Centre for Internet and Society

India's Central Monitoring System (CMS): Something to Worry About?

maria — 2014-02-22T13:50:37Z

In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!

The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as a project run by the Centre for Communication Security Research and Monitoring (CCSRM), along with the Telecom Testing and Security Certification (TTSC) project.

The Central Monitoring System (CMS), which was largely covered by the media in 2013, was actually approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, government funding of the CMS has reached at least Rs. 450 crore (around $72 million).

In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, clause 41.10 of the Unified Access Services (UAS) License Agreement was amended in June 2013. In particular, the amended clause includes the following:

“But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”

Furthermore, draft Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. Call Data Records, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.

Other than this draft Rule and the amendment to clause 41.10 of the UAS License Agreement, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph Act, 1885, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:

the interests of the sovereignty and integrity of India
the security of the State
friendly relations with foreign states
public order
for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.

So how does the Central Monitoring System (CMS) actually work?

We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized access to the country's telecommunications network. The question, though, is how.

Well, prior to the CMS, all service providers in India were required to have Lawful Interception Systems installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.

In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that the authority can also bypass service providers in gaining such access. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.

The above is illustrated in the following chart:

The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, 70 ISF servers have been purchased for six License Service Areas and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.

The Centre for Development of Telematics plans to integrate ISF servers which connect with the CMS in the premises of service providers in the following regions:

Delhi
Maharashtra
Kolkata
Uttar Pradesh (West)
Andhra Pradesh
Uttar Pradesh (East)
Kerala
Gujarat
Madhya Pradesh
Punjab
Haryana

With regards to the UAS License Agreement that TSPs are required to comply with, amended clause 41.10 specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a Memorandum of Understanding (MoU) for MPLS connectivity has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, Rs. 4.8 crore have been given to BSNL for interconnecting 81 CMS locations of the following License Service Areas:

Delhi
Mumbai
Haryana
Rajasthan
Kolkata
Karnataka
Chennai
Punjab

Clause 41.10 of the UAS License Agreement also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor at least 30 simultaneous calls for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:

Called/calling party mobile/PSTN numbers
Time/date and duration of interception
Location of target subscribers (Cell ID & GPS)
Data records for failed call attempts
CDR (Call Data Records) of Roaming Subscriber
Forwarded telephone numbers by target subscriber

Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, 80% of the CMS Physical Data Centre has been built so far.

In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. Training has been imparted to the following law enforcement agencies:

Intelligence Bureau (IB)
Central Bureau of Investigation (CBI)
Directorate of Revenue Intelligence (DRI)
Research & Analysis Wing (RAW)
National Investigation Agency (NIA)
Delhi Police

And should we even be worried about the Central Monitoring System?

Well, according to the brief material for the Honourable MOC and IT Press Briefing on 16th July 2013, we should not be worried about the Central Monitoring System. Over the last year, media reports have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However, Indian authorities have argued that the Central Monitoring System will better protect the privacy of individuals and maintain their security due to the following reasons:

The CMS will just automate the existing process of interception and monitoring, and all the existing safeguards will continue to exist
The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A
The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted
The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data
A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard

While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.

The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will “just” be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the Information Technology (Amendment) Act, 2008, and the Indian Telegraph Act, 1885, potentially infringe upon individual's right to privacy and other human rights.

May I remind you of Section 69 of the Information Technology (Amendment) Act, 2008, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an ambiguous matter. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”

The second argument appears inadequate too. Section 5(2) of the Indian Telegraph Act, 1885, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates targeted surveillance, while the Central Monitoring System could potentially undertake mass surveillance. Since the process of interception is automated and, under clause 41.16 of the Unified License (Access Services) Agreement, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.

As for the third argument, it is not clear how bypassing the nodal officers of TSPs will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?

While the fourth argument makes a point about differentiating the provisioning and requesting entities with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.

Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What's concerning is that metadata can potentially be more useful for tracking individuals than content data, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.

The final argument appears to provide some promise, since the maintenance of a command log of all provisioning activities could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.

In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it protects individuals from abuse by those in power and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.

If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.

After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.

How can we not be worried about the Central Monitoring System?

The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.

For more details visit https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about

UAS License Agreement Amendment regarding the Central Monitoring System (CMS)

maria — 2014-01-30T12:43:56Z

For more details visit https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment

New Document on India's Central Monitoring System (CMS) - 2

maria — 2014-01-30T12:40:31Z

For more details visit https://cis-india.org/internet-governance/blog/new-cms-doc-2

January 2014 Bulletin

praskrishna — 2014-04-07T07:09:59Z

The Centre for Internet and Society (CIS) welcomes you to the first issue of its newsletter (January) for the year 2014:

-------------------------------
Highlights
-------------------------------

Amba Salelkar provides an analysis of the three stages of the Rights for Persons with Disabilities 2013 since it was initially commissioned.
We published revised chapters for the states of Andhra Pradesh and Chhattisgarh as part of our National Resource Kit project.
In the first of a three-part study Ananth Padmanabhan examines the "John Doe" orders that courts have passed against ISPs, which entertainment companies have used to block websites.
The second Institute on Internet and Society is being held in Pune from February 11 to 17.
CIS signed a memorandum of understanding (MoU) with KIIT University and Kalinga Institute of Social Sciences for furthering Odia Wikipedia.
Dr. Nishant Shah co-authored a chapter on video games in a book published by Palestinian Art Court-al Hoash.
Sneha gives an overview of the research enquiry in the field of Digital Humanities in her blog post on Mapping Digital Humanities in India.
In the first of the insightful seven part series, Gautam Bhatia looks at surveillance and the right to privacy in India from a constitutional perspective, tracing its genealogy through Supreme Court case law and compares it with the law in the USA.

-----------------------------------------------
Jobs
-----------------------------------------------
CIS is seeking applications for the posts of Program Officer (Access to Knowledge): http://bit.ly/1fnydB0 and Program Officer (Internet Governance): http://bit.ly/1aA57K6. There are two vacancies each for these posts and these are full-time based in Delhi. To apply, please send your resume to Sunil Abraham (sunil@cis-india.org), Nirmita Narasimhan (nirmita@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org) with three writing samples of which at least one demonstrates your analytic skills, and one that shows your ability to simplify complex policy issues.

----------------------------------------------
Accessibility and Inclusion
----------------------------------------------
As part of our project (under a grant from the Hans Foundation) on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India, we bring you draft chapters for the states of Madhya Pradesh and Arunachal Pradesh, and the union territory of Daman and Diu. With this we have completed compilation of draft chapters for 27 states and 5 union territories.

Based on the feedback and comments received from our readers the following chapters were revised:

► National Resource Kit Chapter

Andhra Pradesh Chapter (by Anandhi Viswanathan, January 31, 2014): http://bit.ly/1lzUFcG.
Chhattisgarh Chapter (by Anandhi Viswanathan, January 31, 2014): http://bit.ly/1fY4NZ0.

# Blog Entry

The Right of Persons with Disabilities Bill 2013 and the Lack of Access to Accessibility Rights (by Amba Salelkar, January 31, 2014): http://bit.ly/1diSg40.

-----------------------------------------------------------
Access to Knowledge
-----------------------------------------------------------
The Access to Knowledge programme addresses the harms caused to consumers and human rights, and critically examines Open Government Data, Open Access to Scholarly Literature, and Open Access to Law, Open Content, Open Standards, and Free/Libre/Open Source Software.

# Analysis

Can Judges Order ISPs to Block Websites for Copyright Infringement? (Part 1) (by Ananth Padmanabhan, January 30, 2014). Ananth looks at the theory behind John Doe orders and finds that it would be wrong for Indian courts to grant "John Doe" orders against ISPs: http://bit.ly/1nteYaK.

# Blog Entries

Open Letter to the Vatican: Request for Holy See to Comment on IPR (by Samantha Cassar, January 31, 2014): http://bit.ly/1dGN7OS.
The Game of IPR: Insights from the 6th Global Intellectual Property Convention in Hyderabad (by Samantha Cassar, January 31, 2014): http://bit.ly/1fY5qS6.

The following has been done under grant from the Wikimedia Foundation (http://bit.ly/SPqFOl). As part this project (http://bit.ly/X80ELd), we organised 4 workshops in the month of January, published an article in DNA, and signed a memorandum of understanding with KIIT University and Kalinga Institute of Social Sciences to further the development of Odia Wikipedia:

►Wikipedia

# Articles / Newspaper Columns

Odia Wikipedia: Three Years of Active Contributions Gives Life to a Ten Year Old Project (by Subhashish Panigrahi, HASTAC, January 31, 2014): http://bit.ly/1jvxD8r.
WikiSangamotsavam 2013 brings Indian Wikimedians together (by Netha Hussain and Subhashish Panigrahi, DNA, January 14, 2014). The article was edited by Rohini Lakshane: http://bit.ly/1jvynKP.

# Announcement

CIS-A2K, KIIT University and Kalinga Institute of Social Sciences sign MoUs (by Subhashish Panigrahi, January 11, 2014): KIIT University, Kalinga Institute of Social Sciences and the Centre for Internet and Society's Access to Knowledge team (CIS-A2K) have entered into a memorandum of understanding (MoUs) for furthering Odia Wikipedia: http://bit.ly/1j1qtFv.

# Blog Entries

Wikipedia Editing as Assessment Tool in the Indian Higher Education Classroom (by Dr. Tejaswini Niranjana, Ashwin Kumar A.P. and T. Vishnu Vardhan, January 30, 2014): http://bit.ly/1m5QHMD.
Wikipedia at Forefront in Christ University (by Syed Muzamiluddin, January 29, 2014): http://bit.ly/LTFA8E.

# Events Organised

Odia WikiMeetup (Bhubaneswar, January 11, 2014): http://bit.ly/NBkFJi.
Introductory talk about "Wikipedia in Academics" (KIIT School of Technology, Bhubaneswar, January 12, 2014): http://bit.ly/1j1yv1f.
Odia Wikipedia's 10th anniversary @ KISS (Kalinga Institute of Social Sciences, Bhubaneswar, January 28, 2014): http://bit.ly/1gsqkJC.
Odia Wikipedia 10th anniversary (Indian Institute of Mass Communication, Dhenkanal, January 29, 2014): http://bit.ly/1dGRBoy.

# Event Participated In

The Dynamics of Education to Employment Journey: Opportunities and Challenges (organized by KIIT School of Management, KIIT University, Bhubaneswar, February 21-22, 2014). T. Vishnu Vardhan gave a talk: http://bit.ly/1ePwqHc.

# Media Coverage

CIS gave its inputs to the following media coverage:

Digitising contest to preserve rare books in Malayalam (The Hindu, January 4, 2014): http://bit.ly/NBtVgz.
‘With Internet in every pocket, power to the people’ (by Shubhadeep Chaudhury, The Tribune, January 12, 2014): http://bit.ly/1ojb1IZ. Shubhadeep interviews T. Vishnu Vardhan on internet and social media.
ଆଦିବାସୀଭାଷାରଉନ୍ନତିକଳ୍ପେଉଇକିପିଡ଼ିଆ(Odishan.com, January 12, 2014):http://bit.ly/1kAWJmG.
KIIT University to lead building free knowledge repository initiative (India Education Diary.com, January 20, 2014): http://bit.ly/1j1Rzwk.
Odisha: KISS to create tribal languages and heritage repository (Odisha Diary Bureau, January 20, 2014): http://bit.ly/1bLBhmB.
FDC recognition for the Centre for the Internet and Society (Wikimedia Foundation, January 30, 2014): http://bit.ly/1fYdxOz. Wikimedia Foundation published a resolution declaring CIS eligible for funding through the Annual Plan Grants program.
Tech-savvy students given tips to enter IT field (The Times of India, January 31, 2014): http://bit.ly/1j1QvIX.
Odia Wikipedia (Sanchar, January 31, 2014): http://bit.ly/1ePwAON.

Openness

# Event Organised

What is happening in South America and how Openness is an opportunity to Social, Political and Activist Movements? (Centre for Internet and Society, Bangalore, January 17, 2014): http://bit.ly/1bnZaq0.

-----------------------------------------------
Internet Governance
-----------------------------------------------
CIS is doing a project (under a grant from Privacy International and International Development Research Centre (IDRC)) on conducting research on surveillance and freedom of expression (SAFEGUARDS). So far we have organised seven privacy round-tables and drafted the Privacy (Protection) Bill. Gautam Bhatia gives an analysis of the right to privacy from a constitutional perspective and Elonnai Hickok analyses a public report published by GNI.

# Analyses

Surveillance and the Indian Constitution - Part 1: Foundations (by Gautam Bhatia, January 13, 2014): http://bit.ly/1ntqsen.
Surveillance and the Indian Constitution - Part 2: Gobind and the Compelling State Interest Test (by Gautam Bhatia, January 27, 2014): http://bit.ly/1dH3meL.

# Newspaper Columns / Book Chapter

Big Brother is Watching You (by Chinmayi Arun, The Hindu, January 3, 2014): http://bit.ly/1cGpg0K.
Making the Powerful Accountable (by Chinmayi Arun, The Hindu, January 30, 2014): http://bit.ly/1nvzSpC.
Video Games: A Case Study of a Cross-cultural Video Collaboration (by Larissa Hjorth and Nishant Shah, January 31, 2014): http://bit.ly/1eTaXLX. A new book focusing on Palestinian artists’ video, edited by Bashir Makhoul and published by Palestinian Art Court- al Hoash, 2013, includes a chapter co-authored by Larissa and Nishant.

# Blog Entries

Letter requesting public consultation on position of GoI at WGEC (by Snehashish Ghosh, January 7, 2014): http://bit.ly/1g66bL7.
Electoral Databases – Privacy and Security Concerns (by Snehashish Ghosh, January 16, 2014): http://bit.ly/Mb4ktM.
GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression (by Elonnai Hickok, January 20, 2014): http://bit.ly/1mjbpmL.
Interview with Mathew Thomas from the Say No to UID campaign - UID Court Cases (by Maria Xynou, January 27, 2014): http://bit.ly/1eT9XHv. Maria interviewed Mathew Thomas on UID.
India's Central Monitoring System (CMS): Something to Worry About? (by Maria Xynou, January 30, 2014): http://bit.ly/1gsM4oQ.

# Events Organized

Biometrics or Bust? Implications of the UID for Participation and Inclusion (CIS, Bangalore, January 10, 2014). Malavika Jayaram gave a talk: http://bit.ly/1lJZhuK.
Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression (CIS, Bangalore, January 14, 2014): http://bit.ly/KucEU5. Michael Oghia gave a talk.
Nullcon Goa Feb 2014 — International Security Conference (organised by Nullcon, Bogmallo Beach Resort, Goa, February 12 – 15, 2014). CIS is one of the sponsors for this event: http://bit.ly/1lrBu5I.

# Events Co-organised

CPDP 2014 Reforming Data Protection: The Global Perspective (organised by CPDP, Brussels, January 22 – 24, 2014): http://bit.ly/KsgCws. CIS is one of the sponsors for this event. Malavika Jayaram was a speaker.
The Future of the Internet, Who Should Govern It and What is at Stake for You? (organised by Internet and Mobile Association of India, Cellular Operators Association of India, Internet Democracy project, Media for Change, SFLC and CIS, India International Centre, January 29, 2014): http://bit.ly/1eqkSUu. Chinmayi Arun moderated a session. Snehashish Ghosh participated in the event as a speaker.

# Events Participated In

Seminar on "Hate Speech and Social Media" (organized by NALSAR University of Law, Hyderabad and British Deputy High Commission, Hyderabad, January 4 – 5, 2014): http://bit.ly/1dmcEkT. Chinmayi Arun was one of the speakers.
Multistakeholders Consultation on International Public Policy Issues (organized by the Department of Electronics & Information Technology, New Delhi, January 21, 2014): http://bit.ly/Mbfkao. Snehashish Ghosh participated in this meeting.
Internet Governance and India: The Way Forward (organized by Observer Research Foundation, New Delhi, January 22, 2014): http://bit.ly/1ePFueY. Snehashish Ghosh participated in the event.
Data Privacy Day 2014 (organized by Data Security Council of India, Infosys, Bangalore, January 28, 2014). Elonnai Hickok was a panelist: http://bit.ly/1ePFfk8.
TACTIS Symposium 2014 (organized by Tata Consultancy Service, TCS Siruseri, Chennai, January 28 and 29, 2014): http://bit.ly/1bo9y0R. Sunil Abraham gave the keynote address.

--------------------------------
News & Media Coverage
--------------------------------
CIS gave its inputs to the following media coverage:

Inventions that will make a difference (by Geeta Padmanabhan, The Hindu, January 1, 2014): http://bit.ly/MKwmfu.
Rise of the bot: all you need to know about the latest threat online (by Danish Raza, Hindustan Times, January 5, 2014): http://bit.ly/1dHgNex.
Despite apex court order, IOC proceeds with Aadhaar-linked DBT (by Deepa Kurup, The Hindu, January 6, 2014): http://bit.ly/1g6ffjn.
Worldwide: International Privacy - 2013 Year in Review – Asia (by Gonzalo S. Zeballos, James A. Sherer and Alan M. Pate, Mondaq Yearly Review, January 8, 2014): http://bit.ly/1iOaYRO.
Election panel rejects Google’s proposal for electoral services tie-up (by Anuja and Moulishree Srivastava, Livemint, January 9, 2014): http://bit.ly/1gpaGjF.
Social Notworking - 'Murder by Twitter'(by Malini Nair, The Times of India, January 19, 2014): http://bit.ly/1j2kT63.
The net is taking over (by Veenu Sandhu and Surabhi Agarwal, Business Standard, January 24, 2014): http://bit.ly/1hb4eQL.
The Dangers of Birdsong (by Namrata Joshi, January 25, 2014): http://bit.ly/1kB8J7L.
Is Bhutan selling its soul to Google? (by Lucky Wangmo from Thimphu and Pema Seldon form Bangalore, Business Bhutan, January 25, 2014): http://bit.ly/1fYl3sO.
What is net neutrality and why it is important (The Times of India, January 30, 2014): http://bit.ly/1ePFZ8P.

--------------------------------
Digital Humanities
--------------------------------
CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

# Blog Entry

Mapping Digital Humanities in India (by Sneha PP, January 16, 2014): http://bit.ly/1gsQEEQ.

--------------------------------
Digital Natives
--------------------------------
CIS is doing a research project titled “Making Change”. The project will explore new ways of defining, locating, and understanding change in network societies. Having the thought piece 'Whose Change is it Anyway' as an entry point for discussion and reflection, the project will feature profiles, interviews and responses of change-makers to questions around current mechanisms and practices of change in South Asia and South East Asia:

►Making Change Project

# Blog Entry

Creative Activism - Voices of Young Change Makers in India (UDAAN) (by Denisse Albornoz, January 20, 2014): http://bit.ly/1cxXAMI.

►Other
# Newspaper Column

10 Ways to Say Nothing New (by Nishant Shah, Indian Express, January 19, 2014): http://bit.ly/1gsONjn.

----------------------------------------------------------
Knowledge Repository on Internet Access
----------------------------------------------------------
CIS in partnership with the Ford Foundation is executing a project to create a knowledge repository on Internet and society. This repository will comprise content targeted primarily at civil society with a view to enabling their informed participation in the Indian Internet and ICT policy space. The repository is available at the Internet Institute website: http://bit.ly/1iQT2UB.

►Ongoing Event

Institute on Internet and Society (organised by Ford Foundation and CIS, Yashada, Pune, February 11-17, 2014): http://bit.ly/180mQi9.

-----------------------------------------------------
About CIS
-----------------------------------------------------
The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

► Follow us elsewhere

Twitter:https://twitter.com/CISA2K
Facebook group: https://www.facebook.com/cisa2k
Visit us at:https://meta.wikimedia.org/wiki/India_Access_To_Knowledge
E-mail: a2k@cis-india.org

► Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration:
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org. To discuss collaborations on Indic language Wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org.

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/january-2014-bulletin

The Future of the Internet, Who Should Govern It and What is at Stake for You?

praskrishna — 2014-02-12T11:12:54Z

Internet and Mobile Association of India, Cellular Operators Association of India, Internet Democracy project, Media for Change, SFLC and the Centre for Internet Society is organizing a Multi-stakeholder Dialogue on the future of internet on January 29, 2014 at Multipurpose Hall, India International Center (IIC).

Snehashish Ghosh will participate in the event as a speaker.

Schedule

10.00 - 10.30: Registration
10.30 -13.30: Discussion and Open House
13.30: Lunch

The meeting seeks to address, among others, the following questions:

The issue of governing the internet through a multistakeholder mechanism (including government, business, civil society, academia and the technical community) versus a multilateral one (or an intergovernmental one, including only governments in a decision making role) is leading the global discourse.

What is multistakeholderism? How is it practiced? How is it different from multilateralism or intergovernmental decision making? Why has multistakeholderism assumed such an important role in internet governance?
Moderator – Subi Chutervedi

Several of the arguments are based in a framework document known as ‘Tunis Agenda 2005’.
What is the role of the Tunis Agenda in these debates? Since its formulation 9 years ago, is it still relevant? What does “stakeholders in their respective roles” mean in 2014 and beyond?
Moderator – Subi Chaturvedi

The positions taken by the Government of India at international fora are linked to its cyber security concerns.
Will India’s position of multilateral/intergovernmental governance of the Internet actually address these cyber security concerns?
Moderator – Anja Kovacs

Since the Snowden revelations, mass surveillance by governments has assumed center stage and is driving the recent discourse.
Will a multilateral/inter-governmental mechanism adequately address serious concerns of government surveillance and intrusion into the privacy of internet users and citizens?
Moderator – Anja Kovacs

Innovation, freedom of speech and expression and privacy rights are critical to a free and open internet. How are these impacted under a multistakeholder vis-à-vis a multilateral/inter-governmental mechanism?
Moderator- Chinmayi Arun

Internet governance has both a domestic and a global angle. In 2014, what should be the process of policy making involving stakeholders? Should there be consultation and what should be the process, quality and outcome of such consultation, especially as it relates to Internet Governance?

What process should the government adopt before taking a position internationally and while formulating domestic policy related to internet governance?
Moderator Chinmayi Arun

For more details visit https://cis-india.org/events/future-of-internet-january-29-2014

Surveillance and the Indian Constitution - Part 2: Gobind and the Compelling State Interest Test

pranesh — 2014-01-27T18:03:38Z

Gautam Bhatia analyses the first case in which the Supreme Court recognized a constitutional right to privacy, Gobind v. State of Madhya Pradesh, and argues that the holding in that case adopted the three-pronged American test of strict scrutiny, compelling State interest, and narrow tailoring in its approach to privacy violations.

After its judgment in Kharak Singh, the Court was not concerned with the privacy question for a while. The next case that dealt – peripherally – with the issue came eleven years later. In R.M. Malkani v State of Maharashtra, the Court held that attaching a recording device to a person’s telephone did not violate S. 25 of the Telegraph Act, because

"where a person talking on the telephone allows another person to record it or to hear it, it can-not be said that the other person who is allowed to do so is damaging, removing, tampering, touching machinery battery line or post for intercepting or acquainting himself with the contents of any message. There was no element of coercion or compulsion in attaching the tape recorder to the telephone."

Although this case was primarily about the admissibility of evidence, the Court also took time out to consider – and reject – a privacy-based Article 21 argument, holding that:

"Article 21 was invoked by submitting that the privacy of the appellant’s conversation was invaded. Article 21 contemplates procedure established by law with regard to deprivation of life or personal liberty. The telephonic conversation of an innocent citizen will be protected by Courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants. It must not be understood that the Courts will tolerate safeguards for the protection of the citizen to be imperiled by permitting the police to proceed by unlawful or irregular methods."

Apart from the fact that it joined Kharak Singh in refusing to expressly find a privacy right within the contours of Article 21, there is something else that unites Kharak Singh and R.M. Malkani: they hypothetical in Kharak Singh became a reality in Malkani – what saved the telephone tapping precisely because it was directed at "… a guilty person", with the Court specifically holding that the laws were not for targeting innocent people. Once again, then, the targeted and specific nature of interception became a crucial – and in this case, a decisive – factor. One year later, in another search and seizure case, Pooran Mal v Inspector, the Court cited M.P. Sharma and stuck to its guns, refusing to incorporate the Fourth Amendment into Indian Constitutional law.

It is Gobind v State of MP, decided in 1975, that marks the watershed moment for Indian privacy law in the Constitution. Like Kharak Singh, Gobind also involved domiciliary visits to the house of a history-sheeter. Unlike Kharak Singh, however, in Gobind the Court found that the Regulations did have statutory backing – S. 46(2)(c) of the Police Act, which allowed State Government to make notifications giving effect to the provisions of the Act, one of which was the prevention of commission of offences. The surveillance provisions in the impugned regulations, according to the Court, were indeed for the purpose of preventing offences, since they were specifically aimed at repeat offenders. To that extent, then, the Court found that there existed a valid “law” for the purposes of Articles 19 and 21.

By this time, of course, American constitutional law had moved forward significantly from eleven years ago, when Kharak Singh had been decided. The Court was able to invoke Griswold v Connecticut and Roe v Wade, both of which had found a "privacy" as an "interstitial" or "penumbral" right in the American Constitution – that is, not reducible to any one provision, but implicit in a number of separate provisions taken together. The Court ran together a number of American authorities, referred to Locke and Kant, to dignity, to liberty and to autonomy, and ended by holding, somewhat confusingly:

“the right to privacy must encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing. This catalogue approach to the question is obviously not as instructive as it does not give analytical picture of that distinctive characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as unifying principle underlying the concept has been the assertion that a claimed right must be a fundamental right implicit in the concept of ordered liberty… there are two possible theories for protecting privacy of home. The first is that activities in the home harm others only to the extent that they cause offence resulting from the mere thought that individuals might he engaging in such activities and that such ‘harm’ is not Constitutionally protective by the state. The second is that individuals need a place of sanctuary where they can be free from societal control. The importance of such a sanctuary is that individuals can drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves, an image that may reflect the values of their peers rather than the realities of their natures… the right to privacy in any event will necessarily have to go through a process of case-by-case development."

But if no clear principle emerges out of the Court’s elucidation of the right, it was fairly unambiguous in stressing the importance of the right itself. Interestingly, it grounded the right within the context of the freedom struggle. "Our founding fathers," it observed, "were thoroughly opposed to a Police Raj even as our history of the struggle for freedom has borne eloquent testimony to it." (Para 30) The parallels to the American Fourth Amendment are striking here: in his historical analysis Akhil Amar tells us that the Fourth Amendment was meant precisely to avoid the various abuses of unreasonable searches and seizures that were common in England at the time.

The parallels with the United States become even more pronounced, however, when the Court examined the grounds for limiting the right to privacy. "Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, that fundamental right must be subject to restriction on the basis of compelling public interest." "Compelling public interest" is an interesting phrase, for two reasons. First, “public interest” is a ground for fundamental rights restrictions under Article 19 (see, e.g., Article 19(6)), but the text of the Article 19 restrictions do not use – and the Court, in interpreting them, has not held – that the public interest must be “compelling”. This suggests a stricter standard of review for an Article 21 privacy right violation than Article 19 violations. This is buttressed by the fact that in the same paragraph, the Court ended by observing: “even if it be assumed that Article 19(5) [restrictions upon the freedom of movement] does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.” The Court echoes the language of 19(5), and adds the word “compelling”. This surely cannot be an oversight.

More importantly – the compelling State interest is an American test, used often in equal protection cases and cases of discrimination, where “suspect classes” (such as race) are at issue. Because of the importance of the right at issue, the compelling state interest test goes hand-in-hand with another test: narrow tailoring. Narrow tailoring places a burden upon the State to demonstrate that its restriction is tailored in a manner that infringes the right as narrowest manner that is possible to achieve its goals. The statement of the rule may be found in the American Supreme Court case of Grutter v Bollinger:

"Even in the limited circumstance when drawing racial distinctions is permissible to further a compelling state interest, government is still constrained under equal protection clause in how it may pursue that end: the means chosen to accomplish the government’s asserted purpose must be specifically and narrowly framed to accomplish that purpose."

To take an extremely trivial example that will illustrate the point: the State wants to ban hate speech against Dalits. It passes legislation that bans “all speech that disrespects Dalits.” This is not narrowly tailored, because while all hate speech against Dalits necessarily disrespects them, all speech that disrespects Dalits is not necessarily hate speech. It was possible for the government to pass legislation banning only hate speech against Dalits, one that would have infringed upon free speech more narrowly than the “disrespect law”, and still achieved its goals. The law is not narrowly tailored.

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring flip side of the compelling state interest coin. On the constitutionality of the Police Regulations itself, it upheld their constitutionality by reading them narrowly. Here is what the Court said:

“Regulation 855, in our view, empowers surveillance only of persons against whom reasonable materials exist to induce the opinion that they show a determination, to lead a life of crime – crime in this context being confined to such as involve public peace or security only and if they are dangerous security risks. Mere convictions in criminal cases where nothing gravely imperiling safety of society cannot be regarded as warranting surveillance under this Regulation. Similarly, domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security and not routine follow-up at the end of a conviction or release from prison or at the whim of a police officer.”

But Regulation 855 did not refer to the gravity of the crime at all. Thus, the Court was able to uphold its constitutionality only by narrowing its scope in a manner that the State’s objective of securing public safety was met in a way that minimally infringed the right to privacy.

Therefore, whether the Gobind bench was aware of it or not, its holding incorporates into Indian constitutional law and the right to privacy, not just the compelling State interest test, but narrow tailoring as well. The implications for the CMS are obvious. Because with narrow tailoring, the State must demonstrate that bulk surveillance of all individuals, whether guilty or innocent, suspected of crimes or not suspected of crimes (whether reasonably or otherwise), possessing a past criminal record or not, speaking to each other of breaking up the government or breaking up a relationship – every bit of data must be collected to achieve the goal of maintaining public security, and that nothing narrower will suffice. Can the State demonstrate this? I do not think it can, but at the very least, it should be made to do so in open Court.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-2

GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression

elonnai — 2014-01-20T06:17:46Z

Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.

Introduction

In January 2014, the Global Network Initiative (GNI) published the Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo. GNI is an industry consortium that was started in 2008 with the objective of protecting user’s right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join as members to the GNI network.

Overview of the Public Report

The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the GNI principles on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi – stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with Implementation Guidelines to provide companies with a framework for companies to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.

Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices by the companies that work to protect freedom of expression and privacy such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been, adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user who’s posted content is removed, Google will often notify the user and directs the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.

The Report highlights challenges to compliance with the GNI principles that companies face – namely legal restraints and mandates that they are faced with. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy for reasons such as the request needed clarification and modification, or that the request needed to follow established procedure.

A number of findings came out of the assessments undertaken for the Report including:

As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.
The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.
Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles.

The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:

Improving the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies.
Consider the impact of hardware on freedom of expression and privacy.
Improve external and internal reporting.
Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.
Review executive management training.
Improve stakeholder engagement.
Improve communication with users.
Increase sharing of best practices.
The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.

NSA leaks, global push for governmental surveillance reform, and the Public Report

With special attention given to the various companies responses to the NSA leaks, the Report notes that in response to the NSA leaks the assessed companies have issued public statements and filed legal challenges with the US government and filed suit with the FISA Court seeking the right to disclose data relating to the number of FISA requests received with the public. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore in December 2014, the companies , along with other internet companies, developed and issued the five Principles on Global Government Surveillance Reform. Similar to other efforts to end mass and disproportionate surveillance, such as the Necessary and Proportionate principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.

Along these lines, on January 14^th, GNI released the statement “Surveillance Reforms to Protect Rights and Restore Trust”, urging the U.S Government to review and enact surveillance legislation that incorporate a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends the Government to action and: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, support the use of strong encryption standards.

Conclusion and way forward

Looking ahead, GNI is planning on developing and implementing a mechanism to address effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.

The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and being to adopt the GNI principles and undergo GNI assessments.

For more details visit https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression

EU parliament report slams US surveillance

praskrishna — 2014-02-03T06:13:55Z

Report that outlines need for stringent laws for protecting citizen privacy, democratizing Internet governance holds lessons for India, say analysts.

The article by Moulishree Srivastava and Elizabeth Roche quotes Sunil Abraham. It was published in Livemint on January 17, 2014.

A European Union (EU) parliament report that outlines the need for stringent laws for protecting citizen privacy, democratizing Internet governance and rebuilding trust between Europe and the US holds many lessons for India, analysts and policymakers say.

The US government listened into Indian communications as part of its massive global surveillance, which was exposed last year in leaks to the media. The embassies of France, Italy, Greece, Japan, Mexico, South Korea and Turkey were also subjected to the surveillance put in place after the September 2001 terrorist attacks. According to the external affairs ministry, India has registered its protest at least thrice over the issue with US authorities.

A draft report on the US National Security Agency’s surveillance programme by the European parliament’s committee on civil liberties, justice and home affairs states that trust between the two transatlantic partners, trust among EU member-states, and trust between citizens and their governments were profoundly shaken because of the spying, and to rebuild trust in all these dimensions a comprehensive plan was urgently needed.

"It is very doubtful that data collection of such magnitude is only guided by the fight against terrorism, as it involves the collection of all possible data of all citizens; points therefore to the possible existence of other power motives such as political and economic espionage," says the report.

The report recommends prohibiting blanket mass surveillance activities and bulk processing of personal data, and asks EU member-states, including the UK, Germany, France, Sweden and the Netherlands, to revise their national legislation and practices governing the activities of intelligence services to ensure that they are in line with the standards of the European Convention on Human Rights.

It also calls on the US to revise its legislation without delay in order to bring it in line with international law, recognizing privacy and other rights as well as providing for judicial redress for EU citizens.

"The American approach to privacy regulation has been deeply flawed. The US dominance over the Internet affects the structure and substance of Internet governance and among other human rights, the right to privacy," said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based not-for-profit research organization. "The (EU) report, if implemented, may change the future of Internet governance by deepening the existing leadership provided by the EU in promoting their privacy standards globally."

On India’s rather restrained reaction to the spying, he said, “It is a tragedy that our politicians are not as proactive when it comes to protecting our rights. While India has only focused on changing its official email policy after the revelations of mass surveillance, it has done nothing as concrete and comprehensive as EU."

"There is neither the recognition of (the) pervasive nature of global mass surveillance, nor is there full appreciation (of) the damaging consequences," Abraham added.

J. Satyanarayana, secretary in India’s department of electronics and information technology, said the concerns over privacy are the same for India as for the EU, but declined to comment on what preventive steps the government is implementing due to security reasons. The EU report called for concluding the EU-US umbrella pact, a framework agreement on data protection in the field of police and judicial cooperation, to ensure proper redress mechanisms for EU citizens in the event of data transfers from the EU to the US for law enforcement purposes. The report asks EU policymakers not to initiate any new sectoral agreements or arrangements for the transfer of personal data for law enforcement purposes and suggests suspending the terrorist finance tracking programme until the umbrella agreement negotiations are concluded.

"EU wants to use EU-US umbrella agreement...to raise the US standards, to ensure the rights of EU citizens and perhaps all the citizens. All humans will need protection under US law as is currently the case in the EU,” said Abraham. “The prohibition of blanket surveillance that the report recommends will hopefully apply to all citizens regardless of their nationality."

The draft report goes as far as suggesting suspending Safe Harbour, the legal instrument used for the transfer of EU personal data to the US through Google, Microsoft, Yahoo, Facebook, Apple and LinkedIn, until a full review has been conducted and current loopholes are plugged. The report’s proposals and recommendations are likely to be implemented after election to the European parliament in May.

In addition to reforms in the existing systems, the report outlines the importance of development of European clouds as it notes that trust in US cloud computing and cloud services providers has been affected by the surveillance practices.

"Three of the major computerized reservation systems used by airlines worldwide are based in the US and that PNR (passenger name record) data are saved in cloud systems operating on US soil under US law...lacks data protection adequacy," states the report.

C.U. Bhaskar, analyst with the South Asia Monitor think tank, was of the view that India had “adequately” responded to the US through quiet diplomacy.

"It is unlikely that the US will give up cyber surveillance,” he said, adding, “We should acquire our own capacity to ensure adequate defensive and offensive firewalls and build up appropriate capacity for our cyber programmes."

"Given our expertise in the IT (information technology) sector, as an analyst my opinion is that we have a reasonable capacity to build up our capabilities," Bhaskar added.

For more details visit https://cis-india.org/news/livemint-january-17-2014-moulishree-srivastava-elizabeth-roche-eu-parliament-slams-us-surveillance

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns

Surveillance and the Indian Constitution - Part 1: Foundations

pranesh — 2014-01-23T15:12:30Z

In this insightful seven-part series, Gautam Bhatia looks at surveillance and the right to privacy in India from a constitutional perspective, tracing its genealogy through Supreme Court case law and compares it with the law in the USA.

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

You can follow Gautam Bhatia on Twitter

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-1

Internet Monitor

praskrishna — 2014-01-09T07:33:02Z

Malavika's piece on India's Identity Crisis is published in this report.

For more details visit https://cis-india.org/internet-governance/blog/internet-monitor-2013.pdf

Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression

praskrishna — 2014-01-08T04:59:10Z

Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.

In the time when Edward Snowden is fighting for both clemency and to be known as a brave whistle blower that exposed government wrongdoing, cyber security and online privacy have never been more important. As Jacob Applebaum discussed in May last year, and CIS’ Maria Xynou presented recently in December, surveillance throughout the world is increasing. With security apparatus’ likethe NSA and now India’s Central Monitoring System, coupled with corporate data centers around the world storing our e–mails, address books, preferences, and passwords, it is easy to see how our online privacy is increasingly being threatened and often, violated.

Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent, and accountable democratic governance. This is largely because surveillance, censorship, and monitoring ultimately create environments where self-censorship is the norm, as is the fear of the government instead of spaces that allow for freedom of expression and democratic dialogue and dissent.

What I would like to accomplish my speaking at CIS is not to merely educate about the dangers posed to Internet security or to world democracy, but rather to:

Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.
Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then use them to advocate for a more open, accessible, and private cyberspace.
Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.

Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.

About the Public Intelligence Project

The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.

Michael Oghia

Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology from the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while research about topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.

Date: Tuesday, January 14, 2014
Time: 6.30 p.m. to 8.00 p.m.
Talk by: Michael Oghia
Title: Research & Advocacy Consultant, and Project Manager
Organisation: Meta-Culture / Public Intelligence Project
Websites: www.meta-culture.in <http://www.meta-culture.in> & www.publicintelligenceproject.org <http://www.publicintelligenceproject.org>

For more details visit https://cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression

Big Brother is watching you

chinmayi — 2014-01-06T09:31:22Z

India has no requirements of transparency whether in the form of disclosing the quantum of interception or in the form of notification to people whose communication was intercepted.

The article by Chinmayi Arun was published in the Hindu on January 3, 2014.

The Gujarat telephone tapping controversy is just one of many kinds of abuse that surveillance systems enable. If a relatively primitive surveillance system can be misused so flagrantly despite safeguards that the government claims are adequate, imagine what is to come with the Central Monitoring System (CMS) and Netra in place.

News reports indicate Netra — a “NEtwork TRaffic Analysis system” — will intercept and examine communication over the Internet for keywords like “attack,” “bomb,” “blast” or “kill.” While phone tapping and the CMS monitor specific targets, Netra is vast and indiscriminate. It appears to be the Indian government’s first attempt at mass surveillance rather than surveillance of predetermined targets. It will scan tweets, status updates, emails, chat transcripts and even voice traffic over the Internet (including from platforms like Skype and Google Talk) in addition to scanning blogs and more public parts of the Internet. Whistle-blower Edward Snowden said of mass-surveillance dragnets that “they were never about terrorism: they’re about economic spying, social control, and diplomatic manipulation. They’re about power.”

So far, our jurisprudence has dealt with only targeted surveillance; and even that in a woefully inadequate manner. This article discusses the slow evolution of the right to privacy in India, highlighting the context and manner in which it is protected. It then discusses international jurisprudence to demonstrate how the right to privacy might be protected more effectively.

Privacy and the Constitution

A proposal to include the right to privacy in the Constitution was rejected by the Constituent Assembly with very little debate. Separately, a proposal to give citizens an explicit fundamental right against unreasonable governmental search and seizure was also put before the Constituent Assembly. This proposal was supported by Dr. B.R. Ambedkar. If accepted, it would have included within our Constitution the principles from which the United States derives its protection against state surveillance. However, the proposed amendment was rejected by the Constituent Assembly.

Fortunately, the Supreme Court has gradually been reading the right to privacy into the fundamental rights explicitly listed in the Constitution. After its initial reluctance to affirm the right to privacy in the 1954 case of M.P. Sharma vs. Satish Chandra, the court came around to the view that other rights and liberties guaranteed in the Constitution would be seriously affected if the right to privacy was not protected. In Kharak Singh vs. The State of U.P., the court recognised “the right of the people to be secure in their persons, houses, papers, and effects” and declared that their right against unreasonable searches and seizures was not to be violated. The right to privacy here was conceived around the home, and unauthorised intrusions into homes were seen as interference with the right to personal liberty.

If the Kharak Singh judgment was progressive in its recognition of the right to privacy, it was conservative about the circumstances in which the right applies. The majority of judges held that shadowing a person could not be seen to interfere with that person’s liberty. Dissenting with the majority, Justice Subba Rao maintained that broad surveillance powers put innocent citizens at risk, and that the right to privacy is an integral part of personal liberty. He recognised that when a person is shadowed, her movements will be constricted, and will certainly not be free movements. His dissenting judgment showed remarkable foresight and his reasoning is consistent with what is now a universally acknowledged principle that there is a “chilling effect” on expression and action when people think that they are being watched.

The right to privacy as defined by the Supreme Court now extends beyond government intrusion into private homes. After Govind vs. State of M.P., and Dist. Registrar and Collector of Hyderabad vs. Canara Bank, this right is seen to protect persons and not places. Any inroads into this right for surveillance of communication must be for permissible reasons and according to just, fair and reasonable procedure. State action in violation of this procedure is open to a constitutional challenge.

Our meagre procedural safeguards against phone tapping were introduced in PUCL vs. Union of India (1997) after the Supreme Court was confronted with extensive, undocumented phone tapping by the government. The apex court found itself compelled to lay down what it saw as bare minimum safeguards, consisting mostly of proper record-keeping and internal executive oversight by senior officers such as the home secretary, the cabinet secretary, the law secretary and the telecommunications secretary. These safeguards are of little use since they are opaque and rely solely on members of the executive to review surveillance requests.

Right and safeguards

There is a difference between targeted surveillance in which reasons have to be given for surveillance of particular people, and the mass-surveillance which Netra sets up. The question of mass surveillance and its attendant safeguards has been considered by the European Court of Human Rights in Liberty and Others vs. the United Kingdom. Drawing upon its own past jurisprudence, the European Court insisted on reasonable procedural safeguards. It stated quite clearly that there are significant risks of arbitrariness when executive power is exercised in secret and that the law should be sufficiently clear to give citizens an adequate indication of the circumstances in which interception might take place. Additionally, the extent of discretion conferred and the manner of its exercise must be clear enough to protect individuals from arbitrary interference. The principles laid down by the European Court in relation to phone-tapping also require that the nature of the offences which may give rise to an interception order, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased or the tapes destroyed be made clear.

Opaque and ineffective

Our safeguards apply only to targeted surveillance, and require written requests to be provided and reviewed before telephone tapping or Internet interception is carried out. CMS makes the process of tapping more prone to misuse by the state, by making it even more opaque: if the state can intercept communication directly, without making requests to a private telecommunication service provider, then it is one less layer of scrutiny through which the abuse of power can reach the public. There is no one to ask whether the requisite paperwork is in place or to notice a dramatic increase in interception requests.

India has no requirements of transparency whether in the form of disclosing the quantum of interception taking place each year, or in the form of subsequent notification to people whose communication was intercepted. It does not even have external oversight in the form of an independent regulatory body or the judiciary to ensure that no abuse of surveillance systems takes place. Given these structural flaws, the Amit Shah controversy is just the beginning of what is to come. Unfettered mass surveillance does not bode well for democracy.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-january-3-2014-chinmayi-arun-big-brother-is-watching-you

Inventions that will make a difference

praskrishna — 2014-02-12T11:07:02Z

In an increasingly tech-driven world, what does 2014 have to offer? Geeta Padmanabhan turns the spotlight on some life-changing gadgets.

Geeta Padmanabhan's article published in the Hindu on January 1, 2014 quotes Maria Xynou.

Digiterati, have you tried Snapchat, the service that makes messages/photos/captions you send disappear in a few seconds once opened? The app with its swelling popularity among the young demands a re-think about data: do you need it around forever? In a remarkable step forward, 2014 may see Forever Internet and Erasable Internet living side by side.

What else is in store? “Your mobile devices and PCs will get more intelligent and remember your different passwords,” said J. Prasanna, AVS labs. “Advanced biometrics will enable scanning (fingerprint/retina) without devices. Sharper attack simulation on the cyber-world will force corporates to improve defence. Industrial houses will opt for more mobile devices — computers like raspberry pi — for logistics/checking. “You may not see a workstation at all!” Maria Xynou, The Centre for Internet and Society, foresees surveillance technologies getting smarter with artificial intelligence software, and people fending them off with crypto-like privacy software. “This might trigger more intrusive technologies,” she said.

Big data will grow bigger. Many of the products we depend on — Google's spell-checker, translation service, traffic maps, search-suggestions; Amazon.com's AMZN +0.13% media; Facebook’s News Feed, “friend” facilities — have come out of a huge cache of user data. But Kaspersky Lab expects cybercriminals to use refined mobile-phishing, banking-Trojans and mobile-botnets to hack and modify private information. VPN (virtual private network) services and Tor-anonymisers will become popular, demand for local encryption tools will spurt, it predicts.

Folding phones?

Now that curved display (G-Flex) is here, 2014 may bring in “roll-up or fold” smartphones/tablets to fit into our wallets. Also, with smarter tracking-tools and voice-recognition technology smartphones will become so intuitive and efficient that they may reflexively cater to our needs. “It will become a context engine — aware of where it is, where you are going, what you need,” said futurist Paul Saffo. Apple will launch the anticipated big-screen iPhones and iPads (12.9-inch or 13.3-inch), reports Digitimes. Upcoming iPhone models will have a 20mm chipset, and a choice between 4.7-inch and 6-inch display panel. But don't throw away your MacBook Air or MacPro yet.

“Prepare for a life-changing gadget,” says BBC, referring to Oculus Rift, a “consumer-focused virtual-reality headset”, to be launched by Kickstarter. You wear it and you'll see yourself running along a beach, flying in a spaceship, riding a roller-coaster, it says. Impatient for the “real” one? There are no tech hurdles to having a vehicle that is part-car, part-plane, part-drone parked outside your home, says Missy Cummings, Aeronautics/Astronautics Professor, MIT. The fly-by-wire Airbus is a drone, anyway. Automated systems with micro-second reactions will make transportation network — ground and air — safer. Your regular car will gain advanced tech features, from in-built sat-navs, parking assistance to voice-activated/touchscreen DVD players and radios.

Educator Sugata Mitra hopes to launch an entire school in the cloud — the tech-cloud. Retired teachers in remote areas will teach through Skype, classrooms will be beamed from all parts of the planet — “deep in the jungle, or high on a mountain.” Kids can just gather at one home for lessons, he said.

Robots will take longer strides in 2014. Google's Japanese start-up robot won the Darpa rescue-challenge by carrying out all the eight rescue-themed tasks ahead of rivals. Its dexterous, independent “robot army” will carry packages, push strollers. LiveScience reports Knightscope's five-foot K5 robot-cop's on-board sensor that can see, hear, touch and smell its surroundings will combine its observations with public data and use the information to predict if, when and where a crime is likely to occur. Asutosh Saxena's team at Cornell University has created a robot (PR2) programmed to free shop-assistants from drudgery — it packs purchases at check-out counters. Forrester Research's Jeff Ernst believes ICANN’s gTLD (generic top-level domain) program is a game-changer. The introduction of .brand and .category will help you choose products with ease and marketers fight off cybersquatters.

The best gift

To me the best gift of 2014 is the Copenhagen wheel. With an attached computer/sensor-aided device, this bicycle wheel monitors pedalling and activates an on-board electric-motor when you need support. Connecting wirelessly to the biker's smartphone, the device tracks distance travelled and elevation gained, shares with friends the number of calories burned, locks the wheel remotely as you walk away from the bike. An electric-hybrid bicycle!

Mark Anderson, Strategic News Service anticipates Apple's Siri-like products to get an upgrade, visualisation tools to usher in “seeing data.” Software-defined networking and storage will cause a “stampede to virtualise everything.” Technical work to break down barriers between clouds will spawn software that can run anywhere. E-mapping will include MALT (Micromapping, Advertising, Location/ID, Transactions). Indoor maps and location information will place advertising targeted at you, leading to transaction in which “your phone will direct you to where things on your shopping-list are. You pick them up, the store knows who you are, how you pay, and you’ll just walk out.”

Track these

2014 will see computers that can learn from their own mistakes.
Spending on mobile, work-collaboration and video-conferencing apps will rise.
Demand for “big data” analysts will soar.
Small start-ups will raise money more through crowdfunding, less from venture capitalists.

For more details visit https://cis-india.org/news/the-hindu-january-1-2014-geeta-padmanabhan-inventions-that-will-make-a-difference

Internet Privacy in India

elonnai — 2014-01-08T13:51:06Z

Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing.

The Changing Nature of Information

For example – the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and re-defining personal data and what type of protections personal data deserves and can be given. For example, seemingly harmless data such IP address, key words used in searches, websites visited, can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, do not know who is accessing the information, and do not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.

The Blurry Line between the Public and Private Sphere

The above example also highlights how the “sphere” of information on the internet is unclear i.e. is information posted on social media public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc. or is information posted on social media – private, and thus requires authorization for further use. For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.[1]

Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,[2] while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.[3] Indian Courts have yet to deal directly with the question of social media content being public or private information.

The Complication of Jurisdiction

The borderless nature of information flows over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example an Indian using Gmail, will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but could also be damaging to privacy in the reverse situation – where one company has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.[4] In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies such as Google, Facebook etc. accountable.[5]

Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.[6] Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.[7]

In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.

Current Policy for Internet Privacy in India

Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,[8]penalizing, hacking and fraud[9] and defining data protection standards for body corporate.[10]

Provisions that serve to dilute user privacy speak to access by law enforcement to user's personal information stored by body corporate[11] collection and monitoring of internet traffic data[12] and real time monitoring, interception, and decryption of online communications.[13] Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, if users have the right to be notified of the presence of cookies and do-not track options, the use of electronic personal identifiers across data bases, and if individuals have the right to request service providers to take down and delete their personal content.

Online Data Protection

Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, who has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.[14]

The Rules seek to provide rights to the individual with regards to their information and obligate body corporate to take steps towards protecting the privacy of consumer's information. Among other things, the Rules define “sensitive personal information' and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information ' except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”[15] and many gaps still exist. For example, the Rules apply only to:

Body corporate and not to the government
Electronically generated and transmitted information
A limited scope of sensitive personal information.
A body corporate when a contractual agreement is not already in place.

These gaps leave a number of bodies unregulated and types of information unprotected, and limits the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and if they are applying the Rules only to the use of their website or if they are also applying the Rules to their core business practices.

Cyber Cafés

In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Café’s to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.[16] Cyber Cafes must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.[17] Furthermore, Cyber Café’s must ensure that the partitions between cubicles do not exceed four and half feet in height from floor level.[18] Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.[19] In effect, the identification and retention requirements of these rules both impact privacy and freedom of expression, as cyber cafes users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users internet communications as the provision does not define:

An authorization process by which the registration agency follows to authorize individuals to conduct inspections.
Circumstances on which inspection of a Cyber Café by an authorized officer is necessary and permissible.
The process for which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.

Online Surveillance and Access

The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications[20] provide for the collection and monitoring of traffic data[21] and allow the government to set the national encryption standard.[22] In particular, the structure of these provisions and the lack of safeguards incorporated, serve as a dilution to user privacy. For example, though these provisions create a framework for interception they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.

Scope of Surveillance and Access

The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July 8,736 phones and e-mail accounts were under lawful surveillance.[23]

Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachel Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.[24] This demonstrates that there are instances of when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.

Demonstrating the tensions between right to privacy and governmental access to communications, and at the same time highlighting the issue of jurisdiction was the standoff between RIM/BlackBerry and the Indian Government. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.[25]

The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.

Future frameworks for privacy in India: The Report of the Group of Experts on Privacy

In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.[26] The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.

The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint the privacy commissioner or going before a court.

The nine national privacy principles include:

Notice: Principle 1: Notice

A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:

During Collection

What personal information is being collected;
Purposes for which personal information is being collected;
Uses of collected personal information;
Whether or not personal information may be disclosed to third persons;
Security safeguards established by the data controller in relation to the personal information;
Processes available to data subjects to access and correct their own personal information;
Contact details of the privacy officers and SRO ombudsmen for filing complaints.

Other Notices
Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

Example of Implementation: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processers, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.

Principle 2: Choice and Consent

A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.

Example of implementation: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent before processing information, does not need to be taken.

Principle 3: Collection Limitation

A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.

Example of Implementation: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.

Principle 4: Purpose Limitation

Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.

Example of Implementation: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.

Principle 5: Access and Correction

Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.

Example of Implementation: An individual who has opened a bank account, has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.

Principle 6: Disclosure of Information

A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.

Example of Implementation: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.

Principle 7: Security

A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.

Example of Implementation: If a company is a telecommunication company, it must have security measures in place to protect customers communications data from loss, unauthorized access, destruction, use, processing, storage, modification, denanonmyization, unauthorized disclosure, or other forseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing clear chain of custody for the handling and processing communications data.

Principle 8: Openness

A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.

Example of Implementation: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.

Principle 9: Accountability

The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.

Example of Implementation: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.

Public Discourses on Privacy

In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.

The Unique Identification Project

One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,[27] privacy has been a driving force behind the concerns about the project. Arguing that not only does the UID Bill not have sufficient privacy safeguards in its provisions[28] but the design of the project and the technology of the project places individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.

The Human DNA Profiling Bill

In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.[29]

Surveillance

For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.

The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments and what information surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.

A Privacy Legislation for India

Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.[31] In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.[32] Presently, the Department of Personnel and Training is drafting the text of the Governments Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.[33] From April 2013 – October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback to a privacy framework in India. Topics discussed during the meetings included, how to define sensitive personal information vs. Personal information, if co-regulation should be a model adopted as a regulatory framework, and what should be the legal exceptions to the right to privacy.[34]

Conclusion

Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.

[1]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/

[2]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml

[3]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us

[4]. http://www.bbc.co.uk/news/technology-24744695

[5]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece

[6]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1

[7]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece

[8]. ITA section 67

[9]. ITA section 43, 66, and 66F

[10]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.

[11]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)

[12]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009

[13]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009

[14]. Ibid footnote 6

[15]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html

[16]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf

[17]. Guidelines for Cyber Cafe Rules 5(4)

[18]. Guidelines for Cyber Cafe Rules 5(6)

[18]. Guidelines for Cyber Café Rules 5(6)

[19]. Guidelines for Cyber Café Rules 7(1)

[20]. Ibid footnote 9

[21]. Ibid footnote 8

[22]. ITA section 84A

[23]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act

[24]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime

[25]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/

[26]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[27]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf

[28]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/

[29]. http://www.epw.in/authors/elonnai-hickok

[30]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf

[31]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/

[32]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[33]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft

[34]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

For more details visit https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india