Centre for Internet and Society

Messaging apps find another foe in India’s market regulator

praskrishna — 2013-06-05T10:46:32Z

Paranoid governments and mobile operators aren’t the only one that dislike messaging apps. Regulatory bodies aren’t crazy about them either. The Securities and Exchange Board of India (SEBI) is worried that attempts to pass on confidential information or manipulate markets are originating from within services like WhatsApp and Blackberry Messenger.

This blog post was published in Quartz on May 8, 2013. Elonnai Hickok is quoted.

The regulator already analyzes data from trades for irregularities through its “integrated market surveillance system”. That gives it an idea of what stocks are being manipulated. Now it wants to expand its horizons. The Press Trust of India reports that SEBI has looked into tracking Twitter and Facebook and is grappling with messaging apps—though as yet it has no systems in place for doing either, according to Elonnai Hickok of the Center for Internet Studies in Bangalore. A SEBI spokesperson could not be reached for comment.

Even if SEBI did start following you on Twitter, it cannot snoop on your WhatsApp messages. That sort of power is the preserve of intelligence and police authorities. And there is good reason for SEBI’s restricted powers. Keeping the markets clean may be an honorable pursuit, but the regulator hasn’t always used honorable means.

India’s finance minister last year said that SEBI would be allowed to request call records, which are the data kept by operators about who called whom, for how long and from where. Such information can help investigators discover sources of leaked information. It can also be used to figure out whether traders are trying to influence other investigators. But a freedom-of-information request recently revealed that SEBI had been requesting—and receiving—such data from carriers at least since 2009, well before it was supposedly allowed to do so.

For more details visit https://cis-india.org/news/quartz-may-8-2013-leo-mirani-messaging-apps-find-another-foe-in-indias-market-regulator

Celebrating 5 Years of CIS

praskrishna — 2014-02-25T09:15:58Z

The Centre for Internet & Society (CIS) is celebrating 5 years of its existence with an exhibition showcasing its activities and accomplishments. The exhibition will be held at its offices in Bangalore and Delhi from May 20 to 23, 2013.

Download all the posters exhibited during the recent exhibition here.

As a move to promote transparency, CIS is inviting the general public to be its auditors by throwing open its account books and contracts which show how it has spent the Rs. 13.13 crores received from its donors. The four-day event will see renowned artists like Kiran Subbaiah, Tara Kelton, Navin Thomas and Abhishek Hazra featuring their work and also giving live demonstrations.

Agenda

Open exhibition on all the 4 days from 10.00 a.m. to 8.00 p.m., in Bangalore and Delhi. The evening programmes will be held in Bangalore. Dinner will be served right afterwards.

Evening Programmes

May 20, 2013

18.00 19.00	Why did I buy a set-top box?: What we know, don't know and need to know about Digitalisation — A Talk by Vibodh Parthasarathi Why are we being asked to install set-top boxes? How will this change what we want, and pay for, on TV? Grappling with these questions, the talk will evaluate the rationale of the digital migration in cable currently underway, and the less talked about digital migration being planned for the public broadcaster. These scarcely debated and often contentious issues form the core of a recent Country Report on the Media in India, anchored by the speaker. The India Country Report, the first inter-sectoral and policy oriented study of our electronic media landscape, finds the ongoing digitalisation of cable, the infusion of digital tools in the press and the proposed digital switchover of the public broadcaster, posing varied challenges not only to journalism but to public interest at large. This report is part of a global initiative, Mapping Digital Media, examining opportunities and risks amidst the transitions to a digital media ecology across 50 countries. Video
19.00 19.30	Film Screening on Cyber Cafes of Rural India by Video Volunteers Video Volunteers in partnership with CIS have been documenting the cyber cafes of rural India. Kamini Menon and Christy Raj will do the screening of seven 2-minute films: Cyber Cafe Trends Slowly Changing in Imphal by Achungmei Kamei (Manipur) Transgender Interaction with Cyber Cafes by Christy Raj (Karnataka) Cyber Cafes Prevail Over Mobile Phones in Nagaland by Meribeni Kikon (Nagaland) Mobile Technology Threatens Cyber Cafes in HP by Avdhesh Negi (Himachal Pradesh) Cyber Cafe Visit - A Day's Journey by Saroj Paraste (Madhya Pradesh) The Challenges of Establishing Cyber Cafes by Rohini Pawar (Maharashtra) The Community Service Centre - Myth or Reality? by Neeru Rathod (Gujarat) Video
19.30 20.00	Hindustani Classical Performance by Aditya Dipankar
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283 Prasad Krishna (prasad@cis-india.org).

May 21, 2013

18.00 19.00	Screening of Sabaka A young elephant trainer in India vows revenge against the cult that killed his family. He seeks help from the local Maharajah who refuses, and he sets out alone to battle the enemy... Sabaka is a 1954 film produced and directed by Frank Ferrin starring Boris Karloff, Reginald Denny, June Foray, et.al.
19.00 20.00	Slouching towards Tlön: An Encyclopedia for the 2nd century of Indian cinema — A Talk by Lawrence Liang Ashish Rajadhyaksha and Paul Willemen’s Encyclopedia of Indian cinema (1994) marked an important moment for the study of Indian film history. In the two decades since its publication we have seen a rise in the academic community working on Indian film history along with the rise of various new archival initiatives online. Materials that were hitherto unavailable have also made their way into the public domain via the efforts of film historians, cinephiles and other enthusiasts. It is perhaps fitting to think about what a collaborative encyclopedia of Indian cinema for the 21st century may look like. Using Rajadhayksha and Willemen’s Encyclopedia as a base, Lawrence has been working on an online version that incorporates moving images, photographs and archival materials and his presentation will open up questions of how one thinks of an online encyclopedia as well as larger conceptual questions of the relationship between the encyclopedias, the internet and moving image archives. Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283, Prasad Krishna (prasad@cis-india.org).

May 22, 2013

Cybersecurity, Privacy and Surveillance

18.00 18.30	“The Indian Surveillance State”— A Talk by Maria Xynou The Central Monitoring System confirms that, starting from last month ‘Big Brother’ is a reality in India. But how do authorities get the tech to spy on us? Maria has started investigating surveillance technology companies operating in India. So far, 76 companies have been detected which are producing and selling different types of surveillance gear to Indian law enforcement agencies. Join us to see India´s first investigation of who is aiding our watchers! Video
18.30 19.00	Why Privacy and How? A Talk by Bernadette Langle "But I have nothing to hide!" That's what most people think. Are you sure? What about all the services you use for free, don't you think the service provider has to spend money on that, and that he needs to earn it somehow? Bernadette will show some alternatives and also how easy it can be, to put your messages in a virtual private envelope as you use to do with messages on paper. Video
19.00 19.45	Cyber Security Preview — Presentation by Laird Brown and Purba Sarkar CIS in cooperation with Citizen Lab, Munk School of Global Affairs at the University of Toronto, is developing a film project on cyber security in India from a civil society perspective. Laird will show the preview of the project. The preview will include an overview of the project along with a video footage from the first series of interviews. Video
19.45 20.00	Faking of Fingerprints: A Presentation by Bernadette Langle Bernadette will give a brief presentation on how easy it is to fake a fingerprint. Afterwards you can get hands-on. Fake a fingerprint yourself and take it with you to your home. Video Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283, Prasad Krishna (prasad@cis-india.org).

May 23, 2013

Kannada Language and IT

18.00 18.15	Kannada in Modern Era: A Guest Talk by Dr. Chandrashekhara Kambara Dr. Chandrashekhara will be the chief guest for this session and will give a guest lecture. Video
18.15 19.30	From Palm Leaf to Tablet – Journey of Kannada: A Talk by Dr. U.B. Pavanaja Kannada language which has a history of 2000 years and quite rich in literature started on palm leaves. Kannada advanced with modern times adopting the marvels of Information Technology. This is accomplished by successfully implementing Kannada in various facets of IT. It is being used everywhere from data driven applications to websites to hand held devices like tablets. These aspects will be brought out during the talk. Summary in Kannada: ತಾಳೆಗರಿಯಿಂದ ಟ್ಯಾಬ್ಲೆಟ್ ತನಕ ಕನ್ನಡದ ಪಯಣ ಸುಮಾರು ಎರಡು ಸಾವಿರ ವರ್ಷಗಳ ಭವ್ಯ ಇತಿಹಾಸವಿರುವ ಕನ್ನಡ ಸಾಹಿತ್ಯದ ಉಗಮ ತಾಳೆಗರಿಗಳ ಮೇಲೆ ಆಯಿತು. ಕನ್ನಡ ಭಾಷೆಯು ಆಧುನಿಕ ಮಾಹಿತಿ ತಂತ್ರಜ್ಞಾನದ ಅದ್ಭುತ ಕೊಡುಗೆಗಳನ್ನು ತನ್ನದಾಗಿಸಿಕೊಂಡು ಬೆಳೆಯಿತು. ಮಾಹಿತಿ ತಂತ್ರಜ್ಞಾನದ ಎಲ್ಲ ಅಂಗಗಳಲ್ಲಿ ಕನ್ನಡವನ್ನು ಅಳವಡಿಸಿ ಬಳಸಿಕೊಳ್ಳುವುದರ ಮೂಲಕ ಇದು ಸಾಧ್ಯವಾಯಿತು. ಆನ್ವಯಿಕ ತಂತ್ರಾಂಶವಿರಲಿ, ಪ್ರತಿಸ್ಪಂದನಾತ್ಮಕ ಜಾಲತಾಣವಿರಲಿ, ಕೈಯಲ್ಲಿ ಹಿಡಿದು ಕೆಲಸ ಮಾಡುವ ಟ್ಯಾಬ್ಲೆಟ್ ಇರಲಿ –ಎಲ್ಲ ಕಡೆ ಕನ್ನಡದ ಬಳಕೆ ಆಗುತ್ತಿದೆ. ಈ ಎಲ್ಲ ವಿಷಯಗಳ ಕಡೆ ಒಂದು ಪಕ್ಷಿನೋಟವನ್ನು ಈ ಭಾಷಣದಲ್ಲಿ ನೀಡಲಾಗುವುದು. Video
19.30 20.00	Carnatic Music Performance by Nirmita Narasimhan Video
20.00	Dinner
RSVP: Bernadette Längle (bernadette@cis-india.org), Ph: +91 80 4092 6283 Prasad Krishna (prasad@cis-india.org).

About the Speakers

Vibodh Parthasarathi	Vibodh Parthasarathi works with the Centre for Culture and Media Governance, Jamia Millia Islamia, New Delhi. He is also a Board Member at the Centre for Internet and Society, Bangalore. He maintains a multidisciplinary interest in media and development policy, business history of creative industries, and governance of media infrastructure. At the Centre for Culture, Media & Governance, Jamia Millia Islamia, New Delhi, his ongoing research addresses media policy literacy, the TV news industry and the digital switchover in India. He is the co-editor of the critically acclaimed tri-series on Communication Process (Sage).
Lawrence Liang	Lawrence Liang is the Chairman of the Board at the Centre for Internet and Society. He is a graduate of the National Law School. He subsequently pursued his Masters degree in Law and Development at Warwick, on a Chevening Scholarship. His key areas of interest are law, technology and culture, the politics of copyright and he has been working closely with Sarai, New Delhi on a joint research project Intellectual Property and the Knowledge/Culture Commons. A keen follower of the open source movement in software, Lawrence has been working on ways of translating the open source ideas into the cultural domain. He has written extensively on these issues and is the author of The Public is Watching: Sex, Laws and Videotape and A Guide to Open Content Licenses. Lawrence has taught at NLS, the Asian College of Journalism, NALSAR, etc., and is currently working on a Ph.D. on the idea of cinematic justice at Jawaharlal Nehru University.
Maria Xynou	Maria Xynou is a Policy Associate on the Privacy Project at the CIS. She has previously interned with Privacy International and with the Parliament of Greece. Maria holds a Master of Science in Security Studies from the University College London (UCL).
Bernadette Langle	Bernadette Längle recently graduated in social and cultural anthropology, philosophy and computer science. She is also a so-called hacktivist together with one of the oldest hacker associations of the world, the Chaos Computer Club, having a lot of influence in German politics. As one of the core-team organizer of Chaos Communication Congress in Germany she also has a lot of experience in organizing events.
Laird Brown	Laird Brown is a strategic planner and writer. His core competencies are brand analysis, public relations, and resource management. Laird has worked at the United Nations in New York; high-tech ventures in North America, Europe, and India; and, is a guest speaker at ICT conferences internationally. He is currently working on a film project for CIS on cyber security in India with Purba Sarkar.
Purba Sarkar	Purba Sarkar is an associate producer with the cyber security film project. She holds a Bachelor in Technology degree from West Bengal University of Technology. Purba worked as a strategic advisor in the field of SAP Retail for 4 years before joining CIS in January, 2013.
Dr.Chandrashekhara Kambara	Dr. Chandrashekhara Kambara is a prominent poet, playwriter, folklorist, film director in Kannada language. He is also the founder-vice-chancellor of Kannada University in Hampi. He is known for his effective usage of North Karnataka dialect of Kannada language in his plays and poems and is often compared with D.R. Bendre. He has been conferred with many prestigious awards including the Jnanpith Award (the highest literary honour conferred in India) in 2011 for the year 2010, the Sahitya Akademi Award, the Padma Shri by Government of India, Kabir Samman, Kalidas Samman and Pampa Award. After his retirement, Kambara was nominated Member of Karnataka Legislative Council, to which he made significant contributions through his interventions.
Dr. U.B. Pavanaja	Dr U B Pavanaja holds a Master’s degree from Mysore University and Ph.D. from Mumbai University. He was a scientist at the Bhabha Atomic Research Centre, Mumbai, for about 15 years. He has done advanced research in Taiwan. He resigned from BARC in 1997 and dedicated himself fully for the cause of Computer and Indian languages. He has to his credit many firsts, viz., first Kannada website, first Kannada online magazine, first Indian language (Kannada) website to receive Golden Web Award, first Indian language (Kannada) editor for Palm OS, first Indian language (Kannada) editor for WinCE device (HP Jornado 720), first Indian language version (Kannada) of universally popular Logo (programming language for children) software, etc. His Kannada logo won the Manthan Award for the year 2006. He was a member of the technical advisory committee setup by the Govt. of Karnataka for Standardization of Kannada on Computers (2000). He is also a member of the Kannada Software Committee of Govt. of Karnataka (2008-current).

The Artists

Kiran Subbaiah	Kiran Subbaiah studied sculpture at Santiniketan, MSU Baroda and the RCA London. He was an artist in residence at the Rijksakademie Amsterdam where he worked on art that incorporated informatics and electro-mechanics. He is also known for making videos using custom-built tools that enable him to perform multi-person film-making tasks single-handed. His art is shown extensively in India and abroad. Subbaiah is based in Bangalore and is represented by the Chatterjee and Lal gallery in Mumbai. Kiran will present the Spectator, a robot that can sense the presence of human beings around it. It tries to appreciate them as works of art.
Tara Kelton	Tara Kelton is an artist and designer. She has been living in Brooklyn, USA and Bangalore, India for the last three years. She received her MFA from the Yale School of Art in 2009. Kelton’s video, print, and web-based works investigate moments in which technology alters our perception of the physical world. Kelton has taught at the Srishti School of Art, Design, and Technology and has recently exhibited her work at Vox Populi (USA), Franklin Street Works (USA), GALLERYSKE (Bangalore) and the India Design Forum (Mumbai). Tara will present Trace, a surveillance camera feed drawn in real-time by anonymous online workers.
Navin Thomas	Navin Thomas is a multimedia artist and a professional scrap market junkie, he spends a good quality of his precious time looking for obscure cultural misfits... after destroying most of himself in the 90's, he now spends his time restoring your mother's brother’s tin space toys and other unusual situations.
Abhishek Hazra	Abhishek Hazra approaches his art with a particular emphasis on the study of the historiography of science. He uses videos and prints that often integrate textual fragments drawn from real and fictional scenarios. He has previously exhibited and performed at Science Gallery, Dublin, HEART Herning Museum of Contemporary Art, Denmark, Astrup Fearnley Museum of Modern Art, Oslo, Casino Luxembourg Forum d’art Contemporain, Experiment Marathon Reykjavik, Reykjavik Art Museum and Kunstmuseum Bern. Abhishek was most recently an artist in residence at SymbioticA, the Centre for Excellence in Biological Arts, University of Western Australia, Perth. It was first performed as part of Beam Me Up, curated by Reinhard Storz and Gitanjali Dang, which was acknowledged by Pro Helvetia, New Delhi and German Book Office, New Delhi. Abhishek will be presenting #cloudrumble56 (attempted to re-animate sections of the Indian parliamentary archives — specifically, the transcripts of the scientist M.N. Saha's (1893-1956) interventions — through a performance that was transmitted only through live tweets on Twitter).
Aditya Dipankar	Aditya Dipankar started fiddling with music at the age of 4 when he started learning the tabla and then went on to play it for a long time. Years later, he discovered his strong inclination towards singing. Now, under the noble guidance of Pandit Vijay Sardeshmukh (Senior disciple of Pandit Kumar Gandharva), he is trying to understand the simplicity and spontaneity in the rich tradition of Hindustani classical music.
Nirmita Narasimhan	Nirmita Narasimhan is a Policy Director at CIS and works on accessibility for persons with disabilities. She was awarded the national award for empowerment of persons with disabilities by the President of India and also received the NIVH Excellence Award. Nirmita Narasimhan is a disciple of Dr. Radha Venkatachalam and renowned maestro Prof. T.R. Subramanyam. She began learning music at the age of 5 and went on to complete her Ph.D. in this subject from the Delhi University. Nirmita has been performing since 1995 and received several accolades such as the Sahitya Kala Parishad Scholarship and prizes in several competitions. She received the Gold medal in MA for standing first in the University and also stood first in MPhil. She has released a CD on Ponnayya Pillai compositions and also sung in an album of varnams. Nirmita has performed in different places in India such as Delhi, Chennai, Tirupathi and Bangalore as well as in Singapore and has also given several thematic concerts such as Eka Raga Sandhya and Pallavi concerts.
Sharath Chandra Ram	Sharath Chandra Ram (Sharathchandra Ramakrishnan) has interests in multimodal art, cognitive science, accessibility, digital humanities and network cultures. He is a faculty at the Centre for Experimental Media Arts at the Srishti School of Art Design and Technology. At the Centre for Internet and Society he helped set up and manage activities at the Metaculture Media Lab : an open hackerspace and alternative platform for research and exchange. His writings and musings at CIS maybe found here: http://cis-india.org/author/sharath He graduated from the University of Edinburgh with a degree in Artificial Intelligence specializing in interactive virtual environments. Previously as a Research Associate at the National Institute of Mental Health and Neurosciences he received a special mention award at the International Conference on Consciousness (2012) held at the National Institute of Advanced Studies for his work on ‘Cross modal Integration’. As an amateur radio broadcaster, he is a proponent of the free use of airwaves for relief work, education and transmission art. He has also been a development related radio journalist (PANOS @ Nepal, Voices UNDP@Bangalore), speaker at the International Ham Radio Convention (Port Blair, 2006) and as a film enthusiast has been a Press Reviewer for the Edinburgh International Film Festival.

Locations

Bangalore

Centre for Internet and Society
No. 194, Second 'C' Cross, Domlur,
2nd Stage, Bangalore - 560071,
Karnataka, India
Ph: +91 80 4092 6283
Fax: +91 80 2535 0955

Delhi

Centre for Internet and Society
G 15, Top floor
Behind Hauz Khas, G Block Market
Hauz Khas,
New Delhi 110016
Ph: + 91 011 40503285

Event Brochure

Event Flier

Event Posters/Banners and Videos

Accessibility

National Resource Kit (PDF, PNG)
NVDA E-Speak (PDF, PNG)
International Collaborations (PDF, PNG)
Partners (PDF, PNG)
Publications (PDF, PNG)
Timeline (PDF, PNG)
Inclusive Planet (PDF, PNG)

In the below video Anandhi Viswanathan gives a demo of the National Resource Kit project and Rameshwar Nagar gives a demo of the NVDA and ESpeak (Text-to-Speech) project during the exhibition.

Access to Knowledge

Broadcast Treaty (PDF, PNG)
Copyright (PDF, PNG)
Software Patent 1 (PDF, PNG)
Software Patent 2 (PDF, PNG)
Pervasive Technologies (PDF, PNG)

Access to Knowledge (Wikipedia)

Factsheet (PDF, PNG)
Reaching Out (PDF, PNG)
Outreach (PDF, PNG)
Bridging Gender Gap (PDF, PNG)
Press Coverage (PDF, PNG)
Education Programmes (PDF, PNG)
Team Achievements (PDF, PNG)
Visualization (PDF, PNG)

Openness

Open Access to Scholarly Literature (PDF, PNG)
Open Access to Law (PDF, PNG)
Open Standards (PDF, PNG)
Free/Open Source Software (PDF, PNG)

Internet Governance (Free Speech)

Blocking of Websites (PDF, PNG)
Freedom of Speech (PDF, PNG)
Intermediary Liability (PDF, PNG)
Internet Governance Forum (PDF, PNG)

Internet Governance (Privacy)

Privacy Events (PDF, PNG)
Timeline (PDF, PNG)
UID (1) (PDF, PNG)
UID (2) (PDF, PNG)
DNA (1) (PDF, PNG)
DNA (2) (PDF, PNG)

Telecom

Institutional Framework for Indian Telecommunication (PDF, PNG)
Growth of Telecom Industry in India (PDF, PNG)
Delicensed Spectrum (PDF, PNG)
Spectrum Sharing (PDF, PNG)

RAW Monographs

Archives and Access (PDF, PNG)
Internet, Society and Space in Indian Cities (PDF, PNG)
The Last Cultural Mile (PDF, PNG)
Porn, Law, Video Technology (PDF, PNG)
Re:Wiring Bodies (PDF, PNG)
Community Informatics and Open Government Data (Special Issue) (PDF, PNG)

News and Media

Media Coverage (PDF, PNG)
Organizational Chart (PDF)

For more details visit https://cis-india.org/internet-governance/events/celebrating-5-years-of-cis

Consilience – 2013

praskrishna — 2013-11-20T06:15:15Z

The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013′, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.

Theme: Data Protection and Cyber Security in India. Click to read the report here.

Topics:
Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”

a. What is the scope of the principles/framework?

b. What could be the strengths and limitation of their application?

c. How does Report define privacy for India?

d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?

India and the EU: The Privacy Debate

a. How does the Indian data protection regime differ from the EU regime?

b. Was the EU is justified in not accepting India as a data secure country? Reason for or against.

c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?

d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?

Governmental Schemes, Data Protection, and Security

a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?

b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)

c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?

d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?

Contracts and Data Protection in India

a. How are contracts used to ensure data protection in India? What actors use contracts?

b. Are there weaknesses in using contracts to ensure data protection standards?

c. Do contracts address questions brought about from technology like the cloud?

Cyber security in India

a. What are the perceived challenges and threats to cyber security in India?

b. Are these currently being addressed through policy/projects? If yes, how so?

c. How does India’s cyber security regime compare to other countries?

Surveillance and Cyber Security

a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?

b. If so – through what policy, projects, legislation?

c. Do the relevant policies, projects, and legislation impact privacy? How so?

The Draft National Cyber Security Policy

a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?

b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?

c. How does the Draft National Cyber Security Policy compare to other countries cyber security policies?

Word Limit:

Abstract: 750-800 words

Paper: 2,500 words

Deadlines:

Abstract Submission: April 30, 2013

Paper Submission: May 15, 2013

Contact Details:

consilience2013[at]gmail[dot]com

Mohak Arora: +91-90359-21926

Shivam Singla: +91-99167-08701

Each participant is required to submit an abstract on any one of the seven topics above and can choose the specific issue within the selected topic to discuss.

For additional details, click here.

For more details visit https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore

The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!

maria — 2013-07-12T11:59:10Z

Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out!

This blog post has been cross-posted in Medianama on May 8, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

So yes, we live in an Internet Surveillance State. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?

Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it lacks privacy legislation which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.

The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?

A glimpse of the surveillance industry in India

In light of the UID scheme, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network System (CCTNS) and the Central Monitoring System (CMS), who supplies law enforcement agencies the technology to surveille us?

In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies simultaneously produce internet monitoring software and encryption tools! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.

Companies selling surveillance technology in India are listed in Table 1. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.

Table 2 shows the types of surveillance technology produced and sold by these 76 companies.

The graph below is based on Table 2 and shows which types of surveillance are produced the most by the 76 companies.

Graph on types of surveillance sold to law enforcement agencies by 76 companies in India

Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the UID scheme which is rapidly expanding across India. Only one company from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the Central Monitoring System (CMS), especially since the project would have to monitor and mine Big Data.

On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since the majority of the population in India does not even have Internet access. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while more than half the population owns mobile phones. Seeing as companies, such as ClearTrail Technologies and Shoghi Communications, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.

Did you Know:

CARLOS62 on flickr

WSS Security Solutions Pvt. Ltd. is north India´s first CCTV zone
Speck Systems Limited was the first Indian company to design, manufacture and fly a micro UAV indigenously
Mobile Spy India (Retina-X Studios) has the following mobile spying features:

SniperSpy: remotely monitors smartphones and computers from any location

Mobile Spy: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces

4. Infoserve India Private Limited produces an Internet monitoring System with the following features:

Intelligence gathering for an entire state or a region
Builds a chain of suspects from a single start point
Data loss of less than 2%
2nd Generation Interception System
Advanced link analysis and pattern matching algorithms
Completely Automated System
Data Processing of up to 10 G/s
Automated alerts on the capture of suspicious data (usually based on keywords)

5. ClearTrail Technologies deploys spyware into a target´s machine
6. Spy Impex sells Coca Cola Tin Cameras!
7. Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and Lighter Video Cameras to name a few...
8. Raviraj Technologies is an Indian company which supplies RFID and biometric technology to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?

Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further oppression within these countries

Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards

“I´m not a terrorist, I have nothing to hide!”

r1chardm on flickr

It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:

“I´m not a terrorist, I have nothing to hide!”

Indeed. You may not be a terrorist...and you may think you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?

Last year at the linux.conf.au, Jacob Appelbaum stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. Bruce Schneier has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.

That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, we are all potentially suspects. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called ´risky information´. As long as our data is being surveilled, we are all suspects, which means that we can all potentially be arrested, interrogated and maybe even tortured, just like any other criminal suspect.

But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.

Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The market appears to demand for surveillance technologies because a pre-existing surveillance culture has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as 3M, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that surveillance is being socially integrated. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.

By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as NATGRID and the CMS in India- or by handing over our data, we are fuelling the surveillance state. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution and of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.

Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because India lacks privacy legislation which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.

Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as Raviraj Technologies, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus export controls are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.

Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even murdered in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.

For more details visit https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers

April 2013 Bulletin

praskrishna — 2013-05-31T08:07:38Z

The Centre for Internet & Society (CIS) welcomes you to the fourth issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Celebrating 5 Years of CIS
We at the Centre for Internet and Society celebrate 5 years of existence with an exhibition showcasing our work and accomplishments over this time. The exhibition will be held concurrently at both our Bangalore and Delhi offices from May 20 to 24, 2013, from 10 a.m. to 8 p.m.

Google Policy Fellowship
CIS is inviting applications for the Google Policy Fellowship programme. Google is providing a USD 7,500 stipend to the India fellow who will be selected by July 1, 2013. Fellowship focus areas include Access to Knowledge, Openness in India, Freedom of Expression, Privacy, and Telecom Send in your applications for the position by June 15, 2013.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org. CIS also invites applications for the post of Programme Officer (Access to Knowledge, Pilot Projects). To apply for this position send your resume to vishnu@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

National Resource Kit for Persons with Disabilities
Anandhi Viswanathan from CIS and Manojna Yeluri from the Centre for Law and Policy Research are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapters on Himachal Pradesh, Goa, Jammu and Kashmir and Rajasthan:

The Himachal Pradesh Chapter (by Anandhi Viswanathan, April 30, 2013).
Goa Chapter (by Anandhi Viswanathan, April 30, 2013).
The Jammu & Kashmir Chapter (by Anandhi Viswanathan, April 30, 2013).
The Rajasthan Chapter (by Manojna Yeluri, April 30, 2013).

Note: All of these are early drafts and will be reviewed and updated.

Events Organised

Girls in ICT Day (April 25, 2013, Mitra Jyothi Auditorium, HSR Layout, Bangalore). Dr. U.B. Pavanaja gave a talk on Social Media and Kannada Language for Women with Disabilities. Sara Morais wrote an event report.
Global Accessibility Awareness Day (May 9, 2013, TERI, Southern Regional Centre, Domlur, Bangalore).

Announcement

CIS Gets ITU-D Sector Membership: CIS has become a sector member of ITU-D.

Access to Knowledge and Openness

The Wikimedia Foundation awarded CIS a two year grant of INR 26,000,000 to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Wikipedia
Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon and Subhashish Panigrahi, and one team member Dr. U.B. Pavanaja who is working from Bangalore office. Noopur Raval, Programme Officer has left the organisation. April 24, 2013 was her last working day.

Indic Wikipedia Visualisation Project

Indic Wikipedia Visualisation Project #2: Visualising Page Views and Project Pages.

Blog Entries

Indian WikiWomen celebrate Women’s History Month (by Netha Hussain, April 29, 2013).
Analysis of Konkani Wikipedia: Facts & Challenges (by Nitika Tandon, April 30, 2013).
Odia Wikipedia: Needs Assessment (by Subhashish Panigrahi, April 30, 2013).

Event Organised

Kannada Wikipedia Workshop (April 29, 2013, Govinda Pai Research Centre, MGM College Udupi). Dr. U.B. Pavanaja led the workshop and gave a talk on Kannada Wikipedia.

Events Co-organised
The following events were organised in the month of March but reports were written during the month of April. Vishnu Vardhan and Subhashish Panigrahi held meetings with wikipedians:

Kolkata Wiki Community Meetup (organised by CIS and Kolkata Wiki Community, March 14, 2013).
Odia Wikipedia - Cuttack Community Meetup (organised by CIS and Odia Wiki Community, Cuttack, March 16, 2013).
Odia Wikipedia – Bhubaneswar Community Meetup (organised by CIS and Odia Wiki Community, Bhubaneswar, March 17, 2013).

The following event was organised in the month of April. We will be publishing the report soon:

Telugu Wiki Mahotsavam 2013 (organised by Telugu Wikipedia Community and CIS, Hyderabad, April 9 – 11, 2013). Vishnu Vardhan was one of the trainers at the Wikipedia Academy at Centre for Good Governance on April 9, 2013. Vishnu Vardhan spoke about the Access to Knowledge work in one of the sessions of Wikimedia Meeting with Media Heads on April 10, 2013. Vishnu Vardhan gave a talk on A2K’s plans for the growth of Telegu Wikipedia in 2013-14 at the Telegu Wikipedia general meeting on April 11, 2013. Vishnu Vardhan also gave a talk about Access to Knowledge in the digital era at the Wiki Chaitanya Vedika on April 11, 2013.

Other Access to Knowledge Updates

WIPO

CIS Intervention on the Treaty for the Visually Impaired at SCCR/SS/GE/2/13 (Geneva, April 18 – 20, 2013). Pranesh Prakash participated in the session and spoke about the rights of the visually impaired.

Internet Governance

The Internet Governance programme conducts research around the various social, technical, and political underpinnings of global and national Internet governance, and includes online privacy, freedom of speech, and Internet governance mechanisms and processes. Currently, CIS is doing a project with Privacy International, London to facilitate research and events around surveillance, and freedom of speech and expression.

Information Technology

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison (by Jadine Lannon, April 27, 2013).
Indian Telegraph Act, 1885, 419A Rules and IT (Amendment) Act, 2008, 69 Rules (by Jadine Lannon, April 28, 2013).
IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).
IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).

Resources
The below rules were published recently:

Newspaper Column

Off the Record (by Nishant Shah, Indian Express, April 6, 2013).

Privacy

India´s ´Big Brother´: The Central Monitoring System (CMS) (by Maria Xynou, April 8, 2013).

Events Organised
Maria Xynou gives an overview of the discussions and recommendations from the privacy round tables held in Delhi and Bangalore:

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Announcements

2nd Expert Committee meeting on draft 'Human DNA Profiling Bill 2012': The Department of Biotechnology has constituted an Expert Committee to discuss various issues of this Bill in detail. Sunil Abraham has been nominated as one of the members of this Committee. A meeting of this Expert Committee has been scheduled for May 13, 2013 under the Chairmanship of Dr. T. S. Rao, Adviser, DBT.
Chinmayi Arun is one of the international experts supporting the Internet & Jurisdiction project, a global multi-stakeholder dialogue process.

Upcoming Events

A Privacy Round Table in Chennai (co-organised with Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry, Residency Towers, Sir Thyagaraja Road, T Nagar, Chennai, May 18, 10.30 a.m. to 4.00 p.m.).
Consilience – 2013 (National Law School of India University, Bangalore, May 26 – 27, 2013).

Other Event Hosted

Or-bits.com — A Talk by Marialaura Ghidini (CIS, Bangalore, April 19, 2013). Marialaura Ghidini gave a talk abou the creation and activities of or-bits.com, a web-based curatorial platform that she founded in 2009.

News and Media

Clarify and define terms in IT rules, panel tells govt. (by Prashant Jha, Hindu, April 1, 2013).
India takes its first serious step toward privacy regulation – but it may be misguided (Privacy Surgeon, April 9, 2013).
Regulating Social Media: Unrealistic, Impossible, Necessary? (NDTV, April 11, 2013). Pranesh Prakash participated in a discussion on social media aired on NDTV.
Social media may influence 160 LS seats in 2014 (by Zia Haq, Hindustan Times, April 12, 2013).
Vote: Will Social Media Impact the Election? (by R. Jai Krishna, Wall Street Journal, April 15, 2013).
Untangling the web of India's 'ungovernable' Net (Deutsche Welle, April 15, 2013).
CIS in GNI Annual Report (April 25, 2013). CIS gets mentioned in GNI Annual Report. Sunil Abraham is quoted in it.
Is free speech an Indian value? (by Satarupa Sen Bhattacharya, India Together, April 27, 2013).

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project on Internet Access. It covers the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access and will touch upon various polices and regulations which has an impact on internet access and bodies and mechanism which are responsible for formulation policies related to internet access. The blog posts and modules will be published in a new website: www.internet-institute.in.

Upcoming Event
We are hosting an “Institute on Internet and Society” with the support of Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details have been announced.

The following units have been published:

Internet Infrastructure (by Srividya Vaidyanathan, April 30, 2013).
Internet Service Provider – Introduction (by Srividya Vaidyanathan, April 30, 2013).

Telecom

CIS is involved in promoting access and accessibility of telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Prioritizing Communications & Energy (by Shyam Ponappa, Business Standard and Organizing India Blogspot, April 4, 2013).

Blog Entry

From Open Citizen Radio Networks to the Race for .RADIO gTLD (by Sharath Chandra Ram, April 30, 2013).

Event Participated

Broadband Policy Course (organised by Lirne Asia, Bangalore, April 5 – 6, 2013). Nirmita Narasimhan and Snehashish Ghosh attended the course.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.
Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/april-2013-bulletin

Surveillance technology companies operating in India - spreadsheet

maria — 2013-04-27T16:29:14Z

The Centre for Internet and Society has started investigating surveillance technology companies operating in India! This spreadsheet entails the first 77 companies which are being researched.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-technology-companies-operating-in-india

GNI Annual Report

praskrishna — 2013-04-25T07:14:33Z

For more details visit https://cis-india.org/internet-governance/blog/gni-annual-report.pdf

Report on the 2nd Privacy Round Table meeting

maria — 2013-07-12T11:54:28Z

This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first Privacy Round Table in Delhi, this report entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20^th April 2013.

Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”

The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13^th April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.

DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.

The discussion points brought forward by DSCI were:

What role should government and industry respectively play in developing and enforcing a regulatory framework?
How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?
How can an organization be incentivized to follow the codes of practice under the SRO?
What should be the role of SROs in redressal of complaints?
What should be the business model for SROs?

DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions and preamble: Chapter I & II

The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.

Sensitive Personal Data

The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.

Information vs. Data

During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.

Exemptions

Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.

Discussion of “Protection of Personal Data”: Chapter III

Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and suggested that it be included in draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are been included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.

Data Collection

In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the in Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.

Consent

On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain cases, in other cases they choose to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should too be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized upon the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.

Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.

Data Disclosure

In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.

A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared, retained when it is not handled within India and several participants argued that this should be encountered within the Bill.

Data Destruction

In terms of data destruction, a participant emphasized upon the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized upon the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.

Data Processing

In terms of data processing, participants argued that privacy protection complications have arisen in light of the social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.

However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.

In brief, the following questions with regards to chapter III of the bill were raised during the meeting:

Should consent be required prior to the collection of data?
Should consent be acquired prior and after the disclosure of data?
Should the purpose of data collection be the same as the purpose for the disclosure of data?
Should an executive order or a court order be required to disclose data?
At the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?
An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?

Should companies notify individuals when they share their (individuals´) data with international third parties?

In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:

The data subject has to be informed, unless there is a model contract.
The request for consent should depend on the type of data that is to be disclosed.
Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).
The shared data may be considered private data (need of a relevant regulatory framework).
An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.
If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country.
India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.
The problem with disclosure is when there is an exception for certain circumstances
Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability.
Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).
´Data ownership´ should be included in the definitions of the Bill.
What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.

Discussion of “Interception of Communications”: Chapter IV

The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for other purposes other than the original purpose, as well as that such information should not be shared with third parties.

Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.

Discussion on self-regulation and co-regulation

The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.

The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.

Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than what the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.

Meeting conclusion

The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table

Report on the 1st Privacy Round Table meeting

maria — 2013-07-30T11:11:11Z

This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

This report entails an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.

Overview of Justice A P Shah Report: Purpose, Principles and Framework

The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.

During the discussion on the report, a participant stated that, although a privacy legislation should be enacted in India to protect individuals´ personal data, commercial interests should not be endangered in the name of privacy. In particular, he called upon the need for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and on online businesses. Thus, the participant emphasized upon the creation of “light-weight” privacy legislation, which would protect individual´s right to privacy, without infringing upon the interests of the private sector.

Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:

The purpose of the collection of data
The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case
Data is shared with third parties and it is hard to control how long they retain the data for
Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data

Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised in regards to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible to single access of both types of data? Many other questions were raised in regards to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follows the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, as well as that the standards for co-regulation and self-regulation are approved by the Privacy Commissioner.

While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.

The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual´s personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies´ method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers´ data and that the sharing of customer data without the individual´s prior knowledge or consent could lead to data breaches and human rights violation.

The first hour of the meeting concluded that self-regulation should be considered in regards to IT companies dealing with customers´ data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications is a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.

Discussion Highlights:

The pros and cons of self-regulation and co-regulation
The national privacy principles – and how to build in insurance for technology
The role of the Privacy Commissioner
The definition of terms used in the draft Privacy (Protection) Bill 2013

Overview, explanation and discussion on the Privacy (Protection) Bill 2013

The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen´s version of a privacy legislation for India. The Bill entails chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.

During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.

Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for very several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.

As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation coincides with other contradicting legislation. Many questions were raised in regards to how personal data in the public sector would be distinguished by personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.

Many participants agreed that India´s proposed Privacy Law should meet global standards in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.

The issue of to whom privacy laws would apply to was thoroughly discussed during the meeting. In particular, questions were raised in regards to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products by Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would gain consent on the use of data by customers of foreign countries, especially since different laws apply to each country.

The second session of the meeting also entailed a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as ´data´, should be reconceptualised.

The term ´sensitive personal data´ was analysed in the meeting and it was argued that it entails data such as sexual orientation, religion, caste and health records among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term ´sensitive personal data´ and that he/she not only ensures that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term ´sensitive personal data´, by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension and thus the necessity to strictly define the term is highly essential.

Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine ´public figures´ was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.

During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on where it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.

The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request for authorisation once the interception has already being conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. An assertive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.

The second session of the meeting concluded to the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and in regards to the handling of all individuals´ personal data.

Discussion Highlights:

If the draft Privacy (Protection) Bill 2013 should be split to two separate Bills
Definition for the term ´sensitive personal data´ (to include broader categories, such as health data)
If personal data should be distinguished in the private and public sector
If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards
The nuances of consumer consent
Various ways to define ´public figures´
Freedom of expression in the context of the draft Privacy (Protection) Bill 2013
The distinction between exemptions and exceptions

In depth explanation and discussions regarding the Privacy (Protection)

Bill 2013

The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to ´specific purposes´, because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term ´necessary information´ is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.

The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill entails provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals´ right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals choose to disclose a large amount of information.

The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data to, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company´s competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers´ data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers´ data, they are not obliged to reveal the parties with whom they are sharing information with, as this would be highly inconvenient.

Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.

A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users´ data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized upon the futility of informing customers of the handling of their data, especially since the average customer would not understand the security setting of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers in regards to how their data is being used.

In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.

In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers’ data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers´ data is not breached.

Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared with. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable in regards to how they handle data.

The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term ´data´. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the ´Right to be Forgotten´ debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.

The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to ´sensitive personal data´. The need for the redefinition of the term ´sensitive personal data´ in the draft Privacy Bill was emphasized again, as well as participants´ concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should not be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may have not considered when granting initial consent.

The meeting proceeded to discuss the processing of data and several participants emphasized upon the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.

Discussion Highlights:

The different instances of data collection and consumer consent
The nuances of data sharing
The issue of consumer consent and security assurances offered by companies
The pros and cons of having a data retention regulatory framework
How transparency is incorporated into the draft Privacy Protection Bill 2013
What is needed in provisions that speak to data destruction

Meeting conclusion

The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals´ right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.

Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the Privacy Protection Bill, 2013 based on participants´ feedback, concerns, comments and ideas.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting

Untangling the web of India's 'ungovernable' Net

praskrishna — 2013-04-16T06:06:20Z

India sells itself as a tech hub, outsourcing IT experts to the world. At home, it dreams of "equity on the Net." But millions remain unconnected and digital surveillance is on the rise.

This was published in Deutsche Welle on April 15, 2013. Sunil Abraham is quoted.

The Indian government has a dream. It dreams of the "Equinet" - a time when "there shall be equity on the Net."

"The Internet must not just be a platform for the privileged - the Internet must become an inclusive platform," India's communications minister Kapil Sibal says. "In fact, my vision is that the Internet should ultimately become the Equinet. In other words, all those, no matter which station in life they belong to, should have access to the Internet, and that can only happen if all the elements of the Internet are such that people can access them at affordable costs."

India has the third highest number of people on the Net, with about 150 million people connected.

But with a population of 1.2 billion, 150 million is not that many. Internet penetration languishes at around 10 percent, while in the United States and China - the top two countries in world rankings - Internet penetration is at 78 and 40 percent, respectively.

Like in America… in 1994

It's a fact that Google chairman Eric Schmidt highlighted on a recent tour of India, among other Asian countries.

"The Internet feels [in India] like in America in 1994," he says. "It is crucial for India to invest and enable fast fiber Internet connectivity within the country, between the country and the other countries."


While touring Asia, Schmidt said India seemed to have "rested on its laurels" after early success in the IT sector

You would think that connectivity would be better in India. The country prides itself on being a tech hub, with its centers of excellence in places like Bangalore. It has outsourced information technology specialists globally for over ten years.

Communications minister Sibal insists the government is investing where it can, saying India will connect 250,000 villages with fiber optics in the "next year or so."

"The networks should be in place, the fiber optics should be in place, [connectivity] should be efficient and of high speed, and above all, the access to handsets, which is really the key - unless handsets are affordable and accessible to ordinary people, you will not get the kind of penetration that you want from the Internet," he adds.

However, for some, there are even greater challenges for India than poor connectivity and bad infrastructure.

All eyes on you

In mid-March, police in India's financial capital Mumbai launched the country's first "Social Media Lab."

Mumbai police say they will use it to monitor and track "which topics are trending among the youth so [they] can plan law and order in a good way."

The Mumbai Social Media Lab comes amid concerns over "moral policing" of the Net by Indian authorities, and censorship - especially where comments involve political figures. The Times of India reports numerous requests by authorities to have content removed by Google and Twitter. There have also been arrests under the remit of a controversial section - 66A - of India's IT Act.

Sibal denies India wants to censor the Net. If people have been arrested under Section 66A of the IT Act, it's because police officials have either misread the law, or acted independently, he says.

"Yes, but I would say, from where does this emanate? Does it emanate with a complete understanding at the top?" asks V.C. Vivekanandan, director of the Institute of Global Internet Governance and Advocacy.


Indian communications minister Kapil Sibal says "Internet governance is an oxymoron"

"There are various, multiple layers of governance in a huge country like India, where people could be enthusiastic in their own way about thinking what is right and wrong," says Vivekanandan. "So, I don't really see censorship as such, but they would like to have discourse in a model which was pre-Internet."

Tracking private lives

But in other areas, India is showing itself to be very comfortable in the Internet age - and where it has its eyes fixed on the future.

"From what I can tell, the social media monitoring cell in Mumbai is perhaps one of the more benign components because it isn't keeping track of private communications," says Sunil Abraham, executive director of the Centre for Internet and Society (CIS) in Bangalore.

However, the Indian government plans to track everybody's online activities - that means anything that uses the Internet as a communication network.

"There are very many other projects like the unique identification (UID) and the National Intelligence Grid (NATGRID) that will keep track of private communications," says Abraham.

The UID is the Indian government's centralized biometric identity management system, which will connect more than 20 databases that 12 intelligence and law enforcement agencies will be able to access.

"These databases include banking records, telecommunications records and travel records [among other things]," says Abraham. "So, it's a very large scale attempt by the Indian government to place citizens under 360 degree blanket surveillance."

Internet governance is an oxymoron

But how these moves square with Sibal's vision of the Equinet is hard to see.


This Delhi laywer, Mohit Sharma, is one of only 11 percent of Indians who are connected to the Internet

The communications minister believes Indians will not be dissuaded from using the Net.

"The fact that 150 million people are on the Net is evidence of the fact that they are not scared, and if you go to Twitter today, there are more abuses on Twitter than perhaps you can find anywhere else in the world," says Sibal.

That doesn't necessarily mean that the government thinks this is a good thing. But Sibal insists he is against Internet governance - in fact, he says "Internet governance is an oxymoron."

"How can you govern something that cannot be governed? Because anybody can say anything on the Net," says Sibal. "So, there should be an element of self-regulation. Just as we interact with each other in civilized society, similarly people on the Net should also interact with each other with self-restraint."

But the CIS's Sunil Abraham isn't convinced.

"If one listens very carefully to what the minister says, he says you cannot regulate the Internet. But you can regulate what citizens do on the Internet," he says. "You can regulate what corporations do on the Internet. And you can also regulate what the government does on the Internet."

For more details visit https://cis-india.org/news/d-w-april-15-2013-untangling-the-web-of-indias-ungovernable-net

India's 'Big Brother': The Central Monitoring System (CMS)

maria — 2013-12-06T09:39:20Z

In this post, Maria Xynou looks at India´s Central Monitoring System (CMS) project and examines whether it can target individuals´ communications data, regardless of whether they are involved in illegal activity.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

For more details visit https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

March 2013 Bulletin

praskrishna — 2013-04-14T11:45:29Z

The Centre for Internet & Society (CIS) welcomes you to the third issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), Programme Officer (Access to Knowledge and Openness), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One of this is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

The Lakshadweep Chapter (by Anandhi Viswanathan, March 25, 2013): The union territory of Lakshadweep has not passed any legislation for persons with disabilities, but implements the provisions under the central laws. The benefits currently available to persons with disabilities in Lakshadweep include disability pension, unemployment allowance and grant for setting up kiosks.
The Meghalaya Chapter (by Manojna Yeluri, March 25, 2013): Meghalaya is one of the few north-eastern states, which has appointed a Commissioner for Disabilities. Most of the schemes and benefits given to persons with disabilities in Meghalaya are under centrally sponsored schemes. Very few schemes are initiated by the state government.
The Uttar Pradesh Chapter (by Manojna Yeluri, March 31, 2013): The Government of Uttar Pradesh has established shelter homes and vocational training centres in several parts of the states — most recently in Meerut, Bareilly and Gorakhpur. It has also undertaken to finance nearly 4340 corrective surgeries for polio across nine cities of Uttar Pradesh. It also intends to start several projects in 2013. These include the establishment of a Braille Press in order to produce Braille books, magazines and other study material.

Resources
We now have a new section on our website which contains all government notifications, RTI applications, and accessibility related resources: cases, statutes, etc. The following were published earlier this month:

Information about Schemes for Disabled Persons in Haryana We received this notification on schemes and policies for persons with disabilities from the Government of Haryana.
Haryana Government Notification (Hindi version): The notification that we received from the state government was in Hindi. We will put up the English translation soon.
West Bengal (Govt) Notifications: We received a series of notifications from the West Bengal Government from its various departments such as finance, higher education, transport, health and family welfare, labour, land and land reforms, panchayats and rural development, etc. OCR versions of the same have been published.
Lakshadweep (Govt) Notifications: Notifications received from the Lakshadweep Government including guidelines for functioning of KIOSKS, grant of unemployment allowance and special jobs to persons with disabilities, issuing identity card to persons with disabilities for availing government benefits, etc., are published. OCR versions have also been put up.

Event Participated In

A Discussion on Intercept between UNCRPD & CEDAW (organized by the Shanta Memorial Institute of Rehabilitation – Odisha, CBR Network and Mitra Jyoti, Bangalore, Karnataka, February 4, 2013): Anandhi Viswanathan participated in this event.

Access to Knowledge and Openness

Wikipedia

Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon, Subhashish Panigrahi and Noopur Raval, and one team member Dr. U.B. Pavanaja who is working from Bangalore office.

Indic Wikipedia Visualisation Project

Visualising Basic Parameters (by Sajjad Anwar and Sumandro Chattapadhyay, March 26, 2013): Sajjad and Sumandro bring you a visualisation of the growth of Indic Wikipedia in this first post on Indic Wikipedia Visualisation project. They look into the different aspects of the past and present activities of Indic Wikipedias, and divide the visualisation into three different focus areas: (1) basic parameters, (2) geographic patterns of edits, and (3) exploring the topics that receives the greatest number of edits.

Events Organised

Introductory Wikipedia session at BITS Goa (organised by CIS, Birla Institute of Technology & Science, Pilani, Goa, March 7, 2013). The Access to Knowledge team was invited by Nikhil Dixit from BITS to organise a Wikipedia editing session. Nitika Tandon led the session on IP editing.
Kannada Wikipedia Workshop (organised by CIS, Institution of Engineers, JLB Road, Mysore, March 24, 2013). Dr. U.B. Pavanaja led this workshop.

Events Co-organised

Wiki Women's Day in Goa (organised by the Wikimedia India Chapter and CIS, Nirmala Institute of Education, Panaji, Goa, March 8, 2013). Nitika Tandon participated in this workshop held on International Working Women's Day, and shares the developments in this report.
Wikipedia Workshop for Kannada Science Writers (organised by Wikimedia India Chapter, Karnataka Rajya Vijnana Parishath and CIS, Karnataka Rajya Vijnana Parishath Conference Hall, Banashankari 2nd Stage, Bangalore, March 17, 2013). Dr. U.B. Pavanaja participated in the event.

Upcoming Event

Telugu Wiki Mahotsavam 2013 (co-organised with the Telegu Wikipedia community, Hyderabad, April 9 to 11, 2013). Vishnu Vardhan is participating in this event as a speaker. A public event will be held on April 11 from 5.00 p.m. to 8.00 p.m. at Golden Threshold (Sarojini Naidu's house) in Hyderabad.

Events Participated

Wikipedia Women's Workshop Bangalore 2013 (organised by Wikimedia India, Servelots Infotech, Jayanagar, Bangalore, March 8, 2013). The event was covered by Kannada Prabha on March 9, 2013. Dr. U.B. Pavanaja participated in the event.
Wikipedia at Avenir (organised by the Wikipedia community, Netaji Subhash Engineering College, Kolkata, West Bengal, March 11, 2013). CIS supported this event.

Event Report from Other Organisations
Wikipedia Community members helped the Higher Education Innovation and Research Applications Programme (HEIRA) of CSCS Bangalore to organize a day-long workshop on ‘Digital Literacy’ at Ahmednagar College, Ahmednagar, Maharasthra on January 17, 2013. Tanveer Hasan of HEIRA shares with us the developments in this report.

Other Openness Updates

Event Report

Iraqi Public Data Scenario Workshop: A Summary (by Sumandro Chattapadhyay, March 26, 2013): A workshop on public data was conducted by Sunil Abraham and Sumandro Chattapadhyay for the officials of the Government of Iraq. It was organized by UNDP Iraq in Amman, Jordan from October 18 to 23, 2012. Sumandro Chattapadhyay shares with us the developments from the workshop held over five days.

Event Participated

Open DataCamp - 2013 (organized by Open Data Camp, Dharmaram Vidya Kshetram (inside Christ University Campus), Dairy Circle, Bangalore, March 2 and 3, 2013): Sunil Abraham was a panelist.

HasGeek
HasGeek creates discussion spaces for geeks and has organised conferences like the Fifth Elephant, Droidcon India 2011, Android Camp, etc. HasGeek is supported by CIS and works from the CIS office in Bengaluru.

Upcoming Events

Pig Workshop (organized by HasGeek, Alchemy Solutions, Domlur, Bangalore, 9.00 a.m. to 6.00 p.m.): A workshop on how to use Pig for mining useful information from data. It is open to programmers who have a background in Java programming, some familiarity with Hadoop and MapReduce algorithms, and have worked with large chunks of data.
The Fifth Elephant 2013 (organized by HasGeek, July 11 to 13, 2013, NIMHANS Convention Centre, Bangalore).

Internet Governance

Privacy

Policy

Draft Human DNA Profiling Bill (April 2012): High Level Concerns (by Elonnai Hickok, March 12, 2013). The post examines the high level concerns that CIS has with the April 2012 draft of the Bill.
Human DNA Profiling Bill 2012 Analysis (by Jeremy Gruber, Council for Responsible Genetics, US, March 19, 2013). Jeremy provides an analysis of the Human DNA Profiling Bill, 2012. He says that India’s updated 2012 Human DNA Profiling Bill offers largely superficial changes from its predecessor, the Draft DNA Profiling Bill, 2007.

The Privacy (Protection) Bill 2013: A Citizen's Draft (by Bhairav Acharya, March 26, 2013). Bhairav Acharya has drafted the Privacy (Protection) Bill 2013. It contains provisions that speak to data protection, interception, and surveillance and also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Upcoming Events

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Event Organized

Analyzing the Draft Human DNA Profiling Bill 2012 (organized by the Centre for Internet and Society, Bangalore, March 1, 2013): Maria Xynou shares a summary of the workshop in this report.

Events Participated In

Global Partners Meeting @ London (organized by Privacy International, London School of Economics and Political Science, March 22 – 25, 2013). Sunil Abraham and Malavika Jayaram participated in the event.
India’s Civil Liberties Crisis: Of Bans, Blocks, Bullying and Biometrics (organized by the Center for Global Communication Studies, Annenberg School of Communication, University of Pennsylvania, Philadelphia, March 28, 2013). Malavika Jayaram participated as a speaker.
Future of Privacy in India (organized by DSCI and ICOMP, Oberoi Hotel, New Delhi, April 5, 2013). Sunil Abraham is a speaker at this event.

Blog Posts

Hacking without borders: The future of artificial intelligence and surveillance (by Maria Xynou, March 15, 2013). In this post, Maria looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.
Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes... (by Maria Xynou, March 26, 2013). Maria examines red light cameras, RFID tags and black boxes used to monitor vehicles in India.
Microsoft Releases its First Report on Data Requests by Law Enforcement Agencies around the World (by Maria Xynou, March 27, 2013). CIS presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.
The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues (by Divij Joshi, March 31, 2013). The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

IT Act

Featured Blog Post

CIS Welcomes Standing Committee Report on IT Rules (by Pranesh Prakash, March 27, 2013). CIS welcomes the report by the Standing Committee on Subordinate Legislation, in which it has lambasted the government and has recommended that the government amend the Rules it passed in April 2011 under section 79 of the Information Technology Act. The post was quoted in: The Times of India (March 28, 2013), The Statesman (March 28, 2013), Economic Times (March 28, 2013), Data Quest (March 28, 2013), and The Hindu (April 1, 2013).

Submissions
Bhairav Acharya, on behalf of CIS submitted comments to the Committee on Subordinate Legislation of the 15^th Lok Sabha for the following rules:

Comments on the Information Technology (Electronic Service Delivery) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on April 11, 2011.
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on April 11, 2011.
Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011. The Rules were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on April 11, 2011.

Note: The above rules were submitted earlier but published on our website only recently.

Unique ID Project

Event Organized

Unique Identity Number (UID), National Population Register (NPR), and Governance (organized by CIS and Say No to UID Campaign, TERI, Bangalore, March 2, 2013): CIS interviewed Usha Ramanathan and Anant Maringanti. Watch the videos uploaded in this blog post by Maria Xynou. This was covered in newzfirst on March 3, 2013 and in the Hindu on March 3, 2013.

Interview

Unique Identification Scheme (UID) & National Population Register (NPR), and Governance (by Elonnai Hickok, March 14, 2013). The post examines the UID, NPR and Governance as it exists in India. A video on the UID interview Questions and Answers is published.

News and Media

Indian ID crisis unveils Aadhaar doubts (ZDNet, March 14, 2013). Sunil Abraham is quoted.
New $1 Billion RIC Project Casts Doubts on Aadhaar (AEG India, March 16, 2013). Sunil Abraham is quoted.

Blog Entry

India's Biometric Identification Programs and Privacy Concerns (by Divij Joshi, March 31, 2013).

Free Speech and Expression

News and Media

Foreign Funding of NGOs (by Prashant Reddy, Open Magazine, March 2, 2013).
Iceland’s proposed porn ban ‘like repression in Iran, N. Korea’ – activists (RT, March 1, 2013). Sunil Abraham is quoted.
Chidambaram to Talk Budget on Google+ Hangout (by Dhanya Ann Thoppil, Wall Street Journal, March 4, 2013). Sunil Abraham is quoted.
Responding to govt requests is a challenge for online firms: Colin Maclay (LiveMint, March 13, 2013). Colin M. Maclay, managing director of Berkman Center for Internet and Society at Harvard mentioned CIS.
Indian police set up lab to monitor social media (originally published by AFP, March 18, 2013, and also carried in Global Post on the same day). Sunil Abraham is quoted.
Namaste, Mr. Eric Schmidt (by R. Jai Krishna, Wall Street Journal, March 20, 2013). Sunil Abraham is quoted.
Parliament panel blasts govt over ambiguous internet laws (by Ishan Srivastava, The Times of India, March 28, 2013). Pranesh Prakash is quoted.
What if the Net shut down for a few days (by Atul Sethi, The Times of India, March 30, 2013). Sunil Abraham is quoted.
Press controls ‘send wrong message to rest of world’ (by Jerome Starkey from Johannesburg, Francis Elliott from Delhi and David Brown, The Times, UK).

Event Organized

Freedom Song: Film Screening and Discussion (IIHS Bangalore City Campus, March 21, 2013). Freedom Song, a documentary film produced by the Public Service Broadcasting Trust and directed by Paranjoy Guha Thakurta and Subi Chaturvedi was screened.

Events Participated In

Is Social Media Incredible? (organized by Indian Institute of Journalism & New Media, Bangalore, March 2, 2013). Snehashish Ghosh participated in a panel discussion. The New Indian Express published a post-event report.
Rethinking the Internet: The Way Forward (organized by Telecom Italia and Financial iTimes, Telecom Italia Future Centre, Italy, March 21 – 22, 2013). Pranesh Prakash participated in this event.

Others

Events Organised

DML 2013: Fourth Annual Conference (co-organised by CIS and Digital Media & Learning Research Hub Central, Sheraton Chicago Hotel & Towers - Chicago, Illinois, March 14 – 16, 2013). We had a special track that ran through the conference on "Whose Change Is It Anyway? Futures, Youth, Technology And Citizen Action In The Global South (And The Rest Of The World)". Noopur Raval was one of the 16 presenters that we had selected on the tracks. Nishant Shah was one of the members in the Conference Committee.

Blog Posts

WGIG+8: Stock-Taking, Mapping, and Going Forward (Fontenoy Building, conference room # 7, UNESCO Headquarters, Paris, February 27, 2013). Pranesh Prakash was the moderator for the session. A summary of the discussion has been published.
What’s In a Name? — DNS Singularity of ICANN and the Gold Rush (by Sharath Chandra Ram, March 31, 2013). March 2013 being the 28th birthday of the first ever registered Internet domain as well as the exigent launch of the Trademark Clearing House disguised as a milestone in rights protection by ICANN for its new gTLD program, Sharath Chandra Ram, dissects the transitory role of ICANN from being a technical outfit to the Boardroom Big Brother of Internet Governance.
An Introduction to Bitfilm & Bitcoin in Bangalore, India (by Benson Samuel, March 12, 2013). Video of the event organized by CIS on January 23, 2013 is published in this blog post.

Knowledge Repository on Internet Access

Upcoming Event
We are hosting an “Institute on Internet and Society” in collaboration with the Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details will be announced soon on our website.

The following units have been published:

Internet Protocols (by Srividya Vaidyanathan, March 18, 2013).
How email works, how do you get your email? Email Protocols (SMTP, POP, IMAP), SPAM/Phishing (by Srividya Vaidyanathan, March 19, 2013).
Internet Corporation for Assigned Names and Numbers (by Snehashish Ghosh, March 19, 2013).
ITU sectors — ITU-R, ITU-T, ITU-D, etc. (by Snehashish Ghosh, March 27, 2013).
World Conference on International Telecommunications 2012 (by Snehashish Ghosh, March 29, 2013).

Telecom

Newspaper Column

Are India's Glory Days Over? (by Shyam Ponappa, Organizing India Blogspot, March 8, 2013, originally published in the Business Standard, March 6, 2013).

Digital Natives

Digital Natives with a Cause? examines the changing landscape of social change and political participation in light of the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who critically engage with discourse on youth, technology and social change, and look at alternative practices and ideas in the Global South:

Events Participated In

Video Vortex # 9 Re:assemblies of Video (organized by the Institute of Network Cultures, Post Media Lab, Moving Image Lab, Leuphana, et.al, February 28 – March 2, 2013). Nishant Shah gave the key note. Videos of the event are published.

Digital Humanities

From 2012 to 2015, the Researchers @ Work series is focusing on building research clusters in the field of Digital Humanities. We organised the first Habits of Living workshops in Bangalore last year. The next workshop is being held in Brown University

Event Co-organised

Habits of Living: Networked Affects, Glocal Effects (co-organised with Brown University, March 21 – 23, 2013, Brown University, Rhode Island). Nishant Shah was a speaker at this event. He made a presentation on network ontologies.

Event Participated

Korean Trans Cine-Media in Global Contexts: Asia and the World (organized by Trans-Asia Screen Culture Institute, Cinema Studies, Korean National University of Arts, Korean Film Archive and Tsubouchi Memorial Theatre Museum, Waseda University, Seoul, March 27 – 29, 2013). Nishant Shah was a speaker at this event. He spoke on "The Asian Intercourse: Reimagining the Inter-Asia moment through ‘net-porn’ in networks".

About CIS

Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

For more details visit https://cis-india.org/about/newsletters/march-2013-bulletin

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns

Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes...

maria — 2013-07-12T15:26:33Z

In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have already adopted measures to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, privacy concerns have arisen as it remains unclear how data collected will be used.

Red light cameras

Last week, the Chennai police announced that it plans to install traffic enforcement cameras, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since early 2008 and a study indicates that they have reduced the traffic violation rates. A 2003 report by the National Cooperative Highway Research Programme (NCHRP) examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.

However, how are traffic violation rates even measured? According to Barbara Langland Orban, an associate professor of health policy and management at the University of South Florida:

“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”

Last year, the Bombay state government informed the High Court that the 100 CCTV cameras installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s due-process rights?

RFID tags and Black Boxes

A communication revolution is upon us, as Maharashtra state transport department is currently including radio frequency identification (RFID) tags on each and every number plate of vehicles. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the 2001 amendment of Rule 50 of the Central Motor Vehicles Rules, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.

RFID technology has also been launched at Maharashtra´s state border check-posts. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.

By 31 March 2014, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to Dr. Joshi, the Union Minister for Road Transport and Highways:

“The RFID technology shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”

Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it uniquely identifies each vehicle, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.

The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an Event Data Recorder (EDR), otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.

Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it mandatory for cars to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.

Are monitored cars safer?

The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a 2005 Federal Highway Administration study, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other studies of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.

Furthermore, there have been claims that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.

Companies which manufacture vehicle tracking systems are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?

And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, but us. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored, we are all suspects and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.

Maneuvering our monitoring

Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.

Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as increasing the duration of the yellow light between the green and the red, re-timing lights so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.

Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:

Should we be monitored at all?

For more details visit https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes

The Privacy (Protection) Bill 2013: A Citizen's Draft

bhairav — 2013-07-12T11:50:20Z

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, Bhairav Acharya has drafted the Privacy (Protection) Bill 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Click to download a full draft of the Privacy (Protection) Bill, 2013.

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft