org/s/jf

[8]. https://or.wikipedia.org/s/cgj

For more details visit https://cis-india.org/openness/blog-old/odia-wikipedia-needs-assessment

Google Policy Fellowship Programme: Call for Applications

praskrishna — 2013-05-17T01:01:47Z

The Centre for Internet & Society (CIS) is inviting applications for the Google Policy Fellowship programme. Google is providing a USD 7,500 stipend to the India Fellow, who will be selected by July 1, 2013.

The Google Policy Fellowship offers successful candidates an opportunity to develop research and debate on the fellowship focus areas, which include Access to Knowledge, Openness in India, Freedom of Expression, Privacy, and Telecom, for a period of about ten weeks starting from July 7, 2013 upto October 1, 2013. CIS will select the India Fellow. Send in your applications for the position by June 15, 2013.

To apply, please send to google.fellowship@cis-india.org the following materials:

Statement of Purpose: A brief write-up outlining about your interest and qualifications for the programme including the relevant academic, professional and extracurricular experiences. As part of the write-up, also explain on what you hope to gain from participation in the programme and what research work concerning free expression online you would like to further through this programme. (About 1200 words max).
Resume
Three references

Fellowship Focus Areas

Access to Knowledge: Studies looking at access to knowledge issues in India in light of copyright law, consumers law, parallel imports and the interplay between pervasive technologies and intellectual property rights, targeted at policymakers, Members of Parliament, publishers, photographers, filmmakers, etc.

Openness in India: Studies with policy recommendations on open access to scholarly literature, free access to law, open content, open standards, free and open source software, aimed at policymakers, policy researchers, academics and the general public.

Freedom of Expression: Studies on policy, regulatory and legislative issues concerning censorship and freedom of speech and expression online, aimed at bloggers, journalists, authors and the general public.

Privacy: Studies on privacy issues like data protection and the right to information, limits to privacy in light of the provisions of the constitution, media norms and privacy, banking and financial privacy, workplace privacy, privacy and wire-tapping, e-governance and privacy, medical privacy, consumer privacy, etc., aimed at policymakers and the public.

Telecom: Building awareness and capacity on telecommunication policy in India for researchers and academicians, policymakers and regulators, consumer and civil society organisations, education and library institutions and lay persons through the creation of a dedicated web based resource focusing on knowledge dissemination.

Frequently Asked Questions

What is the Google Policy Fellowship program?

The Google Policy Fellowship program offers students interested in Internet and technology related policy issues with an opportunity to spend their summer working on these issues at the Centre for Internet and Society at Bangalore. Students will work for a period of ten weeks starting from June 1, 2013. The research agenda for the program is based on legal and policy frameworks in the region connected to the ground-level perceptions of the fellowship focus areas mentioned above.

I am an International student can I apply and participate in the program? Are there any age restrictions on participating?

Yes. You must be 18 years of age or older by January 1, 2013 to be eligible to participate in Google Policy Fellowship program in 2013.

Are there citizenship requirements for the Fellowship?

For the time being, we are only accepting students eligible to work in India (e.g. Indian citizens, permanent residents of India, and individuals presently holding an Indian student visa. Google cannot provide guidance or assistance on obtaining the necessary documentation to meet the criteria.

Who is eligible to participate as a student in Google Policy Fellowship program?

In order to participate in the program, you must be a student. Google defines a student as an individual enrolled in or accepted into an accredited institution including (but not necessarily limited to) colleges, universities, masters programs, PhD programs and undergraduate programs. Eligibility is based on enrollment in an accredited university by January 1, 2013.

I am an International student can I apply and participate in the program?

In order to participate in the program, you must be a student (see Google's definition of a student above). You must also be eligible to work in India (see section on citizen requirements for fellowship above). Google cannot provide guidance or assistance on obtaining the necessary documentation to meet this criterion.
I have been accepted into an accredited post-secondary school program, but have not yet begun attending. Can I still take part in the program?

As long as you are enrolled in a college or university program as of January 1, 2013, you are eligible to participate in the program.
I graduate in the middle of the program. Can I still participate?

As long as you are enrolled in a college or university program as of January 1, 2013, you are eligible to participate in the program.

Payments, Forms, and Other Administrative Stuff

How do payments work?

Google will provide a stipend of USD 7,500 equivalent to each Fellow for the summer.

Accepted students in good standing with their host organization will receive a USD 2,500 stipend payable shortly after they begin the Fellowship in June 2013.
Students who receive passing mid-term evaluations by their host organization will receive a USD 1,500 stipend shortly after the mid-term evaluation in July 2013.
Students who receive passing final evaluations by their host organization and who have submitted their final program evaluations will receive a USD 3,500 stipend shortly after final evaluations in August 2013.

Please note: Payments will be made by electronic bank transfer, and are contingent upon satisfactory evaluations by the host organization, completion of all required enrollment and other forms. Fellows are responsible for payment of any taxes associated with their receipt of the Fellowship stipend.

*While the three step payment structure given here corresponds to the one in the United States, disbursement of the amount may be altered as felt necessary.

What documentation is required from students?

Students should be prepared, upon request, to provide Google or the host organization with transcripts from their accredited institution as proof of enrollment or admission status. Transcripts do not need to be official (photo copy of original will be sufficient).

I would like to use the work I did for my Google Policy Fellowship to obtain course credit from my university. Is this acceptable?

Yes. If you need documentation from Google to provide to your school for course credit, you can contact Google. We will not provide documentation until we have received a final evaluation from your mentoring organization.

Host Organizations

What is Google's relationship with the Centre for Internet and Society?

Google provides the funding and administrative support for individual fellows directly. Google and the Centre for Internet and Society are not partners or affiliates. The Centre for Internet and Society does not represent the views or opinions of Google and cannot bind Google legally.

Important Dates

What is the program timeline?

June 15, 2013	Student Application Deadline. Applications must be received by midnight.
July 1, 2013	Student applicants are notified of the status of their applications.
July 2013	Students begin their fellowship with the host organization (start date to be determined by students and the host organization); Google issues initial student stipends.
August 2013	Mid-term evaluations; Google issues mid-term stipends.
October 2013	Final evaluations; Google issues final stipends.

For more details visit https://cis-india.org/internet-governance/blog/google-policy-fellowship-call-for-applications-2013

CIS anniversary

praskrishna — 2013-05-06T07:28:07Z

The Centre for Internet and Society will celebrate five years of its existence with an exhibition showcasing its works and accomplishments.

This was published in Hindu Business Line on May 5, 2013

The exhibition will be held concurrently at both Bangalore and Delhi offices from May 20 to 24, 2013, said a press release.

“To promote transparency, we're getting the general public to be our auditors by throwing open our account books and contracts which show how we have spent the Rs 8.3 crore received from our donors.”

The exhibition will also see artists like Kiran Subbaiah, Tara Kelton, Navin Thomas, Abhishek Hazra, among others exhibiting their works, as well as lectures.

For more details visit https://cis-india.org/news/the-hindu-business-line-may-5-2013-cis-anniversary

Celebrating 5 Years of CIS

praskrishna — 2014-02-25T09:15:58Z

The Centre for Internet & Society (CIS) is celebrating 5 years of its existence with an exhibition showcasing its activities and accomplishments. The exhibition will be held at its offices in Bangalore and Delhi from May 20 to 23, 2013.

Download all the posters exhibited during the recent exhibition here.

As a move to promote transparency, CIS is inviting the general public to be its auditors by throwing open its account books and contracts which show how it has spent the Rs. 13.13 crores received from its donors. The four-day event will see renowned artists like Kiran Subbaiah, Tara Kelton, Navin Thomas and Abhishek Hazra featuring their work and also giving live demonstrations.

Agenda

Open exhibition on all the 4 days from 10.00 a.m. to 8.00 p.m., in Bangalore and Delhi. The evening programmes will be held in Bangalore. Dinner will be served right afterwards.

Evening Programmes

May 20, 2013

18.00 19.00	Why did I buy a set-top box?: What we know, don't know and need to know about Digitalisation — A Talk by Vibodh Parthasarathi Why are we being asked to install set-top boxes? How will this change what we want, and pay for, on TV? Grappling with these questions, the talk will evaluate the rationale of the digital migration in cable currently underway, and the less talked about digital migration being planned for the public broadcaster. These scarcely debated and often contentious issues form the core of a recent Country Report on the Media in India, anchored by the speaker. The India Country Report, the first inter-sectoral and policy oriented study of our electronic media landscape, finds the ongoing digitalisation of cable, the infusion of digital tools in the press and the proposed digital switchover of the public broadcaster, posing varied challenges not only to journalism but to public interest at large. This report is part of a global initiative, Mapping Digital Media, examining opportunities and risks amidst the transitions to a digital media ecology across 50 countries. Video
19.00 19.30	Film Screening on Cyber Cafes of Rural India by Video Volunteers Video Volunteers in partnership with CIS have been documenting the cyber cafes of rural India. Kamini Menon and Christy Raj will do the screening of seven 2-minute films: Cyber Cafe Trends Slowly Changing in Imphal by Achungmei Kamei (Manipur) Transgender Interaction with Cyber Cafes by Christy Raj (Karnataka) Cyber Cafes Prevail Over Mobile Phones in Nagaland by Meribeni Kikon (Nagaland) Mobile Technology Threatens Cyber Cafes in HP by Avdhesh Negi (Himachal Pradesh) Cyber Cafe Visit - A Day's Journey by Saroj Paraste (Madhya Pradesh) The Challenges of Establishing Cyber Cafes by Rohini Pawar (Maharashtra) The Community Service Centre - Myth or Reality? by Neeru Rathod (Gujarat) Video
19.30 20.00	Hindustani Classical Performance by Aditya Dipankar
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283 Prasad Krishna (prasad@cis-india.org).

May 21, 2013

18.00 19.00	Screening of Sabaka A young elephant trainer in India vows revenge against the cult that killed his family. He seeks help from the local Maharajah who refuses, and he sets out alone to battle the enemy... Sabaka is a 1954 film produced and directed by Frank Ferrin starring Boris Karloff, Reginald Denny, June Foray, et.al.
19.00 20.00	Slouching towards Tlön: An Encyclopedia for the 2nd century of Indian cinema — A Talk by Lawrence Liang Ashish Rajadhyaksha and Paul Willemen’s Encyclopedia of Indian cinema (1994) marked an important moment for the study of Indian film history. In the two decades since its publication we have seen a rise in the academic community working on Indian film history along with the rise of various new archival initiatives online. Materials that were hitherto unavailable have also made their way into the public domain via the efforts of film historians, cinephiles and other enthusiasts. It is perhaps fitting to think about what a collaborative encyclopedia of Indian cinema for the 21st century may look like. Using Rajadhayksha and Willemen’s Encyclopedia as a base, Lawrence has been working on an online version that incorporates moving images, photographs and archival materials and his presentation will open up questions of how one thinks of an online encyclopedia as well as larger conceptual questions of the relationship between the encyclopedias, the internet and moving image archives. Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283, Prasad Krishna (prasad@cis-india.org).

May 22, 2013

Cybersecurity, Privacy and Surveillance

18.00 18.30	“The Indian Surveillance State”— A Talk by Maria Xynou The Central Monitoring System confirms that, starting from last month ‘Big Brother’ is a reality in India. But how do authorities get the tech to spy on us? Maria has started investigating surveillance technology companies operating in India. So far, 76 companies have been detected which are producing and selling different types of surveillance gear to Indian law enforcement agencies. Join us to see India´s first investigation of who is aiding our watchers! Video
18.30 19.00	Why Privacy and How? A Talk by Bernadette Langle "But I have nothing to hide!" That's what most people think. Are you sure? What about all the services you use for free, don't you think the service provider has to spend money on that, and that he needs to earn it somehow? Bernadette will show some alternatives and also how easy it can be, to put your messages in a virtual private envelope as you use to do with messages on paper. Video
19.00 19.45	Cyber Security Preview — Presentation by Laird Brown and Purba Sarkar CIS in cooperation with Citizen Lab, Munk School of Global Affairs at the University of Toronto, is developing a film project on cyber security in India from a civil society perspective. Laird will show the preview of the project. The preview will include an overview of the project along with a video footage from the first series of interviews. Video
19.45 20.00	Faking of Fingerprints: A Presentation by Bernadette Langle Bernadette will give a brief presentation on how easy it is to fake a fingerprint. Afterwards you can get hands-on. Fake a fingerprint yourself and take it with you to your home. Video Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283, Prasad Krishna (prasad@cis-india.org).

May 23, 2013

Kannada Language and IT

18.00 18.15	Kannada in Modern Era: A Guest Talk by Dr. Chandrashekhara Kambara Dr. Chandrashekhara will be the chief guest for this session and will give a guest lecture. Video
18.15 19.30	From Palm Leaf to Tablet – Journey of Kannada: A Talk by Dr. U.B. Pavanaja Kannada language which has a history of 2000 years and quite rich in literature started on palm leaves. Kannada advanced with modern times adopting the marvels of Information Technology. This is accomplished by successfully implementing Kannada in various facets of IT. It is being used everywhere from data driven applications to websites to hand held devices like tablets. These aspects will be brought out during the talk. Summary in Kannada: ತಾಳೆಗರಿಯಿಂದ ಟ್ಯಾಬ್ಲೆಟ್ ತನಕ ಕನ್ನಡದ ಪಯಣ ಸುಮಾರು ಎರಡು ಸಾವಿರ ವರ್ಷಗಳ ಭವ್ಯ ಇತಿಹಾಸವಿರುವ ಕನ್ನಡ ಸಾಹಿತ್ಯದ ಉಗಮ ತಾಳೆಗರಿಗಳ ಮೇಲೆ ಆಯಿತು. ಕನ್ನಡ ಭಾಷೆಯು ಆಧುನಿಕ ಮಾಹಿತಿ ತಂತ್ರಜ್ಞಾನದ ಅದ್ಭುತ ಕೊಡುಗೆಗಳನ್ನು ತನ್ನದಾಗಿಸಿಕೊಂಡು ಬೆಳೆಯಿತು. ಮಾಹಿತಿ ತಂತ್ರಜ್ಞಾನದ ಎಲ್ಲ ಅಂಗಗಳಲ್ಲಿ ಕನ್ನಡವನ್ನು ಅಳವಡಿಸಿ ಬಳಸಿಕೊಳ್ಳುವುದರ ಮೂಲಕ ಇದು ಸಾಧ್ಯವಾಯಿತು. ಆನ್ವಯಿಕ ತಂತ್ರಾಂಶವಿರಲಿ, ಪ್ರತಿಸ್ಪಂದನಾತ್ಮಕ ಜಾಲತಾಣವಿರಲಿ, ಕೈಯಲ್ಲಿ ಹಿಡಿದು ಕೆಲಸ ಮಾಡುವ ಟ್ಯಾಬ್ಲೆಟ್ ಇರಲಿ –ಎಲ್ಲ ಕಡೆ ಕನ್ನಡದ ಬಳಕೆ ಆಗುತ್ತಿದೆ. ಈ ಎಲ್ಲ ವಿಷಯಗಳ ಕಡೆ ಒಂದು ಪಕ್ಷಿನೋಟವನ್ನು ಈ ಭಾಷಣದಲ್ಲಿ ನೀಡಲಾಗುವುದು. Video
19.30 20.00	Carnatic Music Performance by Nirmita Narasimhan Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283 Prasad Krishna (prasad@cis-india.org).

About the Speakers

Vibodh Parthasarathi	Vibodh Parthasarathi works with the Centre for Culture and Media Governance, Jamia Millia Islamia, New Delhi. He is also a Board Member at the Centre for Internet and Society, Bangalore. He maintains a multidisciplinary interest in media and development policy, business history of creative industries, and governance of media infrastructure. At the Centre for Culture, Media & Governance, Jamia Millia Islamia, New Delhi, his ongoing research addresses media policy literacy, the TV news industry and the digital switchover in India. He is the co-editor of the critically acclaimed tri-series on Communication Process (Sage).
Lawrence Liang	Lawrence Liang is the Chairman of the Board at the Centre for Internet and Society. He is a graduate of the National Law School. He subsequently pursued his Masters degree in Law and Development at Warwick, on a Chevening Scholarship. His key areas of interest are law, technology and culture, the politics of copyright and he has been working closely with Sarai, New Delhi on a joint research project Intellectual Property and the Knowledge/Culture Commons. A keen follower of the open source movement in software, Lawrence has been working on ways of translating the open source ideas into the cultural domain. He has written extensively on these issues and is the author of The Public is Watching: Sex, Laws and Videotape and A Guide to Open Content Licenses. Lawrence has taught at NLS, the Asian College of Journalism, NALSAR, etc., and is currently working on a Ph.D. on the idea of cinematic justice at Jawaharlal Nehru University.
Maria Xynou	Maria Xynou is a Policy Associate on the Privacy Project at the CIS. She has previously interned with Privacy International and with the Parliament of Greece. Maria holds a Master of Science in Security Studies from the University College London (UCL).
Bernadette Langle	Bernadette Längle recently graduated in social and cultural anthropology, philosophy and computer science. She is also a so-called hacktivist together with one of the oldest hacker associations of the world, the Chaos Computer Club, having a lot of influence in German politics. As one of the core-team organizer of Chaos Communication Congress in Germany she also has a lot of experience in organizing events.
Laird Brown	Laird Brown is a strategic planner and writer. His core competencies are brand analysis, public relations, and resource management. Laird has worked at the United Nations in New York; high-tech ventures in North America, Europe, and India; and, is a guest speaker at ICT conferences internationally. He is currently working on a film project for CIS on cyber security in India with Purba Sarkar.
Purba Sarkar	Purba Sarkar is an associate producer with the cyber security film project. She holds a Bachelor in Technology degree from West Bengal University of Technology. Purba worked as a strategic advisor in the field of SAP Retail for 4 years before joining CIS in January, 2013.
Dr.Chandrashekhara Kambara	Dr. Chandrashekhara Kambara is a prominent poet, playwriter, folklorist, film director in Kannada language. He is also the founder-vice-chancellor of Kannada University in Hampi. He is known for his effective usage of North Karnataka dialect of Kannada language in his plays and poems and is often compared with D.R. Bendre. He has been conferred with many prestigious awards including the Jnanpith Award (the highest literary honour conferred in India) in 2011 for the year 2010, the Sahitya Akademi Award, the Padma Shri by Government of India, Kabir Samman, Kalidas Samman and Pampa Award. After his retirement, Kambara was nominated Member of Karnataka Legislative Council, to which he made significant contributions through his interventions.
Dr. U.B. Pavanaja	Dr U B Pavanaja holds a Master’s degree from Mysore University and Ph.D. from Mumbai University. He was a scientist at the Bhabha Atomic Research Centre, Mumbai, for about 15 years. He has done advanced research in Taiwan. He resigned from BARC in 1997 and dedicated himself fully for the cause of Computer and Indian languages. He has to his credit many firsts, viz., first Kannada website, first Kannada online magazine, first Indian language (Kannada) website to receive Golden Web Award, first Indian language (Kannada) editor for Palm OS, first Indian language (Kannada) editor for WinCE device (HP Jornado 720), first Indian language version (Kannada) of universally popular Logo (programming language for children) software, etc. His Kannada logo won the Manthan Award for the year 2006. He was a member of the technical advisory committee setup by the Govt. of Karnataka for Standardization of Kannada on Computers (2000). He is also a member of the Kannada Software Committee of Govt. of Karnataka (2008-current).

The Artists

Kiran Subbaiah	Kiran Subbaiah studied sculpture at Santiniketan, MSU Baroda and the RCA London. He was an artist in residence at the Rijksakademie Amsterdam where he worked on art that incorporated informatics and electro-mechanics. He is also known for making videos using custom-built tools that enable him to perform multi-person film-making tasks single-handed. His art is shown extensively in India and abroad. Subbaiah is based in Bangalore and is represented by the Chatterjee and Lal gallery in Mumbai. Kiran will present the Spectator, a robot that can sense the presence of human beings around it. It tries to appreciate them as works of art.
Tara Kelton	Tara Kelton is an artist and designer. She has been living in Brooklyn, USA and Bangalore, India for the last three years. She received her MFA from the Yale School of Art in 2009. Kelton’s video, print, and web-based works investigate moments in which technology alters our perception of the physical world. Kelton has taught at the Srishti School of Art, Design, and Technology and has recently exhibited her work at Vox Populi (USA), Franklin Street Works (USA), GALLERYSKE (Bangalore) and the India Design Forum (Mumbai). Tara will present Trace, a surveillance camera feed drawn in real-time by anonymous online workers.
Navin Thomas	Navin Thomas is a multimedia artist and a professional scrap market junkie, he spends a good quality of his precious time looking for obscure cultural misfits... after destroying most of himself in the 90's, he now spends his time restoring your mother's brother’s tin space toys and other unusual situations.
Abhishek Hazra	Abhishek Hazra approaches his art with a particular emphasis on the study of the historiography of science. He uses videos and prints that often integrate textual fragments drawn from real and fictional scenarios. He has previously exhibited and performed at Science Gallery, Dublin, HEART Herning Museum of Contemporary Art, Denmark, Astrup Fearnley Museum of Modern Art, Oslo, Casino Luxembourg Forum d’art Contemporain, Experiment Marathon Reykjavik, Reykjavik Art Museum and Kunstmuseum Bern. Abhishek was most recently an artist in residence at SymbioticA, the Centre for Excellence in Biological Arts, University of Western Australia, Perth. It was first performed as part of Beam Me Up, curated by Reinhard Storz and Gitanjali Dang, which was acknowledged by Pro Helvetia, New Delhi and German Book Office, New Delhi. Abhishek will be presenting #cloudrumble56 (attempted to re-animate sections of the Indian parliamentary archives — specifically, the transcripts of the scientist M.N. Saha's (1893-1956) interventions — through a performance that was transmitted only through live tweets on Twitter).
Aditya Dipankar	Aditya Dipankar started fiddling with music at the age of 4 when he started learning the tabla and then went on to play it for a long time. Years later, he discovered his strong inclination towards singing. Now, under the noble guidance of Pandit Vijay Sardeshmukh (Senior disciple of Pandit Kumar Gandharva), he is trying to understand the simplicity and spontaneity in the rich tradition of Hindustani classical music.
Nirmita Narasimhan	Nirmita Narasimhan is a Policy Director at CIS and works on accessibility for persons with disabilities. She was awarded the national award for empowerment of persons with disabilities by the President of India and also received the NIVH Excellence Award. Nirmita Narasimhan is a disciple of Dr. Radha Venkatachalam and renowned maestro Prof. T.R. Subramanyam. She began learning music at the age of 5 and went on to complete her Ph.D. in this subject from the Delhi University. Nirmita has been performing since 1995 and received several accolades such as the Sahitya Kala Parishad Scholarship and prizes in several competitions. She received the Gold medal in MA for standing first in the University and also stood first in MPhil. She has released a CD on Ponnayya Pillai compositions and also sung in an album of varnams. Nirmita has performed in different places in India such as Delhi, Chennai, Tirupathi and Bangalore as well as in Singapore and has also given several thematic concerts such as Eka Raga Sandhya and Pallavi concerts.
Sharath Chandra Ram	Sharath Chandra Ram (Sharathchandra Ramakrishnan) has interests in multimodal art, cognitive science, accessibility, digital humanities and network cultures. He is a faculty at the Centre for Experimental Media Arts at the Srishti School of Art Design and Technology. At the Centre for Internet and Society he helped set up and manage activities at the Metaculture Media Lab : an open hackerspace and alternative platform for research and exchange. His writings and musings at CIS maybe found here: http://cis-india.org/author/sharath He graduated from the University of Edinburgh with a degree in Artificial Intelligence specializing in interactive virtual environments. Previously as a Research Associate at the National Institute of Mental Health and Neurosciences he received a special mention award at the International Conference on Consciousness (2012) held at the National Institute of Advanced Studies for his work on ‘Cross modal Integration’. As an amateur radio broadcaster, he is a proponent of the free use of airwaves for relief work, education and transmission art. He has also been a development related radio journalist (PANOS @ Nepal, Voices UNDP@Bangalore), speaker at the International Ham Radio Convention (Port Blair, 2006) and as a film enthusiast has been a Press Reviewer for the Edinburgh International Film Festival.

Locations

Bangalore

Centre for Internet and Society
No. 194, Second 'C' Cross, Domlur,
2nd Stage, Bangalore - 560071,
Karnataka, India
Ph: +91 80 4092 6283
Fax: +91 80 2535 0955

Delhi

Centre for Internet and Society
G 15, Top floor
Behind Hauz Khas, G Block Market
Hauz Khas,
New Delhi 110016
Ph: + 91 011 40503285

Event Brochure

Event Flier

Event Posters/Banners and Videos

Accessibility

National Resource Kit (PDF, PNG)
NVDA E-Speak (PDF, PNG)
International Collaborations (PDF, PNG)
Partners (PDF, PNG)
Publications (PDF, PNG)
Timeline (PDF, PNG)
Inclusive Planet (PDF, PNG)

In the below video Anandhi Viswanathan gives a demo of the National Resource Kit project and Rameshwar Nagar gives a demo of the NVDA and ESpeak (Text-to-Speech) project during the exhibition.

Access to Knowledge

Broadcast Treaty (PDF, PNG)
Copyright (PDF, PNG)
Software Patent 1 (PDF, PNG)
Software Patent 2 (PDF, PNG)
Pervasive Technologies (PDF, PNG)

Access to Knowledge (Wikipedia)

Factsheet (PDF, PNG)
Reaching Out (PDF, PNG)
Outreach (PDF, PNG)
Bridging Gender Gap (PDF, PNG)
Press Coverage (PDF, PNG)
Education Programmes (PDF, PNG)
Team Achievements (PDF, PNG)
Visualization (PDF, PNG)

Openness

Open Access to Scholarly Literature (PDF, PNG)
Open Access to Law (PDF, PNG)
Open Standards (PDF, PNG)
Free/Open Source Software (PDF, PNG)

Internet Governance (Free Speech)

Blocking of Websites (PDF, PNG)
Freedom of Speech (PDF, PNG)
Intermediary Liability (PDF, PNG)
Internet Governance Forum (PDF, PNG)

Internet Governance (Privacy)

Privacy Events (PDF, PNG)
Timeline (PDF, PNG)
UID (1) (PDF, PNG)
UID (2) (PDF, PNG)
DNA (1) (PDF, PNG)
DNA (2) (PDF, PNG)

Telecom

Institutional Framework for Indian Telecommunication (PDF, PNG)
Growth of Telecom Industry in India (PDF, PNG)
Delicensed Spectrum (PDF, PNG)
Spectrum Sharing (PDF, PNG)

RAW Monographs

Archives and Access (PDF, PNG)
Internet, Society and Space in Indian Cities (PDF, PNG)
The Last Cultural Mile (PDF, PNG)
Porn, Law, Video Technology (PDF, PNG)
Re:Wiring Bodies (PDF, PNG)
Community Informatics and Open Government Data (Special Issue) (PDF, PNG)

News and Media

Media Coverage (PDF, PNG)
Organizational Chart (PDF)

For more details visit https://cis-india.org/internet-governance/events/celebrating-5-years-of-cis

Goa chapter

praskrishna — 2013-05-02T06:33:24Z

For more details visit https://cis-india.org/accessibility/blog/goa-chapter.pdf

Access to Knowledge Bulletin — May 2013

praskrishna — 2013-07-04T04:17:49Z

In this issue of our newsletter for 2013, we are pleased to bring you updates about the open exhibition held at our office for celebrating five years of our existence, Access to Knowledge work plan (2013-14), and the revised budget (September 2012 - February 2013).

Wikimedia Foundation, beginning from September 1, 2012, awarded the Centre for Internet & Society (CIS) a two-year grant of INR 26,000,000 to support and develop free knowledge in India. Consequently, Wikimedia Foundation’s India Program became the Access to Knowledge (A2K) program of CIS. In this newsletter, we are pleased to bring you updates about the recently concluded exhibition organised in our offices in Bangalore and Delhi and share with you the feedback to the Access to Knowledge work plan from the wikipedia community.

The A2K team consists of three members based in Bangalore: T. Vishnu Vardhan, Dr. U.B. Pavanaja and Subhashish Panigrahi and one member Nitika Tandon in Delhi. Noopur Raval, Programme Officer left the organisation on April 24, 2013. Archives of our newsletters are here.

Wikipedians from various communities can request for outreach programs, technical bugs, logistics-merchandize and media, public relations and communications at http://bit.ly/TOcXId.

Celebrating 5 Years of CIS
CIS is now 5 years old and we recently celebrated this by holding an open exhibition in our offices in Bangalore and Delhi from May 20 to 23, showcasing our work and accomplishments over the five year period. We had about 170 visitors coming in to our office. Renowned artists like Tara Kelton, Kiran Subbaiah, Navin Thomas, Abhishek Hazra and Sharath Chandra Ram exhibited their work. The four-day event attracted press coverage: Bangalore Mirror (May 18, 2013), DNA (May 19, 2013), Hindu (May 22, 2013), Prajavani (May 23, 2013), Udayavani (May 25, 2013) and Bangalore Mirror (May 31, 2013). Download all the posters that were part of the exhibition here.

Announcements

Access to Knowledge Work Plan (April 2013 - June 2014): CIS has announced its detailed plan with projection of outcomes and expected impact of the A2K programme activities. The document has been made in consultation with various stakeholders and keeping in mind the objectives, opportunities and challenges faced by each of the Indian language Wikimedia projects. Feel free to share any feedback.
WMF-A2K Revised Budget (draft) and Utilization (September 2012 - February 2013): In our effort to increase transparency with the working of CIS-A2K programme, we are sharing with you the A2K Programme Budget along with the utilization for the above period. The proposed revisions to the budget along with some notes are here.
CIS Signs MOU with TISS: has signed a MoU with TISS as part of which we will collaboratively work towards building Digital Knowledge Partnerships with select higher education institutions.
India Access to Knowledge IRC can be accessed here: May 13, 2013 (All Language Discussion) and May 26, 2013 (Odia Language Discussion).

Blog Entries

Odia Wikipedia: Needs Assessment (by Subhashish Panigrahi, May 11, 2013).
Access to Knowledge Work Plan: Synopsis of Feedback by Wikipedians (by Nitika Tandon, May 20, 2013).
Wikipedia Introductory Session organized for Data and India portal consultants (by Subhashish Panigrahi, May 30, 2013).
My First Wikipedia Training Workshop – Theatre Outreach Unit, University of Hyderabad (by T. Vishnu Vardhan, June 19, 2013).

Events Organised

Kannada Wikipedia Workshop (April 29, 2013, Govinda Pai Research Centre, MGM College Udupi). Dr. U.B. Pavanaja led the workshop and gave a talk on Kannada Wikipedia

Event Participated

Kannada IRC Meet (organised by the Wikipedia Community, May 7, 2013). Dr. U.B. Pavanaja participated in this.

Upcoming Event

Digital Humanities for Indian Higher Education (co-organised in collaboration with HEIRA-CSCS, Tumkur University, CILHE-TISS and CCS (IISc), Indian Institute of Science, Bangalore, July 13, 2013).

Press Coverage

Report on CIS 5 Years Celebration (Prajavani, May 23, 2013). Prajavani published a report of Dr. U.B. Pavanja’s talk “From Palm Leaf to Tablet – Journey of Kannada”.
Report on CIS 5 Years Celebration (Udayavani, May 25, 2013). Udayavani published a report of the evening programme hosted as part of the Centre for Internet and Society's 5 year celebrations in its Bangalore edition.
A Feature on Wikipedia and Telegu Wikipedians (HMTV, May 30 – 31, 2013). T. Vishnu Vardhan is quoted in this half an hour feature on Wikipedia and Telugu Wikipedians.
Wikipedia Live Phone-in Programme (HMTV, June 1, 2013). T. Vishnu Vardhan speaks about Telegu Wikipedia in the discussion that was telecasted live.

About CIS

CIS was registered as a society in Bangalore in 2008. As an independent, non-profit research organisation, it runs different policy research programmes such as Accessibility, Access to Knowledge, Openness, Internet Governance, and Telecom. The policy research programmes have resulted in outputs such as the e-Accessibility Policy Handbook for Persons with Disabilities with ITU and G3ict, and Digital Alternatives with a Cause?, Thinkathon Position Papers and the Digital Natives with a Cause? Report with Hivos, etc. We have conducted policy research for the Ministry of Communications & Information Technology, Ministry of Human Resource Development, Ministry of Personnel, Public Grievances and Pensions, Ministry of Social Justice and Empowerment, etc., on WIPO Treaties, Copyright Bill, NIA Bill, etc.

CIS is accredited as an observer at WIPO. CIS staff participates in the Standing Committee for Copyright and Related Rights (SCCR) meetings regularly held in Geneva, and participate in the discussions and comments on them from a public interest perspective. Our Policy Director, Nirmita Narasimhan won the National Award for Empowerment of Persons with Disabilities from the Government of India and also received the NIVH Excellence Award.

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/access-to-knowledge-bulletin-may-2013

From Open Citizen Radio Networks to the Race for .RADIO gTLD

sharath — 2013-05-05T05:00:01Z

In light of the recent shutdown of INDYMEDIA ATHENS server and its associated antagonistic Internet radio streaming services, Radio98FM and Radio Entasi, Sharath Chandra Ram, takes a look at open radio networks run by citizen operators as well as the politics around internet radio and it’s growing potential as a medium for citizen activism.

On the afternoon of April 11, 2013, the president of the National University of Athens (NTUA) ,Simos Simopolous ordered the university’s Network Operations Centre (NOC) to pull the network plug off the IndyMedia Athens server that shared the university’s network infrastructure. With it went down the Internet radio stream of Radio98FM, an independent radio station broadcasting from within NUTA along with Radio Entasi. The takedown as it were later revealed, was an order by the Minister of Public Order, Nikos Dendias followed by the MP Adonis Georgiadis of the New Democracy Party tweeting in praise of the Minister’s decision. (Translate Tweet here : http://bit.ly/ZiBDuR ) Indymedia Athens still continues to be accessible through the Tor network at http://gutneffntqonah7l.onion/

The choice and use of broadcast networks in political and citizen uprisings have had a culturally specific side to it. The massive 2006 democracy movement in Nepal was fuelled entirely by pirate FM radio broadcasts, as most mountainous regions have no access to telephony, Internet or print news delivery services. Recently the world saw the power of social media , youtube and Twitter -- in Iran after the police killed student activist Neda and later in the landmark crisis of Tunisia.

By combining the power of seamless accessibility that the audio medium provides by allowing the user to multi-task, along with the viral broadcasting ability of the Internet, we indeed have an effective tool for networked citizen science. Are there popular models that the community can emulate, and what are the barriers to entry in a trans-medial paradigm such as Internet audio re-transmission?

An Overview of Open Radio Networks

Let’s a take a quick peek into the wireless radio –VoIP service named ECHOLINK that I am fortunate to have had access to, over the last decade. Available to only ‘licensed’ and verified amateur radio operators, one maybe rest assured that strict legalities have unfortunately made such an open and transparent trans-medial global networked infrastructure impossible for commercial deployment or of use to the common citizen.

The ECHOLINK network was made possible thanks to the relentless efforts of amateur radio operators from around the world. It has enabled numerous wireless VHF local repeaters and links around the globe to be accessible over the Internet from practically any remote machine/device connected to the Internet, for both transmission as well as reception.

A memorable event was when I connected to a local Florida repeater from my bedroom’s PC and ended up conversing with an amateur radio operator who was driving around in his car through the Hurricane Katrina flooded streets with a VHF Handheld FM Transceiver, limited food supply and a gallon of reserve fuel canned in his backseat. Despite this, there was a sense of brethren and calm in his crackling radio voice that made it to the Florida repeater and then all the way to my home-station in Bangalore.

More recently, after the Fukushima Tsunami and Nuclear fallout, we observed that the Japanese government had jammed almost every radio repeater link, including the Emergency Amateur Radio service in Japan as they did not want any international contact to be made regarding the situation. Nevertheless after hours of trying, I intercepted a number of conference link nodes in Japan with people passing on information to each other about the deteriorating conditions in various prefectures. Below is a recorded excerpt from a conversation between two concerned citizens that I intercepted:

The Internet Radio Linking Project (IRLP) was a precursor to the Echolink network, invented by Dave Cameron (Callsign: VE7LTD) who installed the first three Windows O/S based IRLP nodes in Vancouver, British Columbia in 1997, followed by a more reliable Linux Node (VE7RHS) in 1998, after which the IRLP network soon spread worldwide. Amateur Radio operators with a VHF handheld transceiver and a custom (also DIY) IRLP interface hardware could connect to any local node within their RF Range and by using particular DTMF codes could establish a connection to any other node in the world by referring to a global list of node numbers. (http://status.irlp.net/).

ECHOIRLP enables Radio network node owners to support both IRLP as well as ECHOLINK networks on their repeater. A publically open trans-medial network such as this would certainly transform global information dissemination and accessibility, citizen journalism, community networks as well as disaster management.

Impedances and Emerging Trends in Commercial radio webcasting:

Similar radio network paradigms, albeit highly commercial, already exist within the mobile phone infrastructure, and with location-based services and audio databases like Spotify and audio detection apps like SoundHound on the rise, one could expect a huge boom in Internet radio services with contextual advertising on personal devices in the coming years. As with the press wars during the early 1930s in America, when newspapers viewed radio broadcasting as a formidable competitor, various impedances have kept Internet streaming away from the space that local wireless broadcasters and telecommunications networks have enjoyed for so long.

Unlike in the US or EU Copyright law, in India, there is currently no copyright law that clearly regulates Internet webcasting and radio retransmission on the Internet. In the United States however, webcasting of copyrighted audio content as well as internet retransmission of over-the air FM and AM radio broadcasts are subject to a per-performance royalty and an ‘ephemeral’ license fee. For the royalty calculations, transmission to each individual recipient is considered to be one ‘performance’. Estimating the market value of a ‘performance’ however is tricky, and the standing example that served as a reference, was the agreement reached between the RIAA (Recording Industry Association of America) that represents a majority of record labels that own copyrighted sound recordings and YAHOO! Inc , a then major webcaster and Internet re-transmitter. The RIAA-Yahoo! Agreement involved a lump sump payment of USD 1.25 million for the first 1.5 billion transmissions that amounted to about 0.08 cents/performance. The initial proposal by the CARP (Copyright Arbitration Royalty Panel) however, set this at 0.14 cents/performance for pure internet webcasts and 0.07 cents/performance for over-the air retransmissions, which later was rejected and equalized to 0.07cents/performance for both, after another recommendation by the Register of Copyrights was accepted by the Librarian of Congress.

In addition to this, an ephemeral license fee has to be paid by a webcaster and is currently set to be at about 8.8 per cent of the gross performance fee. ‘Ephemeral recordings’ in traditional broadcasting refer to the temporary copy made off a phono-record to facilitate transmission of the final studio mix. The twist in webcasting however is that temporary server copies necessary for Internet retransmission are subject to this ephemeral license fee.

Another limitation is bandwidth. Unlike wireless radio broadcasting that has a radial spread over line of sight depending on the wattage of transmission, the number of listeners that a server’s Internet radio streaming can tend to simultaneously, depends on the available bandwidth at the transmitting end. For instance, a 128kbps homebrew audio transmitted over a 1Mbps line using ShoutCast or Icecast, could probably support no more than 10 listeners although the advantage that listeners maybe geographically disparate cannot be overlooked.

The possibility of having a central webspace that provides access to streams of re-transmission of say, every FM news channel across the world still remains unfeasible. The logical next step would be to install multiple repeater servers that can access radio Internet servers located in different parts of the world retransmitting both commercial FM broadcasts as well as independent radio broadcasts, and constructed similar to the Echolink infrastructure. Ofcourse this would only be possible with a community-funded initiative led by the global amateur radio community in tandem with commercial pubic service broadcasters who agree to sacrifice on re-transmission royalties in view of mass accessibility. This collaboration now seems very possible with the latest .RADIO gTLD community based application that was filed by the EBU in 2013.

The .RADIO TLD competition

With ICANN launching the gTLD program, a notable contest has started for ownership of the .radio gTLD. The latest applicant is the Eurovision Broadcasting Union (EBU), the largest international association of broadcasters with supporters including the World Broadcasting Unions (WBU) and the Association Mondiale des Radiodiffuseurs Communautaires (AMARC). The EBU has filed for a ‘community based designation’ application, a move that has been actively supported by the International Amateur Radio Union (IARU), (http://goo.gl/H23YF), the founding fathers of the global amateur radio community. The European Broadcasting union, created in 1950, is a not-for-profit association and is one of the key sector members and technical advisors of the International Telecommunications Union. It’s primary function has been to advocate and negotiate the interests of European public broadcasters.

But three other standard applications for the .RADIO domain have been made to the ICANN as early as in 2012 by – BRS Media, AFILIAS and Tin Dale (LLC) all of whom have decried the latest application of EBU. BRS Media, as early as in 1998, entered into an ingenious agreement with the Federated States of Micronesia (country code .FM) and Armenia (country code .AM) and began offering the pricey .FM and .AM domains to Internet radio broadcasters and media services. AFILIAS Inc., who own the .MOBI and .INFO top level domains with it’s employees and investors in the ICANN Board have applied for 31 additional TLDs apart from .RADIO.

The ICANN reviews each applicant on the basis of descriptions of their mission and purpose of interest in the .RADIO TLD. While all the others allow ‘Open registrations’ of second level .RADIO domain-names by any organization, the EBU application entails a much more restrictive registration process where the initial round of registrations shall be limited to existing broadcasters, trademark owners, internet radio, amateur radio broadcasters and radio professionals.

The support of AMARC as well as the International Amateur Radio Union (IARU), (http://goo.gl/H23YF), has helped EBU to fulfill ICANN’s important pre-requisites for a community-based TLD application – that is “to substantiate its status as representative of the community it names in application by submission of written endorsements in support of the application.”

Does this mean that we shall finally see the dawn of widely accessible Internet radio and digital re-transmissions of over the air broadcasts, with the amateur radio networks working in tandem with commercial public service broadcasters? Will the EBU truly be a representative of the global broadcasting community and will it treat US counterparts no different from EU and rest of the world? And finally, what impact shall all this have on Internet governance, dissemination of public opinion and citizen interventions? These are but some of the burning questions that shall surface in the near future.

Key References

http://www.echolink.org
http://www.irlp.net/
Summary of the Determination of the Librarian of Congress on Rates and Terms for Webcasting and Ephemeral Recordings (http://goo.gl/xPEj8)
http://newgtlds.icann.org/en/
http://www.arrl.org/

For more details visit https://cis-india.org/telecom/open-citizen-radio-networks-to-race-for-.radio-gtld

April 2013 Bulletin

praskrishna — 2013-05-31T08:07:38Z

The Centre for Internet & Society (CIS) welcomes you to the fourth issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Celebrating 5 Years of CIS
We at the Centre for Internet and Society celebrate 5 years of existence with an exhibition showcasing our work and accomplishments over this time. The exhibition will be held concurrently at both our Bangalore and Delhi offices from May 20 to 24, 2013, from 10 a.m. to 8 p.m.

Google Policy Fellowship
CIS is inviting applications for the Google Policy Fellowship programme. Google is providing a USD 7,500 stipend to the India fellow who will be selected by July 1, 2013. Fellowship focus areas include Access to Knowledge, Openness in India, Freedom of Expression, Privacy, and Telecom Send in your applications for the position by June 15, 2013.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org. CIS also invites applications for the post of Programme Officer (Access to Knowledge, Pilot Projects). To apply for this position send your resume to vishnu@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

National Resource Kit for Persons with Disabilities
Anandhi Viswanathan from CIS and Manojna Yeluri from the Centre for Law and Policy Research are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapters on Himachal Pradesh, Goa, Jammu and Kashmir and Rajasthan:

The Himachal Pradesh Chapter (by Anandhi Viswanathan, April 30, 2013).
Goa Chapter (by Anandhi Viswanathan, April 30, 2013).
The Jammu & Kashmir Chapter (by Anandhi Viswanathan, April 30, 2013).
The Rajasthan Chapter (by Manojna Yeluri, April 30, 2013).

Note: All of these are early drafts and will be reviewed and updated.

Events Organised

Girls in ICT Day (April 25, 2013, Mitra Jyothi Auditorium, HSR Layout, Bangalore). Dr. U.B. Pavanaja gave a talk on Social Media and Kannada Language for Women with Disabilities. Sara Morais wrote an event report.
Global Accessibility Awareness Day (May 9, 2013, TERI, Southern Regional Centre, Domlur, Bangalore).

Announcement

CIS Gets ITU-D Sector Membership: CIS has become a sector member of ITU-D.

Access to Knowledge and Openness

The Wikimedia Foundation awarded CIS a two year grant of INR 26,000,000 to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Wikipedia
Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon and Subhashish Panigrahi, and one team member Dr. U.B. Pavanaja who is working from Bangalore office. Noopur Raval, Programme Officer has left the organisation. April 24, 2013 was her last working day.

Indic Wikipedia Visualisation Project

Indic Wikipedia Visualisation Project #2: Visualising Page Views and Project Pages.

Blog Entries

Indian WikiWomen celebrate Women’s History Month (by Netha Hussain, April 29, 2013).
Analysis of Konkani Wikipedia: Facts & Challenges (by Nitika Tandon, April 30, 2013).
Odia Wikipedia: Needs Assessment (by Subhashish Panigrahi, April 30, 2013).

Event Organised

Kannada Wikipedia Workshop (April 29, 2013, Govinda Pai Research Centre, MGM College Udupi). Dr. U.B. Pavanaja led the workshop and gave a talk on Kannada Wikipedia.

Events Co-organised
The following events were organised in the month of March but reports were written during the month of April. Vishnu Vardhan and Subhashish Panigrahi held meetings with wikipedians:

Kolkata Wiki Community Meetup (organised by CIS and Kolkata Wiki Community, March 14, 2013).
Odia Wikipedia - Cuttack Community Meetup (organised by CIS and Odia Wiki Community, Cuttack, March 16, 2013).
Odia Wikipedia – Bhubaneswar Community Meetup (organised by CIS and Odia Wiki Community, Bhubaneswar, March 17, 2013).

The following event was organised in the month of April. We will be publishing the report soon:

Telugu Wiki Mahotsavam 2013 (organised by Telugu Wikipedia Community and CIS, Hyderabad, April 9 – 11, 2013). Vishnu Vardhan was one of the trainers at the Wikipedia Academy at Centre for Good Governance on April 9, 2013. Vishnu Vardhan spoke about the Access to Knowledge work in one of the sessions of Wikimedia Meeting with Media Heads on April 10, 2013. Vishnu Vardhan gave a talk on A2K’s plans for the growth of Telegu Wikipedia in 2013-14 at the Telegu Wikipedia general meeting on April 11, 2013. Vishnu Vardhan also gave a talk about Access to Knowledge in the digital era at the Wiki Chaitanya Vedika on April 11, 2013.

Other Access to Knowledge Updates

WIPO

CIS Intervention on the Treaty for the Visually Impaired at SCCR/SS/GE/2/13 (Geneva, April 18 – 20, 2013). Pranesh Prakash participated in the session and spoke about the rights of the visually impaired.

Internet Governance

The Internet Governance programme conducts research around the various social, technical, and political underpinnings of global and national Internet governance, and includes online privacy, freedom of speech, and Internet governance mechanisms and processes. Currently, CIS is doing a project with Privacy International, London to facilitate research and events around surveillance, and freedom of speech and expression.

Information Technology

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison (by Jadine Lannon, April 27, 2013).
Indian Telegraph Act, 1885, 419A Rules and IT (Amendment) Act, 2008, 69 Rules (by Jadine Lannon, April 28, 2013).
IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).
IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).

Resources
The below rules were published recently:

Newspaper Column

Off the Record (by Nishant Shah, Indian Express, April 6, 2013).

Privacy

India´s ´Big Brother´: The Central Monitoring System (CMS) (by Maria Xynou, April 8, 2013).

Events Organised
Maria Xynou gives an overview of the discussions and recommendations from the privacy round tables held in Delhi and Bangalore:

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Announcements

2nd Expert Committee meeting on draft 'Human DNA Profiling Bill 2012': The Department of Biotechnology has constituted an Expert Committee to discuss various issues of this Bill in detail. Sunil Abraham has been nominated as one of the members of this Committee. A meeting of this Expert Committee has been scheduled for May 13, 2013 under the Chairmanship of Dr. T. S. Rao, Adviser, DBT.
Chinmayi Arun is one of the international experts supporting the Internet & Jurisdiction project, a global multi-stakeholder dialogue process.

Upcoming Events

A Privacy Round Table in Chennai (co-organised with Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry, Residency Towers, Sir Thyagaraja Road, T Nagar, Chennai, May 18, 10.30 a.m. to 4.00 p.m.).
Consilience – 2013 (National Law School of India University, Bangalore, May 26 – 27, 2013).

Other Event Hosted

Or-bits.com — A Talk by Marialaura Ghidini (CIS, Bangalore, April 19, 2013). Marialaura Ghidini gave a talk abou the creation and activities of or-bits.com, a web-based curatorial platform that she founded in 2009.

News and Media

Clarify and define terms in IT rules, panel tells govt. (by Prashant Jha, Hindu, April 1, 2013).
India takes its first serious step toward privacy regulation – but it may be misguided (Privacy Surgeon, April 9, 2013).
Regulating Social Media: Unrealistic, Impossible, Necessary? (NDTV, April 11, 2013). Pranesh Prakash participated in a discussion on social media aired on NDTV.
Social media may influence 160 LS seats in 2014 (by Zia Haq, Hindustan Times, April 12, 2013).
Vote: Will Social Media Impact the Election? (by R. Jai Krishna, Wall Street Journal, April 15, 2013).
Untangling the web of India's 'ungovernable' Net (Deutsche Welle, April 15, 2013).
CIS in GNI Annual Report (April 25, 2013). CIS gets mentioned in GNI Annual Report. Sunil Abraham is quoted in it.
Is free speech an Indian value? (by Satarupa Sen Bhattacharya, India Together, April 27, 2013).

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project on Internet Access. It covers the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access and will touch upon various polices and regulations which has an impact on internet access and bodies and mechanism which are responsible for formulation policies related to internet access. The blog posts and modules will be published in a new website: www.internet-institute.in.

Upcoming Event
We are hosting an “Institute on Internet and Society” with the support of Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details have been announced.

The following units have been published:

Internet Infrastructure (by Srividya Vaidyanathan, April 30, 2013).
Internet Service Provider – Introduction (by Srividya Vaidyanathan, April 30, 2013).

Telecom

CIS is involved in promoting access and accessibility of telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Prioritizing Communications & Energy (by Shyam Ponappa, Business Standard and Organizing India Blogspot, April 4, 2013).

Blog Entry

From Open Citizen Radio Networks to the Race for .RADIO gTLD (by Sharath Chandra Ram, April 30, 2013).

Event Participated

Broadband Policy Course (organised by Lirne Asia, Bangalore, April 5 – 6, 2013). Nirmita Narasimhan and Snehashish Ghosh attended the course.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.
Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

For more details visit https://cis-india.org/about/newsletters/april-2013-bulletin

GNI Annual Report

praskrishna — 2013-04-25T07:14:33Z

For more details visit https://cis-india.org/internet-governance/blog/gni-annual-report.pdf

India's 'Big Brother': The Central Monitoring System (CMS)

maria — 2013-12-06T09:39:20Z

In this post, Maria Xynou looks at India´s Central Monitoring System (CMS) project and examines whether it can target individuals´ communications data, regardless of whether they are involved in illegal activity.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

For more details visit https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011

bhairav — 2013-07-12T12:12:16Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Services Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 This submission presents comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (“ESD Rules” or “Rules”).

1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (“EDS Bill” or “Bill”). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (“electronic service delivery”). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules are called into question.

II Basic Issues Regarding Electronic Service Delivery

2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (“Standing Committee”) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:

(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are totally unfamiliar with such technologies to endanger their ability to receive basic government services;

(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;

(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;

(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;

(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;

(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection[1] and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,[2] the annual installed capacity for electricity generation is growing[3] and the literacy rate is increasing.[4]

2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribe the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.

III Improper Exercise of Subordinate Legislative Power

3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (“Rules of Procedure”), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:

There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.

Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.”

3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:

The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically- enabled kiosks or any other electronic service delivery mechanism.

This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.

3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (“IT Act”). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:

the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.

Section 6-A(2) of the IT Act states:

The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.

Prima facie, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers, they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own. Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is ultra vires the IT Act. This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).

IV Clause-by-Clause Comments

Rule 2 - Definitions

4.1.1 Rule 2(c) of the ESD Rules states:

"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules

In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.

4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:

““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”

Rule 3 - System of Electronic Service Delivery

4.2.1 Rule 3(3) of the ESD Rules states:

The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, white they are electronically signed.

This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “may” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.

4.2.2 Therefore, it is proposed that rule 3(3) is amended to read as follows:

“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”

4.3.1 Rule 3(5) of the ESD Rules states:

The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.

Firstly, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical to attract abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. Secondly, the use of the phrase “financial code and treasury code” is avoidable since these terms are undefined.

4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:

“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”

4.4.1 Rule 3(6) of the ESD Rules states:

The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services:

Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.

This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:

Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is a absurd misuse of delegated legislative powers.

4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.5.1 Rule 3(7) of the ESD Rules states:

The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.

This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:

The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.

As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.

4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.

4.6.1 Rule 3(8) of the ESD Rules states:

The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.

There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, the state cannot enforce penalties unless authorised by law. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance is meaningless, especially since service providers will be engaged in providing access to essential government services.

4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:

“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”

[1]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, Telecom Sector in India: A Decadal Profile (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).

[2]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.

[3]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).

[4]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011

Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

bhairav — 2013-07-12T12:13:53Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 The Centre for Internet and Society (“CIS”) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (“Sensitive Personal Data Rules” or “Rules”) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.

1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy[1], there have never been codified provisions protecting the privacy of individuals and their personal information.

The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.[2] Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:

II Principles to Facilitate Appraisal
2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.[3]

This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.

2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:

(a) Principle of Notice / Prior Knowledge

All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.

(b) Principle of Consent

Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.

Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.

(d) Right to be Forgotten / Principle of Purpose Limitation

Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.

(e) Right of Access

All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.

(f) Principle regarding Disclosure

Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.

(g) Principle of Security

All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.

(h) Principle of Transparency / ‘Open-ness’

All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.

(i) Principle of Accountability

Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.

2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards. Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:

"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.

3.1.2 Firstly, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. Secondly, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.

3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:

““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”

3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (“IT Act”) as follows:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

3.2.2 Firstly, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.[4]

This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, will exclude public and private trusts[5] and unincorporated public authorities. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a prima facie violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.

3.2.3 Secondly, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.

3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:

““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”

Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate.

Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India.

3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:

"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.

3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “cyber incidents” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. Firstly, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. Secondly, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.

3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.

3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Sensitive Personal Data

3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to –

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.

3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Sensitive personal data or information of a person means personal information as to that person’s –

(i) passwords and encryption keys;

(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;

(iii) physical, physiological and mental condition;

(iv) sexual activity and sexual orientation;

(v) medical records and history;

(vi) biometric information; and

(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;

and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.

Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”

Rule 4 - Privacy and Disclosure Policy

3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:

Body corporate to provide policy for privacy and disclosure of information. – (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –

(i) Clear and easily accessible statements of its practices and policies;

(ii) type of personal or sensitive personal data or information collected under rule 3;

(iii) purpose of collection and usage of such information;

(iv) disclosure of information including sensitive personal data or information as provided in rule 6;

(v) reasonable security practices and procedures as provided under rule 8.

3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. Firstly, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. Secondly, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. Thirdly, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. Fourthly, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “personal or sensitive personal data or information” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.

3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Duty to publish certain policies. – (1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.

(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –

(i) the meanings of personal information and sensitive personal data in accordance with these rules;

(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;

(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;

(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;

(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and

(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”

Rule 5 - Collection of Information

3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:

Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

3.7.2 Firstly, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. Secondly, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. Thirdly, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.

3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”

3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:

Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

3.8.2 Firstly, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. Secondly, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.

3.8.3 Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:

“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –

(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and

(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”

3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:

While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information; and

(d) the name and address of —

(i) the agency that is collecting the information; and

(ii) the agency that will retain the information.

3.9.2 Firstly, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. Secondly, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. Thirdly, the use of the phrase “take such steps as are, in the circumstances, reasonable” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.

3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –

(a) the fact that it is being collected;

(b) the purpose for which it is being collected;

(d) the intended recipients to whom it will be sent or made available;

(e) the duration for which it will be stored;

(f) the conditions upon which it may be disclosed;

(g) the conditions upon which it may be destroyed; and

(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”

3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:

Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.

3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:

“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”

Rule 6 - Disclosure of Information

3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:

Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: Firstly, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. Secondly, the use of the phrase “any third party” lends vagueness to this provision since the term “third party” has not been defined. Thirdly, the repeated use of the undefined phrase “provider of information” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.

3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. Firstly, the disclosure of personal information and sensitive personal data when it is “necessary for compliance of a legal obligation” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. Secondly, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. Thirdly, the definition and use of the term “cyber incidents” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. In sum, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.

3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:

“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.

Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.

Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”

3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:

Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.

3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “an order under the law”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.

3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.

3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:

The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

3.13.2 Firstly, as mentioned elsewhere in this submission, the phrase “third party” has not been defined. This is a drafting discrepancy that must be rectified. Secondly, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. Thirdly, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.

3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:

“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”

Rule 7 - Transfer of Information

3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:

A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: firstly, the simultaneous use of the phrases “provider of information” and “such person” is imprecise and misleading; secondly, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.

3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:

“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”

Rule 8 - Reasonable Security Practices

3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):

The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.

3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001.

IV The Press Release of 24 August 2011

4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:

Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.

Press Note

The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

Ministry of Communications & Information Technology (Dept. of Information Technology)

Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011

SP/ska
(Release ID :74990)

4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.

4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,

...law includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.

Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.

[See, Edward Mills AIR 1955 SC 25 at pr. 12, Babaji Kondaji Garad 1984 (1) SCR 767 at pp. 779-780 and Indramani Pyarelal Gupta 1963 (1) SCR 721 at pp. 73-744]

Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.

[See, Raj Narain Singh AIR 1954 SC 569 and Re Delhi Laws Act AIR 1951 SC 332]

Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.

V Summary

5.1 CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled

Rule 2(1)(b);
Rule 2(1)(c);
Rule 2(1)(d);
Rule 2(1)(g);
Rule 3;
Rule 4(1);
Rule 5(1);
Rule 5(2);
Rule 5(3);
Rule 5(4);
Rule 6(1);
Rule 6(1) Proviso;
Rule 6(2);
Rule 6(4);
Rule 7; and
Rule 8.

5.2 CIS submits that the Committee on Subordinate Legislation should take a serious view of the press release issued by the Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.

5.3 CIS submits that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.

5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.

[1]. See generally, Kharak Singh AIR 1963 SC 1295, Gobind (1975) 2 SCC 148, R. Rajagopal (1994) 6 SCC 632, People’s Union for Civil Liberties (1997) 1 SCC 301 and Canara Bank (2005) 1 SCC 496.

[2]. See infra pr. 4.3.

[3]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[4].See generally, Board of Trustees of Ayurvedic College AIR 1962 SC 458 and S. P. Mittal AIR 1983 SC 1.

[5]. See generally, W. O. Holdsworth AIR 1957 SC 887 and Duli Chand AIR 1984 Del 145.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011

Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011

bhairav — 2013-07-12T12:15:30Z

Bhairav Acharya on behalf of the Centre for Internet and Society submitted the following comments on the Information Technology (Guidelines for Cyber Cafe Rules), 2011.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“Cyber Café Rules”).

1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21^st Report, the Committee on Subordinate Legislation presciently noted that:

“…statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.” [See the 21^st Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]

Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:

II Validity of the Cyber Cafe Rules

2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (“IT Act”). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:

“the guidelines to be observed by the intermediaries under sub-section (2) of section 79”

Sections 79 (1) and (2) state:

“79. Exemption from liability of intermediary in certain cases. – (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or

(b) the intermediary does not—

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.”

2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “any third party information, data, or communication link made available or hosted” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are ultra vires the IT Act.

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:

““cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”

This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.

Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:

“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”

3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.

Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.

Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Agency for Registration of Cyber Cafes

4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:

“3. Agency for registration of cyber cafe. – (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include:

(i) name of establishment;

(ii) address with contact details including email address;

(iii) whether individual or partnership or sole properitership or society or company;

(iv) date of incorporation;

(v) name of owner/partner/proprietor/director;

(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and

(vii) type of service to be provided from cyber cafe

Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency.

(2) The details of registration of cyber cafe shall be published on the website of the registration agency.

(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line.

(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

CIS raises two unrelated and substantial objections to this provision: firstly, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, secondly, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.

4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.

Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:

“5. Registration of establishment. – (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing

(a) the name of the employer and the manager, if any;

(b) the postal address of the establishment;

(c) the name, if any, of the establishment,

(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment;

(e) the number of employees working about the business of the establishment; and

(f) such other particulars as may be prescribed.

(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier.

(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect.

(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act.

(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).”

Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.

4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.

In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.

4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.

4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:

“(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”

This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, prima facie violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.

Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.

Rule 4 - Identification of User

5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:

“(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:

(i) Identity card issued by any School or College; or

(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or

(iii) Passport; or

(iv) Voter Identity Card; or

(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or

(vi) Photo Identity Card issued by the employer or any Government Agency; or

(vi) Driving License issued by the Appropriate Government; or

(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).”

The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.

Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.

5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:

“The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.”

While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Therefore, it is proposed that rule 4(2) be amended to read as follows:

“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”

5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:

“(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.”

Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.

Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.4 Sub-rue (4) of rule 4 reads as follows:

“(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).”

Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.

Therefore, it is proposed that rule 4(4) be amended to read as follows:

“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”

5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “shall be allowed to enter the cyber cafe after he has established his identity.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “allow[ing] any user to use its computer resource without the identity of the user of the user being established,” this rule 4(5) is redundant.

Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.

5.6 Rule 4(6) of the Cyber Cafe Rules states:

“(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.”

This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.

Therefore, it is proposed that rule 4(6) be deleted.

Rule 5 - Log Register

6.1 Rule 5(3) of the Cyber Cafe Rules states:

“(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.”

This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.

Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.

Rule 7 - Inspection of Cyber Cafe

7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:

“An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”

The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.

Therefore, it is proposed that rule 7 be deleted.

IV Summary

8.1 In sum:

(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are ultra vires the parent statute;

(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:

Rule 2(1)(c);
Rule 2(1)(e);
Rule 2(1)(g);
Rule 3(1);
Rule 3(4);
Rule 4(1);
Rule 4(2);
Rule 4(3);
Rule 4(4);
Rule 4(5);
Rule 4(6);
Rule 5(3); and
Rule 7.

(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.

8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011

March 2013 Bulletin

praskrishna — 2013-04-14T11:45:29Z

The Centre for Internet & Society (CIS) welcomes you to the third issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), Programme Officer (Access to Knowledge and Openness), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One of this is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

The Lakshadweep Chapter (by Anandhi Viswanathan, March 25, 2013): The union territory of Lakshadweep has not passed any legislation for persons with disabilities, but implements the provisions under the central laws. The benefits currently available to persons with disabilities in Lakshadweep include disability pension, unemployment allowance and grant for setting up kiosks.
The Meghalaya Chapter (by Manojna Yeluri, March 25, 2013): Meghalaya is one of the few north-eastern states, which has appointed a Commissioner for Disabilities. Most of the schemes and benefits given to persons with disabilities in Meghalaya are under centrally sponsored schemes. Very few schemes are initiated by the state government.
The Uttar Pradesh Chapter (by Manojna Yeluri, March 31, 2013): The Government of Uttar Pradesh has established shelter homes and vocational training centres in several parts of the states — most recently in Meerut, Bareilly and Gorakhpur. It has also undertaken to finance nearly 4340 corrective surgeries for polio across nine cities of Uttar Pradesh. It also intends to start several projects in 2013. These include the establishment of a Braille Press in order to produce Braille books, magazines and other study material.

Resources
We now have a new section on our website which contains all government notifications, RTI applications, and accessibility related resources: cases, statutes, etc. The following were published earlier this month:

Information about Schemes for Disabled Persons in Haryana We received this notification on schemes and policies for persons with disabilities from the Government of Haryana.
Haryana Government Notification (Hindi version): The notification that we received from the state government was in Hindi. We will put up the English translation soon.
West Bengal (Govt) Notifications: We received a series of notifications from the West Bengal Government from its various departments such as finance, higher education, transport, health and family welfare, labour, land and land reforms, panchayats and rural development, etc. OCR versions of the same have been published.
Lakshadweep (Govt) Notifications: Notifications received from the Lakshadweep Government including guidelines for functioning of KIOSKS, grant of unemployment allowance and special jobs to persons with disabilities, issuing identity card to persons with disabilities for availing government benefits, etc., are published. OCR versions have also been put up.

Event Participated In

A Discussion on Intercept between UNCRPD & CEDAW (organized by the Shanta Memorial Institute of Rehabilitation – Odisha, CBR Network and Mitra Jyoti, Bangalore, Karnataka, February 4, 2013): Anandhi Viswanathan participated in this event.

Access to Knowledge and Openness

Wikipedia

Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon, Subhashish Panigrahi and Noopur Raval, and one team member Dr. U.B. Pavanaja who is working from Bangalore office.

Indic Wikipedia Visualisation Project

Visualising Basic Parameters (by Sajjad Anwar and Sumandro Chattapadhyay, March 26, 2013): Sajjad and Sumandro bring you a visualisation of the growth of Indic Wikipedia in this first post on Indic Wikipedia Visualisation project. They look into the different aspects of the past and present activities of Indic Wikipedias, and divide the visualisation into three different focus areas: (1) basic parameters, (2) geographic patterns of edits, and (3) exploring the topics that receives the greatest number of edits.

Events Organised

Introductory Wikipedia session at BITS Goa (organised by CIS, Birla Institute of Technology & Science, Pilani, Goa, March 7, 2013). The Access to Knowledge team was invited by Nikhil Dixit from BITS to organise a Wikipedia editing session. Nitika Tandon led the session on IP editing.
Kannada Wikipedia Workshop (organised by CIS, Institution of Engineers, JLB Road, Mysore, March 24, 2013). Dr. U.B. Pavanaja led this workshop.

Events Co-organised

Wiki Women's Day in Goa (organised by the Wikimedia India Chapter and CIS, Nirmala Institute of Education, Panaji, Goa, March 8, 2013). Nitika Tandon participated in this workshop held on International Working Women's Day, and shares the developments in this report.
Wikipedia Workshop for Kannada Science Writers (organised by Wikimedia India Chapter, Karnataka Rajya Vijnana Parishath and CIS, Karnataka Rajya Vijnana Parishath Conference Hall, Banashankari 2nd Stage, Bangalore, March 17, 2013). Dr. U.B. Pavanaja participated in the event.

Upcoming Event

Telugu Wiki Mahotsavam 2013 (co-organised with the Telegu Wikipedia community, Hyderabad, April 9 to 11, 2013). Vishnu Vardhan is participating in this event as a speaker. A public event will be held on April 11 from 5.00 p.m. to 8.00 p.m. at Golden Threshold (Sarojini Naidu's house) in Hyderabad.

Events Participated

Wikipedia Women's Workshop Bangalore 2013 (organised by Wikimedia India, Servelots Infotech, Jayanagar, Bangalore, March 8, 2013). The event was covered by Kannada Prabha on March 9, 2013. Dr. U.B. Pavanaja participated in the event.
Wikipedia at Avenir (organised by the Wikipedia community, Netaji Subhash Engineering College, Kolkata, West Bengal, March 11, 2013). CIS supported this event.

Event Report from Other Organisations
Wikipedia Community members helped the Higher Education Innovation and Research Applications Programme (HEIRA) of CSCS Bangalore to organize a day-long workshop on ‘Digital Literacy’ at Ahmednagar College, Ahmednagar, Maharasthra on January 17, 2013. Tanveer Hasan of HEIRA shares with us the developments in this report.

Other Openness Updates

Event Report

Iraqi Public Data Scenario Workshop: A Summary (by Sumandro Chattapadhyay, March 26, 2013): A workshop on public data was conducted by Sunil Abraham and Sumandro Chattapadhyay for the officials of the Government of Iraq. It was organized by UNDP Iraq in Amman, Jordan from October 18 to 23, 2012. Sumandro Chattapadhyay shares with us the developments from the workshop held over five days.

Event Participated

Open DataCamp - 2013 (organized by Open Data Camp, Dharmaram Vidya Kshetram (inside Christ University Campus), Dairy Circle, Bangalore, March 2 and 3, 2013): Sunil Abraham was a panelist.

HasGeek
HasGeek creates discussion spaces for geeks and has organised conferences like the Fifth Elephant, Droidcon India 2011, Android Camp, etc. HasGeek is supported by CIS and works from the CIS office in Bengaluru.

Upcoming Events

Pig Workshop (organized by HasGeek, Alchemy Solutions, Domlur, Bangalore, 9.00 a.m. to 6.00 p.m.): A workshop on how to use Pig for mining useful information from data. It is open to programmers who have a background in Java programming, some familiarity with Hadoop and MapReduce algorithms, and have worked with large chunks of data.
The Fifth Elephant 2013 (organized by HasGeek, July 11 to 13, 2013, NIMHANS Convention Centre, Bangalore).

Internet Governance

Privacy

Policy

Draft Human DNA Profiling Bill (April 2012): High Level Concerns (by Elonnai Hickok, March 12, 2013). The post examines the high level concerns that CIS has with the April 2012 draft of the Bill.
Human DNA Profiling Bill 2012 Analysis (by Jeremy Gruber, Council for Responsible Genetics, US, March 19, 2013). Jeremy provides an analysis of the Human DNA Profiling Bill, 2012. He says that India’s updated 2012 Human DNA Profiling Bill offers largely superficial changes from its predecessor, the Draft DNA Profiling Bill, 2007.

The Privacy (Protection) Bill 2013: A Citizen's Draft (by Bhairav Acharya, March 26, 2013). Bhairav Acharya has drafted the Privacy (Protection) Bill 2013. It contains provisions that speak to data protection, interception, and surveillance and also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Upcoming Events

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Event Organized

Analyzing the Draft Human DNA Profiling Bill 2012 (organized by the Centre for Internet and Society, Bangalore, March 1, 2013): Maria Xynou shares a summary of the workshop in this report.

Events Participated In

Global Partners Meeting @ London (organized by Privacy International, London School of Economics and Political Science, March 22 – 25, 2013). Sunil Abraham and Malavika Jayaram participated in the event.
India’s Civil Liberties Crisis: Of Bans, Blocks, Bullying and Biometrics (organized by the Center for Global Communication Studies, Annenberg School of Communication, University of Pennsylvania, Philadelphia, March 28, 2013). Malavika Jayaram participated as a speaker.
Future of Privacy in India (organized by DSCI and ICOMP, Oberoi Hotel, New Delhi, April 5, 2013). Sunil Abraham is a speaker at this event.

Blog Posts

Hacking without borders: The future of artificial intelligence and surveillance (by Maria Xynou, March 15, 2013). In this post, Maria looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.
Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes... (by Maria Xynou, March 26, 2013). Maria examines red light cameras, RFID tags and black boxes used to monitor vehicles in India.
Microsoft Releases its First Report on Data Requests by Law Enforcement Agencies around the World (by Maria Xynou, March 27, 2013). CIS presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.
The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues (by Divij Joshi, March 31, 2013). The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

IT Act

Featured Blog Post

CIS Welcomes Standing Committee Report on IT Rules (by Pranesh Prakash, March 27, 2013). CIS welcomes the report by the Standing Committee on Subordinate Legislation, in which it has lambasted the government and has recommended that the government amend the Rules it passed in April 2011 under section 79 of the Information Technology Act. The post was quoted in: The Times of India (March 28, 2013), The Statesman (March 28, 2013), Economic Times (March 28, 2013), Data Quest (March 28, 2013), and The Hindu (April 1, 2013).

Submissions
Bhairav Acharya, on behalf of CIS submitted comments to the Committee on Subordinate Legislation of the 15^th Lok Sabha for the following rules:

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on April 11, 2011.
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on April 11, 2011.
Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on April 11, 2011.

Note: The above rules were submitted earlier but published on our website only recently.

Unique ID Project

Event Organized

Unique Identity Number (UID), National Population Register (NPR), and Governance (organized by CIS and Say No to UID Campaign, TERI, Bangalore, March 2, 2013): CIS interviewed Usha Ramanathan and Anant Maringanti. Watch the videos uploaded in this blog post by Maria Xynou. This was covered in newzfirst on March 3, 2013 and in the Hindu on March 3, 2013.

Interview

Unique Identification Scheme (UID) & National Population Register (NPR), and Governance (by Elonnai Hickok, March 14, 2013). The post examines the UID, NPR and Governance as it exists in India. A video on the UID interview Questions and Answers is published.

News and Media

Indian ID crisis unveils Aadhaar doubts (ZDNet, March 14, 2013). Sunil Abraham is quoted.
New $1 Billion RIC Project Casts Doubts on Aadhaar (AEG India, March 16, 2013). Sunil Abraham is quoted.

Blog Entry

India's Biometric Identification Programs and Privacy Concerns (by Divij Joshi, March 31, 2013).

Free Speech and Expression

News and Media

Foreign Funding of NGOs (by Prashant Reddy, Open Magazine, March 2, 2013).
Iceland’s proposed porn ban ‘like repression in Iran, N. Korea’ – activists (RT, March 1, 2013). Sunil Abraham is quoted.
Chidambaram to Talk Budget on Google+ Hangout (by Dhanya Ann Thoppil, Wall Street Journal, March 4, 2013). Sunil Abraham is quoted.
Responding to govt requests is a challenge for online firms: Colin Maclay (LiveMint, March 13, 2013). Colin M. Maclay, managing director of Berkman Center for Internet and Society at Harvard mentioned CIS.
Indian police set up lab to monitor social media (originally published by AFP, March 18, 2013, and also carried in Global Post on the same day). Sunil Abraham is quoted.
Namaste, Mr. Eric Schmidt (by R. Jai Krishna, Wall Street Journal, March 20, 2013). Sunil Abraham is quoted.
Parliament panel blasts govt over ambiguous internet laws (by Ishan Srivastava, The Times of India, March 28, 2013). Pranesh Prakash is quoted.
What if the Net shut down for a few days (by Atul Sethi, The Times of India, March 30, 2013). Sunil Abraham is quoted.
Press controls ‘send wrong message to rest of world’ (by Jerome Starkey from Johannesburg, Francis Elliott from Delhi and David Brown, The Times, UK).

Event Organized

Freedom Song: Film Screening and Discussion (IIHS Bangalore City Campus, March 21, 2013). Freedom Song, a documentary film produced by the Public Service Broadcasting Trust and directed by Paranjoy Guha Thakurta and Subi Chaturvedi was screened.

Events Participated In

Is Social Media Incredible? (organized by Indian Institute of Journalism & New Media, Bangalore, March 2, 2013). Snehashish Ghosh participated in a panel discussion. The New Indian Express published a post-event report.
Rethinking the Internet: The Way Forward (organized by Telecom Italia and Financial iTimes, Telecom Italia Future Centre, Italy, March 21 – 22, 2013). Pranesh Prakash participated in this event.

Others

Events Organised

DML 2013: Fourth Annual Conference (co-organised by CIS and Digital Media & Learning Research Hub Central, Sheraton Chicago Hotel & Towers - Chicago, Illinois, March 14 – 16, 2013). We had a special track that ran through the conference on "Whose Change Is It Anyway? Futures, Youth, Technology And Citizen Action In The Global South (And The Rest Of The World)". Noopur Raval was one of the 16 presenters that we had selected on the tracks. Nishant Shah was one of the members in the Conference Committee.

Blog Posts

WGIG+8: Stock-Taking, Mapping, and Going Forward (Fontenoy Building, conference room # 7, UNESCO Headquarters, Paris, February 27, 2013). Pranesh Prakash was the moderator for the session. A summary of the discussion has been published.
What’s In a Name? — DNS Singularity of ICANN and the Gold Rush (by Sharath Chandra Ram, March 31, 2013). March 2013 being the 28th birthday of the first ever registered Internet domain as well as the exigent launch of the Trademark Clearing House disguised as a milestone in rights protection by ICANN for its new gTLD program, Sharath Chandra Ram, dissects the transitory role of ICANN from being a technical outfit to the Boardroom Big Brother of Internet Governance.
An Introduction to Bitfilm & Bitcoin in Bangalore, India (by Benson Samuel, March 12, 2013). Video of the event organized by CIS on January 23, 2013 is published in this blog post.

Knowledge Repository on Internet Access

Upcoming Event
We are hosting an “Institute on Internet and Society” in collaboration with the Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details will be announced soon on our website.

The following units have been published:

Internet Protocols (by Srividya Vaidyanathan, March 18, 2013).
How email works, how do you get your email? Email Protocols (SMTP, POP, IMAP), SPAM/Phishing (by Srividya Vaidyanathan, March 19, 2013).
Internet Corporation for Assigned Names and Numbers (by Snehashish Ghosh, March 19, 2013).
ITU sectors — ITU-R, ITU-T, ITU-D, etc. (by Snehashish Ghosh, March 27, 2013).
World Conference on International Telecommunications 2012 (by Snehashish Ghosh, March 29, 2013).

Telecom

Newspaper Column

Are India's Glory Days Over? (by Shyam Ponappa, Organizing India Blogspot, March 8, 2013, originally published in the Business Standard, March 6, 2013).

Digital Natives

Digital Natives with a Cause? examines the changing landscape of social change and political participation in light of the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who critically engage with discourse on youth, technology and social change, and look at alternative practices and ideas in the Global South:

Events Participated In

Video Vortex # 9 Re:assemblies of Video (organized by the Institute of Network Cultures, Post Media Lab, Moving Image Lab, Leuphana, et.al, February 28 – March 2, 2013). Nishant Shah gave the key note. Videos of the event are published.

Digital Humanities

From 2012 to 2015, the Researchers @ Work series is focusing on building research clusters in the field of Digital Humanities. We organised the first Habits of Living workshops in Bangalore last year. The next workshop is being held in Brown University

Event Co-organised

Habits of Living: Networked Affects, Glocal Effects (co-organised with Brown University, March 21 – 23, 2013, Brown University, Rhode Island). Nishant Shah was a speaker at this event. He made a presentation on network ontologies.

Event Participated

Korean Trans Cine-Media in Global Contexts: Asia and the World (organized by Trans-Asia Screen Culture Institute, Cinema Studies, Korean National University of Arts, Korean Film Archive and Tsubouchi Memorial Theatre Museum, Waseda University, Seoul, March 27 – 29, 2013). Nishant Shah was a speaker at this event. He spoke on "The Asian Intercourse: Reimagining the Inter-Asia moment through ‘net-porn’ in networks".

About CIS

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

For more details visit https://cis-india.org/about/newsletters/march-2013-bulletin

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns

Centre for Internet and Society

Odia Wikipedia: Needs Assessment

Fact Sheet

﻿Identified Needs

Google Policy Fellowship Programme: Call for Applications

Fellowship Focus Areas

Frequently Asked Questions

Payments, Forms, and Other Administrative Stuff

Host Organizations

Important Dates

CIS anniversary

Celebrating 5 Years of CIS

Agenda

May 20, 2013

May 21, 2013

May 22, 2013

May 23, 2013

About the Speakers

The Artists

Locations

Bangalore

Delhi

Event Brochure

Event Posters/Banners and Videos

Accessibility

Access to Knowledge

Access to Knowledge (Wikipedia)

Openness

Internet Governance (Free Speech)

Internet Governance (Privacy)

Telecom

RAW Monographs

News and Media

Goa chapter

Access to Knowledge Bulletin — May 2013

From Open Citizen Radio Networks to the Race for .RADIO gTLD

An Overview of Open Radio Networks

Impedances and Emerging Trends in Commercial radio webcasting:

The .RADIO TLD competition

Key References

April 2013 Bulletin

Access to Knowledge and Openness

News and Media

GNI Annual Report

India's 'Big Brother': The Central Monitoring System (CMS)

The Central Monitoring System (CMS)

Surveillance in the name of Security

CMS targeting individuals: myth or reality?

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011

Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011

March 2013 Bulletin

Access to Knowledge and Openness

Other Openness Updates

Privacy

IT Act

Unique ID Project

Free Speech and Expression

Others

Follow us elsewhere

Support Us

Request for Collaboration

India's Biometric Identification Programs and Privacy Concerns

Introduction

‘Big Data’ and Privacy Issues

Biometric ID and Theft of Private Data

Biometric data and Potential Misuse

Identified Needs