Centre for Internet and Society

Would it be a unique identity crisis ?

praskrishna — 2011-04-01T17:10:30Z

The UID project will centralise a humongous amount of data but the fear is that it might fall into the wrong hands.

The Unique Identification (UID) project is already up and running. It’s touted as a watershed in inclusive politics, of bringing people, who by virtue of physical remoteness, their station in society or other liabilities were excluded from the system, back into it. UID Chairman Nandan Nilekani recently said that the aadhaar number will not replace the passport, driving license or the voter identity card and that by 2014, 60 per cent of the country’s population will have the 12-digit UID number. The idea, though it has not been made explicit, is that Aadhaar will eventually become the key document for the common man to navigate the system, whether it is opening a bank account or making a rent agreement to booking a train ticket or applying for a job.

In fact, there is the implicit danger that sooner than later the original idea of inclusiveness could be turned on its head by denying benefits to people who don’t have the Aadhaar! “There is nothing to ensure that you will continue to receive the same benefits like those who have the UID number. The claim that it is not mandatory is legally correct. But in practice it would not be,” said Prof Sridhar Krishnaswamy of W B University for Juridical Sciences.

It is a fundamental premise that data subjects ought to have “inalienable moral rights” about the “integrity” of the data collected about them. But even as UID is one of the best things that could have happened to deepen the democratic process in our society, the often un-remarked fact is that the project has also become the biggest industrial collector of personal information. Considering the size and heterogeneity of the Indian population, it becomes as big as Google, and the implications of this are quite frightening. The UID draft bill, which has to be cleared by Parliament for it to become law, has only perfunctorily looked at the dangers posed by such huge and centralized collection of data. It glosses over the issue, content with making conservative noises about “the interlinking of databases”. This only shows how casual our policy makers, even the most enlightened of them, are towards the whole issue of safeguarding privacy.

The Bangalore-based Centre for Internet and Society (CIS) has analyzed the draft UID bill in considerable depth. They have identified three main areas where the bill needs to be drastically reworked: (i) plugging all loopholes which would enable corporate organizations from accessing information from the Aadhar database for their own commercial or R & D purposes; (ii) stipulating a maximum period for the data to be stored; (iii) to be transparent about the methods it uses to collect, store and disseminate data.

Prof Krishnaswamy agreed that the UID bill has not taken the corporate threat seriously enough. He contends that the UID authorities should take small, concrete steps that would act as effective safeguards. “In the mobile phone segment, user information is stored only for six months. Now, the government is proposing a similar time cap for ISP too. But when it comes to UID there is no such time limit. It means personal information could be held perpetually,” he explained. All that UID Assistant Director A K Pandey had to say to this was, “if that is it, then we have to live with it.”

Another worrying aspect of the proposed bill, according to Usha Ramanathan, an activist and expert on identity and digital issues, is its failure to fix accountability on the main players including enrollers, outsourcing companies, and the UDAI authority itself. “The data collector and data controller should be equally held responsible for the protection of data,” she said. However, UID authorities themselves are of the view that the apprehensions are being overplayed. Pandey maintained that there was nothing in the UID that would compromise the privacy of individuals. “You go to a bank or the LIC office and you give whatever information they ask you. But when it comes to UID alone you say the information you give could be dangerous. We don’t quite understand this,” he retorted. He played down the fears that in the central data storage vital information could go corrupt. “We have taken adequate measures to protect it. We will have a backup,” he said.

The issue of transparency of data collection and storage remains. The CIS analysts feel that the UID should put out a synopsis of the algorithms it will use in collating and protecting data so that the public at large can be reassured of the firewalls that are in place. Then there is also the issue of not having concrete provisions in the UID bill to deal with special cases like whistleblowers and victims of abuse whose identities need to be protected even more carefully.

The UID authority also bypasses the question of whether it is confusing data protection with the larger issue of protection of privacy. A person’s identity is more than her date of birth, surname, religion, fingerprint or even the sum of these. Such information is basically data and allows governments or corporate bodies to provide a person a nominal identity, one that is indispensable if she is to be part of a socio-political system. The state and corporate entities conveniently deny a person her self, thereby reducing her to a subject instead of seeing each individual as a thinking, acting agency.

Be that as it may, right now the concern of civil society is to make at least protection of data as foolproof as possible. Aadhaar is just one of the projects that pose a threat to the privacy of individual citizens. There is the broader problem of how the Internet and mobile phones, the popularity of social networking sites such as Facebook and Twitter, and the widespread use of credit and debit cards has led to blatant misuse of personal information gathered online, sharing of consumer data without consent and the state’s own Big Brother surveillance. The need for an effective privacy law in India is imperative.

Read the original in Bangalore Mirror

For more details visit https://cis-india.org/news/unique-identity-crisis

Does the UID Reflect India?

elonnai — 2012-03-22T05:45:32Z

On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events.

Introduction

Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit Aadhaar numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications.

Benefits for the Poor

Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.

Appropriate Methodology

Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.

Legal Questions

Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the Aadhaar number. Legally the UID Bill does not make the Aadhaar number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the Aadhaar number would be truly voluntary.

Does India Comprehend what the UID Could Bring?

Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.

Conclusion

One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india

The Niira Radia Tapes: Scrutinizing the Snoopers

praskrishna — 2011-04-02T07:29:21Z

There’s been plenty of outrage in India over taped phone calls between corporate lobbyist Niira Radia and local journalists, revealing what some people believe is evidence that star reporters at the country’s newspapers and TV channels are too cozy with the subjects they’re supposed to be reporting on.

Amid that firestorm, though, there’s been much less scrutiny of why and how the wiretaps happened in the first place, whether they were justified or a governmental overreach, and how these infamous tapes got from the government into the hands of media companies.

Here are just a few questions that merit more consideration: Who orders telephone surveillance in India and on what grounds? How often is it done? What protections are in place to ensure government officials don’t abuse their surveillance authority to settle scores with journalists, corporate officials or ordinary citizens they have a beef with?

The quick answer to all of these: India trusts its bureaucrats to do the right thing. The central government’s Home Secretary, along with some intelligence agencies and state officials, has the authority to approve wiretaps. Unlike in the U.S. and other countries, where investigators must generally obtain court warrants for surveillance to pursue matters ranging from drug-trafficking to insider trading, in India there is no such legal tradition or rule.

“There is no oversight infrastructure, either in parliament or in the judiciary,” said Sunil Abraham, executive director of the Bangalore-based Center for Internet and Society. There is only “post facto” protection in the sense that you can sue the government later if you feel you were wrongly wiretapped, he said.

According to local media reports, industrial giant Ratan Tata on Monday petitioned the Supreme Court over the leaking of the tapes, on which he is heard bantering with Ms. Radia (his lobbyist) about a range of topics related to the $70 billion Tata Group. The reports say he feels the episode violated his privacy and wants the leakers to be punished. (While there’s no explicit constitutional protection of privacy in India, the Supreme Court in some cases has held it is covered by Article 21 of the Constitution, which says, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”)

A report in the Economic Times Monday said government is going to investigate the leak. A Home Ministry spokesman declined to comment on whether an inquiry has been launched but said India’s system of allowing a handful of security and intelligence officials to approve or deny wiretaps sufficiently guards Indian citizens’ privacy. “It isn’t an unchecked kind of thing, that anyone can just do it,” the spokesman said.

India draws its wiretap authority from a few laws, including the 1885 Telegraph Act and a separate information technology law enacted in 2000 and amended in 2008. The government can tap phones or intercept emails for reasons such as “any public emergency” or “in the interest of the public safety” – pretty broad language that gives a lot of leeway to bureaucrats, critics say.

A report in the Hindu last week claimed that more than 5,000 Indian phones are being bugged daily, citing anonymous sources. Mr. Abraham, of the Center for Internet and Society, says that breadth of surveillance in a country of 1.2 billion people wouldn’t be unreasonable. But his organization is planning a Right to Information request to find out more about the scope of government wiretapping.

The government may have had good reasons to conduct the wiretaps of Ms. Radia, which local media reports say were done by the income tax department for two four-month stints in 2008 and 2009, during which time they reportedly logged 5,851 calls.

The income tax agency hasn’t stated publicly what the rationale was and its officials declined to comment Monday.

Media reports suggest that the material was supposed to help probe the irregular allocation of mobile phone spectrum in 2008 to several Indian telecom firms. (The official in charge of that allocation, A. Raja, resigned as telecom minister Nov. 14 amid charges that he rigged the process to favor some companies over others.)

But much of the content in the several hours of so-called “2G tapes” that have leaked to Indian news organizations has little or nothing to do with taxes or 2G spectrum. There’s talk of the billionaire Ambani brothers’ natural gas pricing dispute, mining policy, a dog who is named Google because he is good at finding things, which corporate honchos are easy to get on the phone, and plenty of titillating exchanges between New Delhi’s power brokers on the politics of cabinet appointments. Some pretty top-notch gossip, in other words.

To be sure, the content on the tapes does raise disturbing and serious questions about whether some elements of the Indian media carry water for particular government ministers or corporations. And it pulls the veil back on how the titans of Indian business and politics shape policy away from the public spotlight, as Siddharth Varadarajan explained in Monday’s edition of the Hindu when he made a clever analogy to the movie The Matrix. (We’ve separately parsed the contents of some of the tapes for their potential significance.)

But it’s still worth asking tough questions about the legal and ethical foundations of wiretapping citizens, because, as Indian civil liberties expert Lawrence Liang said in an email, “if this can happen to a Nira Radia, then it can easily be used for a Nida Nobody.”

Update, 5:09 p.m.: “A Home Ministry spokesman confirmed the ministry has asked the Intelligence Bureau and Central Board of Direct Taxes to conduct a probe into the leak.”

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/niira-radia-tapes

Privacy and Telecommunications: Do We Have the Safeguards?

elonnai — 2012-03-21T10:06:48Z

All of you often come across unsolicited and annoying telemarketing calls/ SMS's, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.

1 Introduction

With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.

While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers including photocopies of identity documents, biographical information etc, which could potentially be misused;

Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance - whether lawful or not;

Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.;

Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.

This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection

1) The Telegraph Act and Rules, which contains provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.

2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy.

3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy.

The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms

2 Indian Regulatory Regime

2.1 The Indian Telegraph Act and Rules

First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’i. The following sections apply:

1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence”ii

2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.

3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.

4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.

5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.

6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.

2.2 License Agreements

Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct businessiii. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include:

1) Clause 21 of the National Long Distance Licenseiv comprehensively covers various aspects of privacy including

a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.

b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :

i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and

ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.

c. The above safeguard however does not apply where

i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or

ii. The information is already open to the public and otherwise known.

d. The Licensees shall take necessary steps to ensure that the they and any person(s) acting on their behalf observe confidentiality of customer information.

2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.

3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:

a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception.

b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).

c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.

d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.

e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.

f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.

g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.

h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”.

i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:

j) Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and

k) User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

l) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.

m) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well)

2.3 TRAI Regulations and Directions

The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:

2.4 Unsolicited Commercial Communications Regulation

In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications.

* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive,

* The following categories of message are excluded

(i) any message under a specific contract between the parties to such contract; or

(ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose;

(iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;

* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal.

* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services.

* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.

2.5 Privacy and Confidentiality Direction

In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted.

3 International Norms

3.1 Telecommunications in the EU

In 2006, the European Union adopted Directive 2006/24/EC which mandated member states to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the Directive adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.

Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the

case by bodies and auxiliary bodies appointed by Parliament.”These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”

3.2 Telecommunication in the United States

In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does though provide, what is known as a “total service approach”, exception to these rules - that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing.

The Telephone Consumer Protection Act applies to U.S companies that tele-market to consumers for commercial purposes. The rules require that phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumer who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004).

4 Discussion

The Indian Constitution does not, as in certain other countries (Eg. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not however hindered the Supreme Court from reading in the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.v

(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address);

As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.

(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications

Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance.

(3) the legal requirements placed on telecommunications providers for data retention or data erasure;

The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures.

Questions:

Will a privacy legislation address data retention for the Telecom sector?

Will a privacy legislation regulate the monitoring and tapping of phones?

End Notes

i‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication.

ii In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

iii Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.

iv Issued to TSPs who offer long distance telephony in India

v These questions drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications

C.I.S Responds to Privacy Approach Paper

elonnai — 2012-03-21T10:08:10Z

A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation.

1. What is privacy?

a) In the approach paper, the definition of privacy is not consistent and the meanings are used interchangably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy.

b) CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts:

1. Physical - physical space, body, home, car, etc.

2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc).

3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.

2. Is there a need for privacy protection?

a) We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data.

b) As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project.

c) However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation.

3. Is there a need for such legislation?

a) We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (for eg. AMFI, MFIN) leaves us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document.

b) We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy.

4. Legislative Competence:

We agree.

5. Is there a constitutional right to privacy?

a) We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution.

b) However, the approach paper is factual incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities.

c) Most frequently, this issue has arisen the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified.

d) Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services.

e) We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.

6. Existing legislation:

a) In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc.

b) By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions.

c) We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal.

d) We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent.

e) Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure..

f) Generally speaking, a privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy.

7. Potential Conflicts between Data Protection Legislation and other Laws:

We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.

7.1 Data Protection and the Right to Information

a) The argument that a privacy legislation would conflict with the RTI is somewhat overstated.

b) Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act.

c) We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example.

d) The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis.

e) As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies.

f) Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance.

g) We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act.

7.2 Data Protection and Credit Verification

a) We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification.

b) All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data.

c) This may include limitations on marketing efforts and disclosure to third-parties.

7.3 Data Protection and Private Investigative Agencies

a) We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws.

b) Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies.

7.4 Data Protection and National Security

a) We understand the conflict between the need for a government to ensure the security of its population with the need to protect privacy.

b) We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required.

7.5 Data Protection vs. Transparency in Government

a) We feel that this section engages very sloppily with the issue of transparency/corruption in India.

b) It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell.

c) In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years.

d) The publication of lists of recipients/beneficiaries of schemes has been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials.

e) We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue.

8.0 Privacy legislation in other countries:

a) We agree with the recommendations, but would include notification of breach: how, when, what and who.

b) We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties.

9.0 Proposed Framework for Privacy Legislation:

a) Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such has TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to.

b) In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs.

c) We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector.

d) We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.

9.1 Applicability

We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:

a) We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.

b) We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law.

9.2 Data

While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:

a) The distinction is useful to prescribe enahanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to say, the collection of more mundane details like name, age.

b) However, we believe the distinction is not useful if is used, say, to provide differentiated access/data security standards for the two types of information. Eg. If the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data. Or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used to lethal purposes.

9.3 Personal Data

We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person

9.4 Personal Sensitive Data

See comments at 9.2 above

9.5 Data Collection

a) We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week.

b) This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’.

c) Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtained written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent.

d) It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override more other rigorous judicial guidelines.

e) As a overriding safeguard, we think that where “balancing interests” come into play, such interest must first seek and obtain judicial approbation.

9.6 Data Processing

a) We agree with the need to fix primary responsibility for data security on the data controller, however,

b) it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller.

c) We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”.

9.7 Data Storage

a) We concur that data should be stored only until the time the purpose for which it was collected is achieved.

b) Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection.

c) We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary.

d) We endorse the approach paper’s conservative stance on linking of databases.

9.8 Data Security

a) We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held.

b) This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information.

9.9 Data Access

a) We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them.

b) We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right.

9.10 Cross Border Applicability and Transfer

a) We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions.

b) Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted.

9.11 Exemptions

a) We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight.

b) Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion than allowable under existent law. eg. An exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.

9.12 Automated Decision Making

a) We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries.

b) In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms.

9.13 Regulatory Set Up

We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up” .

a) At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (eg. TRAI/TDSAT and SEBI/SAT. ) and could be usefully imported in the present context

b) Secondly, we we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim.

c) Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactory by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this.

Conclusion

We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.

Approach Paper: 121KB

For more details visit https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper

Crisis for identity or identity crisis?

praskrishna — 2011-04-02T08:16:30Z

The hurry with which the government is pushing its most ambitious project to assign a number (UID) to every citizen without any feasibility study or public debate has raised many questions.

“It will empower all”, declared Prime Minister Manmohan Singh when he issued the first UID card to a villager from Tembhli village in Maharashtra. But as days pass and relevant issues come for public discourse, many people have begun to doubt prime minister’s assurance.

Unique identification number (UID), named Aadhaar is a 12 digit identification number that the government plans to issue to all citizens that will not only be an identity card but will also serve multiple purposes for its holder.

Infosys co-founder Nandan Nilekani has been assigned the responsibility to execute this proposal as Chairman of the Unique Identification Authority of India (UIDAI). Mr Nilekani leads a team of 120 people having the task of assigning unique identities to 1.2 billion people. He plans to take Aadhaar beyond being just a 12-digit identification number for every Indian. This ambitious and mammoth project is pitched to handle projects as diverse as a national-highway toll-collection system, a technology backbone for the forthcoming Goods and Services Tax (GST) and reform of the vast public distribution system (PDS) for subsidized foodgrains.

Government plans to cover 60 per cent of the nation’s population under this project in the next three years starting October this year. This project is intended to collect identification data about all residents in the country. It is said that it will impact the PDS and NREGA programmes, and plug leakages and save the government large sums of money.

But the UID will not replace ration cards and passports, and is not mandatory as of now. No questions would be asked related to language, caste or religion of the person applying for UID.

The UID number is linked to the fingerprints and the pattern of the eyes of the person assigned that number. This inimitable biometric data ensures that any given number is linked to only one person. So there is hardly a chance of any misgiving or stealing of rations and wages from the holder. It is believed that soon banks, insurance companies, cell phone providers and hospitals will demand UID number before doing business with you.

In short, in the future our name, address, bank account numbers, personal information and identity as a whole will be solely linked and governed by those 12 digit number we hold.

Critics say that there has been no feasible study conducted about UID project, neither has there been a cost benefit analysis done. To add to it, there are serious concerns about data and identity theft.

But apart from the buzz about this new project, there is an air of suspicion surrounding it too.

The launch of the UID has led to a flurry of debate amongst policy-makers, legal experts and civil society at large. In response, Mr Nilekani claims the UID to be “a foolproof project implemented at a low cost”.

However, some critical issues remain unanswered.

One of the major objections about UID is that there has been no feasible study conducted, neither has there been a cost benefit analysis done. There is no project document as such.

To add to it, there are serious concerns about data and identity theft.

In a world where cyber terrorism is the new threat, and the countries are gearing themselves to protect against such a threat, projects like UID come as an open invitation to terrorist outfits to infiltrate their defences.

The UID number is linked to fingerprints and the patterns of the holder’s eye. But medical studies show that our eye's iris patterns can change due to aging, disease or malnourishment. More over the government has no alternative option for many millions who fall outside this pattern of identification owing to callused hands, corneal scars and cataract induced by malnourishment. Even as enrollment is poised to begin, authentication is still an unstudied field. Fake fingerprints can very easily be made. Hence, the unique element of these numbers can be tampered.

Recently, Sunil Abraham, Director, Centre for Internet and Society has remarked, “If I leave my fingerprints around, my identity can be stolen and transactions done on my behalf. They could use that number, to share information about anybody.”

A cyber-criminal having access to any person’s identification number can virtually control that person. Telephone numbers, addresses, family history can all be tracked down. Bank accounts can be manipulated and transactions done without the person knowing. Since these days, a lot of money transactions are done through internet, a cyber criminal can easily steal few UID numbers and impersonate those persons to manipulate the bank or credit card accounts.

In an even uglier scenario, where people might be tracked and judged by their numbers, a criminal’s fingerprints left behind on a scene of crime can be mixed with some one else through a slight manipulation and exchange of UID numbers, making an entirely innocent person a suspect in the eyes of law. Some incompetent or revengeful government officials can also frame innocents for a crime one never committed.

Human rights activists claim that a tech-savvy person can hack into the system and gain any person’s information from the servers unless the government tightens the defenses. A reminiscence of the Bruce Willis starrer Hollywood blockbuster Die Hard 4, a bunch of techno geeks operating from trailer truck hold the entire United States hostage as they hack into every main frame computing network from transportation, communication, power, defence and individual accounts.

The number can also be used for real time tracking, profiling, mounting surveillance and ‘convergence’ of information. Apart from the concerns about identity theft, the number can also invade our private space. If in the future insurance companies and hospitals merge their databases, the insurance companies can increase premium, or simply refuse insurance cover to a person who is not keeping well.

Poor labourers and immigrants who are on the move in search of work could also be the victims of the ‘Aadhaar’. In future, in case of card being lost or misplaced, poor labour would be threatened with financial and welfare exclusion. Where being a legal resident is to be closely tied in with having a UID number, it could render the poor vulnerable to exclusion and expulsion by exploitative employers and others.

Interestingly, few months back in June, UK government scrapped the plans for the controversial 5 billion pounds National Identity Card scheme. The UK government now plans to destroy all information held on the National Identity Register, effectively dismantling the whole system.

Though Mr Nilekani claims that UID would be a cost effective project, however deeper analysis throws a different story. It is reported that the UIDAI project will cost Rs 45,000 crores to the exchequer in the next 4 years. This does not seem to include the costs that will be incurred by Registrars, Enrollers, additional costs on the PDS system to connect it to the UID, the estimated cost to the end user and to the number holder.

Defending himself from the flurry of queries, Mr Nilekani has stressed that the identification number is not mandatory for everyone and only those interested can enroll. The project aims to first enroll the poor and uneducated masses promising them better wages and ration schemes. As was reported, the first villager to get the UID card was ‘happy but did not know its benefits’. Critics allege that the reason why Aadhaar is selling itself to millions of poor in the country is to create a foundation of legitimacy to deflect concerns over its possible misuse, unsafe technology and huge costs. Later, with a larger foundation, the UID can be enforced upon all citizens in the near future as the apex identity proof, making everyone vulnerable to several risks described above.

The UIDAI project has proceeded so far without any legal authorization. There has been no feasibility study or cost-benefit analysis preceding the setting up of such a pervasive project. All calculations are of the back-of-the envelope variety. Data theft is a very serious threat to every individual and the country as a whole. There are deeply disconcerting facts about the project that should make even a die-hard UID supporter worry about its long term implications.

This article has been written by Sushant Sharma. He is a college fresher and avid reader.

Interestingly, few months back in June, UK government scrapped the plans for the controversial 5 billion pounds National Identity Card scheme. The decision came after about 15,000 citizens had already been enrolled and given their numbers. The UK government now plans to destroy all information held on the National Identity Register, effectively dismantling the whole system.

The UK system like the Indian UID had also started with much fanfare, claiming to save nearly 900 million pounds for the taxpayers. While the project was axed, UK’s Home Secretary Theresa May stated - “It (the identity card project) is intrusive and bullying, ineffective and expensive. It is an assault on individual liberty that does not promise a great good.”

The same logic implies to the India as well. But instead of scraping this over-hyped-failure-in-the-making project, our Prime Minister claims the UID project “will empower all”. But will it actually? That is for us to decide now.

Read the original article here.

For more details visit https://cis-india.org/news/identity-crisis

Beyond Access as Inclusion

anja — 2011-08-02T07:29:03Z

On 13 September, the day before the fifth Internet Governance Forum opens, CIS is coorganising in Vilnius a meeting on Internet governance and human rights. One of the main aims of this meeting is to call attention to the crucial, yet in Internet governance often neglected, indivisibility of rights. In this blog post, Anja Kovacs uses this lens to illustrate how it can broaden as well reinvigorate our understanding of what remains one of the most pressing issues in Internet governance in developing countries to this day: that of access to the Internet.

One of the most attractive characteristics of the Internet – and perhaps also one of the most debated ones – is its empowering, democratising potential. In expositions in favour of access to the Internet for all, this potential certainly often plays a central role: as the Internet can help us to make our societies more open, more inclusive, and more democratic, everybody should be able to reap the fruits of this technology, it is argued. In other words, in debates on access to the Internet, most of us take as our starting point the desirability of such access, for the above reasons. But how justified is such a stance? Is an Internet-induced democratic transformation of our societies what is actually happening on the ground?

I would like to move away, in this blog post, from the more traditional approaches to the issue of access, where debates mostly veer towards issues of infrastructure (spectrum, backbones, last mile connectivity, …) or, under the banner of “diversity”, towards the needs of specific, disadvantaged communities (especially linguistic minorities and the disabled). To remind us more sharply of the issues at stake and of the wide range of human rights that need our active attention to make our dreams a reality, I would like to take a step back and to ask two fundamental questions regarding access: why might access be important? And what do we actually have access to?

Let me start, then, by exploring the first question: why, actually, is Internet access important? In his canonical work on the information age, and especially in the first volume on the rise of the network society, Manuel Castells (2000) has perhaps provided the most elaborate and erudite description of the ways in which new technologies are restructuring our societies and our lives. We are all all too familiar with the many and deep-seated ways in which the Internet changes the manner in which we learn, play, court, pay, do business, maintain relationships, dream, campaign. And yet, the exact nature of the divide created by the unequal distribution of technical infrastructure and access, despite being so very real, receives relatively little attention: this divide is not simply one of opportunities, it is crucially one of power. If in traditional Marxist analysis the problem was that the oppressed did not have access to the means of production, today, one could well argue, the problem is that they do not have access to the means of communication and information.

Indeed, the Internet is not something that is simply happening to us: there are people who are responsible for these new evolutions. And so it becomes important to ask: who is shaping the Internet? Who is creating this new world? Let us, by way of example, consider some figures relating to Internet use in India. So often hailed as the emerging IT superpower of the world, there are, by the end of 2009, according to official government figures, in this country of 1 billion 250 million people slightly more than 15 million Internet connections. Of these, only slightly more than half, or almost 8 million, are broadband connections – the rest are still dial-up ones (TRAI 2010). The number of Internet users is of course higher – one survey estimates that there are between 52 million and 71 million Internet users in urban areas, where the bulk of users is still located (IAMAI 2010). But while this is a considerable number, it remains a fraction of the population in a country so big. What these figures put in stark relief, then, is that the poor and marginalised are not so much excluded from the information society (in fact, many have to bear the consequences of new evolutions made possible by it in rather excruciating fashion), but rather, that they are fundamentally excluded from shaping the critical ways in which our societies are being transformed.

To have at least the possibility to access the Internet is, then, of central significance in this context for the possibility of participation it signals in the restructuring of our societies at the community, national and global level, and this in two ways: in the creation of visions of where our societies should be going, and in the actual shaping of the architecture of our societies in the information age.

If we agree that access attains great significance in this sense, then a second question poses itself, and that is: in practice, what exactly are we getting access to? This query should be of concern to all of us. With the increasing corporatisation of the Internet and the seemingly growing urges of governments on all continents to survey and control their citizens, new challenges are thrown up of how to nurture the growth of open, inclusive, democratic societies, that all of us are required to take an interest in.

Yet it is in the case of poor and marginalised people that the challenges are most pronounced. Efforts to include them in the information society are disproportionately legitimised on the basis of the contribution these can make to improving their livelihoods. Initiatives, often using mobile technology, that allow farmers to get immediate information about the market prices of the produce they are intending to sell, are perhaps the most well-known and oft-cited examples in this category. Other efforts aim to improve the information flow from the government to citizens: India has set up an ambitious network of Common Service Centres, for example, that aim to greatly facilitate the access of citizens to particular government services, such as obtaining birth or caste certificates – and going by first indications, this also seems to be succeeding in practice. Only rarely, however, do initiatives to “include” the poor in the information society address them as holistic beings who do not only have economic lives, but political, emotional, creative and intellectual existences as well. This is not to say that economic issues are not of importance. But by highlighting only this aspect of poor people's lives, we promote a highly impoverished understanding of their existences.

The focus on a limited aspect of the poor's identity - important as that aspect may be - has a function, however: it makes it possible to hide from view the extremely restrictive terms on which poor people are currently being integrated into the information society. Even initiatives such as the Common Service Centres are in fact based on a public-private-partnership model that explicitly aims to “align [..] social and commercial goals” (DIT 2006: 1), and in effect subordinates government service design to the requirements of the CSC business model (Singh 2008). The point is not simply that we need strong privacy and data protection policies in such a context – although we clearly do. There is a larger issue here, which is that efforts to include the poor in the information society, in the present circumstances, really seem to simply integrate them more closely into a capitalist system over which they have little control, or to submit them to ever greater levels of government and corporate surveillance. Their own capacity to give shape to the system in which they are “included”, despite the oft-heralded capacities of the Internet to allow greater democratic participation and to turn everybody into a producer and distributor, as well as a consumer, remains extremely limited.

Such tendencies have not gone unnoticed. For example, unlike in many other parts of the world, social movements in India fighting against dams, special economic zones or mining operations in forest areas - all initiatives that lead to large-scale displacement – have not embraced technology as enthusiastically as one might have expected. There are various reasons for this. Within Indian nationalism, there have always been strands deeply critical of technology, with Gandhi perhaps their most illustrious proponent. But for many activists, technology often also already comes with an ideological baggage: an application such as Twitter, for example, in so many of its aspects is clearly manufactured by others, for others, drawing on value sets that activists often in many ways are reluctant to embrace. And such connotations only gain greater validity because of the intimate connections that exist in India between the IT boom and neoliberalism: technology has great responsibility for many of the trends and practices these activists are fighting against. While the Internet might have made possible many new publics, most movements do not – as movements – recognise these publics as their own (Kovacs, forthcoming).

To some extent, these are of course questions of the extent of access that people are granted. But they also raise the important issue of the value structure of the Internet. Efforts at inclusion always take for granted a standard that is already set. But what if the needs and desires of the many billions that still need to be included are not served by the Internet as it exists? What if, for it to really work for them, they need to be able to make the Internet a different place than the one we know today? While it is obvious that different people will give different answers in different parts of the world, such debates are complicated tremendously by the fact that it is no longer sufficient to reach a national consensus on the issues under discussion, as was the case in earlier eras. The global nature of the Internet's infrastructure requires that the possibility of differing opinions, too, needs to be facilitated at the global level. What are the consequences of this for the development of democracy?

For access to the Internet to be substantively meaningful from a human rights perspective in the information age, it is crucial, then, that at a minimum, the openness of the Internet is ensured at all levels. Of course, openness can be considered a value in itself. But perhaps more importantly, at the moment, it is the only way in which the possibility of a variety of answers to the pressing question of what shape our societies should take in the information age can emerge. Open standards and the portability of data, for example, are crucial if societies are to continue to decide on the role corporations should play in their public life, rather than having corporations de facto rule the roost. Similarly, under no circumstances should anyone be cut off from the Internet, if people are to participate in the public life of the societies of which they are members. And these are not just concerns for developing countries: if recent incidents from France to Australia are anything to go by, new possibilities facilitated by the Internet have, at least at the level of governments, formed the impetus for a clear shift to the right of the political spectrum in many developed countries. In the developed world, too, the questions of access and what it allows for are thus issues that should concern all. In the information age, human rights will only be respected if such respect is already inscribed in the very architecture of its central infrastructure itself.

List of References

Castells, Manuel (2000). The Rise of the Network Society, 2^nd edition. Oxford: Blackwell.

Department of Information Technology (DIT) (2006). Guidelines for the Implementation of Common Services Centers (CSCs) Scheme in States. New Delhi: Department of Information Technology, Government of India.

Internet and Mobile Association of India (IAMAI) (2010). I-Cube 2009-2010: Internet in India. Mumbai: Internet and Mobile Association of India.

Kovacs, Anja (forthcoming). Inquilab 2.0? Reflections on Online Activism in India (working title). Bangalore: Centre for Internet and Society.

Singh, Parminder Jeet (2008). Recommendations for a Meaningful and Successful e-Governance in India. IT for Change Policy Brief, IT for Change, Bangalore.

Telecom Regulatory Auhority of India (TRAI) (2010). The Indian Telecom Services Performance Indicators, October-December 2009. New Delhi: Telecom Regulatory Auhority of India.

For more details visit https://cis-india.org/internet-governance/blog/beyond-access-as-inclusion

Privacy and the Indian Copyright Act

praskrishna — 2013-08-06T13:37:27Z

India's Copyright Act was established in 1957, and is in the process of being placed before the Parliament in 2010. The provisions in the proposed Bill will work to make the Act WIPO Copyright Treaty (WCT) compliant. When looking at privacy in the context of copyright four key questions arise, says Elonnai Hickock as she analyses privacy in the context of the Indian Copyright Act.

How do DRM technologies undermine privacy and what safeguards are present in the Indian law to protect citizens’ right to privacy?

Technologies such as digital rights management technologies were developed to be used by hardware manufacturers, publishers, copyright holders and individuals to control the mode of use of certain digital devices and contents. DRM technologies pose as a privacy threat, because in their ability to monitor what is happening to a copyrighted work, they are also able to collect personal information and send it back to a host without knowledge of the user. The host is then able to use that data for marketing or commercial purposes. In the Copyright Act, 1957 there are no current provisions against DRM circumvention. In the proposed Copyright Bill 2010 there are two proposed provisions: to prevent anti circumvention of DRM technologies and one provision that clarifies what is a DRM technology.

Proposed Legislation

Section 2 (xa): Defines Rights Management Information – it is important to note that within the definition of RMI the provision specifically excludes any device or procedure intended to identify the user from the definition.

Section 65A (1) : Protection of Technological Measures - Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine includes that any person facilitating circumvention by another person of a technological measure, shall maintain a complete record of such other persons including his name, address and all relevant particulars necessary to identify him.

Section 65B: Protection of Rights Management Information – Any person who removes, or distributes, copies, or broadcasts any rights management information without authority shall be by punishable with imprisonment.

Recommendation: We find, not just exclusively to the Copyright Act, but that in all Indian legislation the privacy of an individual is brought into question, because there are no safeguards against the commercialization of information, and no formal process of redress if an individual discovers that his information is being used without his consent/prior knowledge. We would recommend that (perhaps appropriately in legislation on data protection) a provision be included to clearly articulate that the collection and commercialization of information and personal data is prohibited by DRM technologies and host companies, and a method of redress be put in place.

Under the copyright, does a person have the ability to expose privacy infringement?

Because DRM technologies have the ability to collect user information, which could potentially be done through the use of spyware, it is important that an individual has the ability to know if and when their information is being collected. To do this an individual can discover the technological principles of a device, object, or system through a process known as reverse engineering. Currently reverse engineering is permitted under provision 52 (ac). It is further supported by provision 65A (2) (f).

Current Legislation

Provision 52 (ac): Certain acts not to be in infringement of copyright include: the observation, study or test of functioning of the computer programs in order to determine the ideas and principles which underlie any elements of the program while performing such acts necessary for the functions for which the computer program was supplied. The following acts shall not constitute an infringement of copyright, namely:
65A (2) (f): Nothing in sub-section (1) shall prevent any person from, doing anything necessary to circumvent technological measures intended for identification or surveillance of a user.

Recommendation: We have no recommendation, but see this as a positive provision.

How does the proposed exception for the disabled undermine privacy?

In India under the current Copyright Act, 1957 there are no provisions for the benefit of disabled persons, thus currently permission from copyright holders needs to be exclusively sought every time the visually challenged person requires access. Under the Constitution of India and the Bernes Convention, India has committed to enshrining the rights of the disabled.

Proposed Legislation

Section 31B: will grant compulsory license in respect of publication of any copyrighted works not covered by the exception under section 52 (1) (zb). For this a registered intermediary organization that is recognized under The Persons with Disability Act shall apply to the Copyright Board for approval. The board will evaluate the applicant and application, and grant permission if it sees fit. The intermediary will then be responsible for monitoring the usage of the copyrighted work to ensure that copyright law is not violated.

Recommendation: Though currently the Indian legislation does not threaten the privacy of the disabled, we find it concerning that under the WIPO copyright treaty – the anonymity of the disabled would be compromised.

What is On the Horizon?

As copyright and IP is a constantly evolving issue, countries are consistently amending and changing their laws. With the flow of peoples across borders increasing, Indians will be affected by different international policies that could pose to infringe upon their privacy, for example cross-border checks or three strike regimes, which will punish a person if caught infringing copyright three times. For example: France has proposed cutting off Internet to those caught infringing on copyright three times.

Examples of Proposed Legislation: The Anti-Counterfeiting Trade Agreement:

ACTA is a proposed legislation. Its objective is to combat counterfeiting and piracy. Partners in the negotiations include: The United States, Australia, Canada, the European Union, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, and Switzerland. The treaty will oblige each contracting party to adopt, in accordance with its legal system, the measures necessary to ensure the application of the treaty. Though ACTA has not been enacted, many worry that ACTA would facilitate privacy violations by trademark and copyright holders against private citizens suspected of infringement activities without any sort of legal due process. The Act could allow for random searches of laptops, MP3 players, and cellular phones for illegally downloaded or ripped music and movies.

Recommendation: We find that copyright infringement does not appear to justify cross border searches or other forms of regulating. ACTA and other international treaties raise the question that if India became compliant with certain international standards, would the standards would be too stringent without safeguards, and pose as a risk to a person’s privacy.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

RIM Offered Security Fixes

praskrishna — 2011-04-02T10:24:12Z

In India Talks, BlackBerry Maker Said It Could Share Metadata, Notes Show

Research In Motion Ltd. has offered information and tools to help India conduct surveillance of wireless email and messaging services on RIM's popular BlackBerry, say people familiar with the negotiations, illuminating RIM's dealings as it seeks to balance sovereign security concerns with its customers' privacy.

In a series of discussions that intensified this summer, RIM offered to provide crucial information that would help the Indian government track down messages sent via the company's popular and encrypted corporate email service, according to those familiar with the confidential talks and to minutes of meetings reviewed by The Wall Street Journal.

In a July 26 meeting, RIM representatives told Indian officials "they have a setup to help the security agencies in tracking the messages in which security agencies are interested," according to an Indian government summary of the meeting.

The Waterloo, Ontario, company has become an industry leader in part on the strength of a secure technology that offers information privacy to customers. But as RIM seeks to expand, it is grappling with how its promise of user confidentiality is encountering resistance from governments around the globe.

RIM's challenge, along with Google Inc.'s face-off with China over censorship issues, illustrates the growing tensions between Western technology giants, who seek to woo millions of emerging-market consumers with increasingly sophisticated technology, and governments that are trying to maintain security in the face of it.

The stakes are high in India, the world's No. 2 wireless market, behind China, with 635 million subscribers. Emerging economies are vital to RIM as its smartphones face competition in North America from Apple Inc.'s iPhone and devices that run on Google's Android software. RIM's new international subscribers for the first time outnumbered new North American subscribers in the quarter that ended Feb. 27, according to brokerage GMP Securities.

Discussions between RIM and India took a public turn Thursday when India's government threatened to block some BlackBerry services from the country's telecommunications networks unless the services could be opened to surveillance by Aug. 31. On Friday, an Indian government official said RIM had assured India it would meet the deadline.

A spokesman for RIM in India declined to comment on negotiations with India. Sachin Pilot, India's Minister of State for Communications and Information Technology said Friday there are promising signs that the company is willing to cooperate, but there's no deal "until I have something in writing."

RIM has come under scrutiny in recent months amid contentious negotiations with countries including the United Arab Emirates and Saudi Arabia, which have also sought to monitor BlackBerry services for threats to national security.

A person familiar with the negotiations in the U.A.E. said officials in the region believed RIM had been holding back from them technological solutions that had been offered to Western governments, specifically in regards to BlackBerry Messenger.

RIM declines to discuss its negotiations with governments and didn't comment on negotiations in India and other countries.

In a statement issued Thursday, RIM outlined its guidelines for how far it is willing to go in helping carriers meet surveillance needs. RIM said it will only help carriers meet strict national-security rules, won't provide more access than its competitors already do and won't alter the security architecture of its corporate email servers in response to government needs.

"RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries," the statement said.

Governments are pressuring RIM to comply with their demands for information in part because unlike other smartphone vendors, it operates its own network of servers, the biggest of which is in Canada, outside their monitoring reach and jurisdiction.

That contrasts with devices such as the iPhone, which don't operate their own email services. Governments generally have laws that allow them to monitor traffic on mobile and computer networks operating within their own countries.

Talks between RIM and various countries have centered mostly on data routed through the company's system for corporate emails, BlackBerry Enterprise Server, and its instant-messaging service, BlackBerry Messenger, whose high levels of encryption can prevent government monitors from deciphering content or determining sender or recipient. RIM has said that even it can't decrypt BlackBerry corporate emails.

India's security services argue they need access to selected emails to ward off criminal and terrorist threats. "In terms of our issues of national security, any responsible government would not want to compromise," said Mr. Pilot, the communications minister. "I don't think what we are asking is out of the ordinary vis-à-vis other countries."

Security and technology experts say each country has different surveillance needs, technology infrastructures and laws governing how security forces and police can access data. It is generally Internet service providers and telecommunications carriers that must implement the country's monitoring regime, and the kinds of help RIM gives carriers in doing that varies with each nation, says a person familiar with RIM's operations.

According to minutes taken by the Indian side, the parties discussed whether RIM could provide "metadata" from encrypted corporate emails—information such as the email's sender and recipient and the time sent. "After some persuasion, the [RIM] representative agreed that they can provide the metadata of the message," according to an Indian summary of one discussion.

Cyber-security experts say such metadata would give government intelligence services important leads to locate BlackBerry traffic on corporate email servers, where messages are in decrypted form. It wasn't clear under what circumstances RIM would agree to divulge such information.

In the meetings, RIM also promised to develop tools to help Indian authorities tap into third-party Internet chat services, such as Google's Gmail, that run on its handsets, according to the meeting minutes. It isn't clear whether or how RIM has proposed to help security officials decode BlackBerry Messenger.

RIM also appears to have put itself in a role of educating Indian officials over the operation of its network and on network security in general, suggesting to officials that emails that aren't subject to heavy corporate encryption can be viewed with assistance from local carriers.

Governments that have been reviewing their data-access arrangements with RIM have been sharing information with each other, said an official in the region with knowledge of the Indian negotiations.

The U.A.E. and Saudi Arabia, the Middle East's largest economies, upped their ante with RIM weeks before India did. Both countries have been negotiating with RIM for the same kinds of access to data that India wants, but people familiar with talks in the Gulf countries say they have been acrimonious.

Government officials say RIM has taken a condescending attitude to developing countries' security demands, and say they believe the company was holding out on solutions to access information, such as on BlackBerry Messenger, that had been offered to other countries.

"They refuse to listen to us," said a person familiar with the negotiations. "It's like we aren't speaking the same language."

Anger boiled over last month with the U.A.E. announcing a ban on BlackBerry email, Internet and instant-messaging services from Oct. 11, citing a lack of progress in more than three years of negotiations. Saudi Arabia followed with a threatened ban on BlackBerry Messenger.

Tensions were fueled when RIM co-CEO Michael Lazaridis said in an interview earlier this month with The Wall Street Journal that many of the nations the company deals with aren't tech-savvy and don't understand the Internet. "We work with these countries to educate them," he said.

Negotiations between the U.A.E. and RIM are ongoing. The government says it remains optimistic of a solution. In Saudi Arabia, telecommunications regulators announced earlier this week that RIM had offered them a technical fix that would let them access data from BlackBerry Messenger.

In RIM's home country of Canada, the U.S. and other countries, police and security agents typically must get a court order to gain access to things like the content of emails.

India's regulations in this area are murky. An 1885 law that has been updated over the years allows the government to intercept Internet traffic "on the occurrence of any public emergency." A 2008 law gives bureaucrats in various agencies the authority to order monitoring of any entity's Web traffic, though the matter can be challenged in court.

It remains unclear whether RIM's promise to provide metadata to corporate messages will be enough to satisfy India's concerns. A more drastic solution, says Sunil Abraham of the Bangalore-based Center for Internet and Society, would be for the government to require RIM to build a BlackBerry data center within India—something that could cost tens of millions of dollars, people familiar with the matter say—and then classify the company as an Indian Internet service provider.

Such a move would put India on stronger legal footing, analysts say, to demand data from RIM as well as companies whose employees use BlackBerrys. Under such a scenario, "the government would be allowed to get a room inside RIM and install whatever machines they want to monitor that traffic," Mr. Abraham said.

It wasn't clear from the government documents summarizing the meetings between RIM and the government whether such an option is being considered. The company would vehemently oppose such a classification, people familiar with the situation say. In the U.A.E, RIM has balked at the government's request that it set up a local data center, people familiar with those negotiations said.

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/rim-offered-security-fixes

Does the Government want to enter our homes?

sunil — 2012-03-21T10:12:40Z

When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.

The priveleged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information.

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.

This is legalised through ISP licence agreements, which requires ISPs to provide monitoring equipment that can be used to by various law enforcement and intelligence agencies. There is no clear policy on data-retention policies.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they they retain it for posterity for market research?

In the absence of a privacy law — the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.

She would use the same key as I did to unencrypt the machine, ie, substituting the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination —just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.

How does Blackberry encrypt differently?
Other smart phone providers like IPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments are able to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example Blackberry has now ‘resolved’ security probwith Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

For more details visit https://cis-india.org/internet-governance/blog/government-enter-homes

UID Project in India - Some Possible Ramifications

Liliyan — 2012-03-21T10:13:27Z

Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.

Researchers at CIS have been grappling with the UID project from research, advocacy, and legal standpoints though all approach it from their own perspective and opinions are rarely duplicated. In an attempt to make their expert opinions more accessible to readers, a series of blog posts, this being the first, will be put up. These posts will not, and cannot because of its length and format, try to address all the possible issues the UID poses. However, they will present the bare bones of the arguments and research questions that the independent voices at CIS see as crucial. These posts will also ask many more questions than they answer, in an attempt to spur further dialogue about the UID project.

Central to understanding the nature of the UID project and its possible ramifications is the idea that technology is not merely a tool to be used by an unchanging, monolithic state. In fact, its very adoption can create ripple effects throughout the apparatus of the state. When the state adoptsa mainstream and ubiquitous technology, the structure of the government and methods of governance change. These changes are not always so dramatic as to be immediately noticeable without some informed inspection, but if one considers the way the state and the citizen interact the significance of these changes becomes starkly apparent. Can we trust the government to use touch screen voting machines like the ones we see every day at the bank? Do government surveillance cameras make us safer or introduce worrisome intrusion into our privacy, or both? Technology is not as neutral as it appears. That is not to say that it is inherently good or bad, but that it is not inert, it is transformative in nature.

The nation state as we know it is built on the printed word, or at least analogue technology. The ways in which we codify, distribute, and assimilate information have, for centuries, been dominated by the printing press. With the introduction of “database governance” there will inevitably be a shift, and a radical one at that. The Indian government has announced its intention to move towards “SMART” (simple, moral, accountable, responsive and transparent) governance, and this implies both an acceptance of the neo-liberal philosophy of government and techno-governance. To achieve a new level of transparency, accountability, and responsiveness, the move towards e-governance could be a major turning point, but how does this shift complicate and change the citizen-state relationship in India? How does this change shift the relationship of India with the rest of the international community?

The UID and Shifts in the Citizen-State Relationship

One way that the citizen-state relationship will change with the shift towards techno-governance, specifically in regard to the UID project, is that the UID posits the state as both the safe-keeper and arbiter of identity. Proponents of the UID project are adamant that it is a voluntary program, but even the UID website states that “in time, certain service providers may require a person to have a UID to deliver services”. As the UID becomes increasingly ubiquitous, could not having a number mean being cut off from some or many of the basic privileges of citizenship if one's identity is becoming more difficult to verify? If having a UID number is the most prominent marker of identity, then it is through state definition, arbitration and upon the state's technical capacity that all will rely.

Moreover, how do we begin to address the privacy issues raised by technological advances in relation to non-changing legal structures? What does it mean to capture all this identity data without introducing a new privacy legislation to protect the citizen? Without new legal accommodation, otherwise benign processes like a statistical census can become a potent tool in a shift towards a police state. As state apparatus's shift, there must be some paradigmatic shift in law to accompany these new technologies and government roles.

If the state transforms through the integration of e-governance forms, then there will inevitably be a recalibration of the relationship between the state, the market, and the citizen. Traditionally the separation of these entities creates arbitration and within a development paradigm there is dynamic, active triangulation. One way we can see this triangulation is through government intervention in markets on behalf of the citizen. There are certain spaces of consumption, for example, such as a cinema where state intervention against discrimination creates a marker for citizenship. That is, because I am able to access a cinema without discrimination, as one of my constitutional rights, this demonstrates my citizenship. However, with the introduction of public- private partnerships, or PPPs, the fact of having multiple stake-holders of political economy allows for the state to disinvest in the production and delivery of certain public services. Satisfying the needs of the citizen for services like sanitation, public education, delivery of power and clean water, maintenance of infrastructure like roads and bridges, can be handed over to corporate entities. The Indian government has enthusiastically embraced PPPs as a way to bring needed capital to the infrastructure demands that accompany their economic growth goals. However, how does this kind of task delegation affect transparency and accountability? If the state decides to stop producing or supplying a good or service, and instead turns this over to a corporation, can the mechanisms for state oversight realistically be trusted to make sure quality and accountability are not adversely affected and rectify the situation if they are? Where does the citizen come into all of this, in terms of what they stand to gain and lose?

The Definition of Citizenship and the UID

As the state and the market enters into new relationships the definition of citizenship changes. If the citizen is seen as the intended beneficiary of state programs, this new relationship between state and market begs the question “Who is subject to (or the subject of) the state?” When the corporate sphere creates micro-financing that helps farmers, they may help the people at the bottom of the economic pyramid manage their debt, but does it necessarily address the problems that created the debt in the first place? How does the market mediate the citizen-state dialogue? As the state and the market enter into new relationships there is a recalibration of the citizen-government relationship. Do market demands for an e-literate consumer put pressure on the state to create one where one did not exist before, and if so, can this not have profound implications for the definition of citizenship?

Part of the movement towards e-governance is signalled by the fact that there has been a shift away from state-sponsored literacy campaigns to e-literacy programs. Does this use of information and communications technology for development (or ITC4D) alienate significant portions of the population? Can such programs in fact widen the digital divide? With the introduction of e-governance the state asks the citizen to participate in governance by creating new avenues for civic participation, such as providing databases of information pertaining to the state that is freely accessible for analysis and manipulation by anyone with the skills to do so. But, if this makes it impossible for some portions of the citizenry to communicate effectively with the state, does this run the risk of making certain, traditional forms of citizenship redundant? How are people with low literacy and little or no access to the necessary technologies supposed to communicate with this new high-tech bureaucracy? Will those who cannot navigate the new systems be inadvertently relegated to second-class status?

This is of particular concern when thinking about the UID project. To properly manage and distribute social services, ID management in some form is crucial. However, when trying to make sure services are properly delivered to the uneducated poor the danger for digital-analogue slippage that is not in their favour increases, and accountability is not necessarily adequately addressed. For example, if I am an illiterate farmer entitled to a certain ration and the person conducting the transaction decides to defraud me, they can easily ask me to authenticate my biometrics, make it appear that they have been simply checking my identity when they have actually fooled me into authenticating the “completed” transaction and simply tell me the computer says, I've already received my share, that I'm only entitled to half of the normal amount, or some other such lie. In this scenario, how would I know this person wasn't telling me the truth? If they lie using a simple ledger, I can take the ledger itself or a copy of it to a literate friend and have them help me navigate the situation. I can seek redress and substantiate my claims more easily if I am not alienated by the technologies being used. Technologies can be empowering or dis-empowering depending on their application. How then, do we balance the demands of the market and the duties of the state against the rights of the citizen? Or rather, how do we apply technology in such a way that the demands of the market and the duties of the state mutually balance each other?

Centralization and Cost-effectiveness of the UID

While ID management is indisputably important, it does not require a centralized database. In the US there are multiple pieces of information, stored in separate databases that can be used to authenticate a transaction. No one can open a bank account with just a social security insurance number. You also need a separate form of ID, often two, that can be used to verify identity. In this way, the SSI number is a bit like a “username” and the other forms of ID, driver's license or passport, function like a corresponding “password”. With the UID project, however, the “username” (the number itself) and the “password” (the number holder's biometrics) are stored in the same place. Thereby, should the database be in some way compromised, all the information needed to verify and complete transactions would be available. If storing this information in a central database is really a good idea, then one must also accept the premise that merging all existing email servers into one monolithic server is also a good idea. Furthermore, centralization is not only more dangerous, it is totally unnecessary. Trillions of dollars worth of trade take place every year using PIN numbers issued by banks and verified without the verifying data being centralized. Having a standard for decentralized ID verification, rather than a centralized database would solve ID problems without creating a database that would be vulnerable to attack.

There are lots of examples of governments implementing costly safety measures that don't actually make anyone safer. Take for example the cameras put up all over London to monitor the movements of people. Unfortunately, something as low-tech as a hooded sweatshirt can thwart these attempts at surveillance. Moreover, if I am a criminal, I am going to make it a priority to know where the cameras are so that I can strategically avoid them. Another example is the millions of dollar the U.S. government spent on putting an armed Federal Air Marshal on every flight, post 9/11. While traditional intelligence gather has thwarted other attempted attacks since 9/11, Air Marshals have not been responsible for stopping any. Simply because the UID project is more technologically advanced does not make it more effective. It seems to greatly increase the risk of fraud that there can be so many separate biometrics machines scattered in different places to verify so many transactions. Having the machines sequestered in private businesses where they will not be constantly monitored or regulated seems to be both costly and easily subject to tampering. It seems to make more sense to have, say, one central, monitored machine per so many people that could be used to settle identity disputes when they arise rather than making the technology a part of every transaction.

Infallibility and Circumvention of the UID

The UID is not infallible and circumvention will certainly be a problem with the project. We find an analogy in the field of digital rights management. If I copy an mp3 without permission or payment, that is illegal. Digital rights management law was introduced to stop this practice, but it was circumvented. This legislation has not stopped the first crime. It has merely created a second, that of circumventing the law. The UID, in so far as it may be used to try to stop the crime of illegally siphoning resources such as, for example, grain intended to go to the poor, cannot stop people from circumventing the system. Circumventing the UID will be a crime. If doing so were truly impossible there would be no need to criminalize it. So, instead of preventing the initial crime of siphoning may not prevent the first crime, while introducing another.

There are basically two possible types of circumvention that are possible, though they might present themselves in various different forms. “Type A” or “the Mission Impossible” kind of fraud might involve fake thumb prints and contact lenses being worn by someone trying to fool the person conducting the biometric authentication. “Type B” occurs when the person operating the biometrics machine is working to defraud the system, most likely with one or many accomplices.

“Type A” involves one dishonest person, who is trying to access someone else's account or a ghost account, and there are various proposed methods to prevent against this type of fraud. To prevent against people using fake thumb prints, the biometrics machines will measure the heat of the thumb as well as the image of the thumb. With the iris scan, there will be a pulse of light to cause contraction in the iris so that a contact lens, which cannot adjust for light, can be detected. All of this will drastically raise the price of the machines in question. It is hard to imagine farmers and labourers defrauding the system with elaborate biometric defrauding devices, so these expensive machines are much more appropriate for monitoring the top of the economic pyramid, who steal in larger sums and have more sophisticated technology at their disposal.

“Type B” involves dishonesty either by the person in control of the biometric authentication, or both that person and others. This seems to be a much more likely and problematic scenario. Right now, bank accounts that are not connected to a name are regularly created so that people can cheat the tax man. Since the bank profits from these accounts, it's in the bank's interest to help people set up such accounts. Ghost ID numbers, and things like bank accounts that are connected to them, can still be produced with biometrics. How is this possible? Well, to make it possible for so many biometric authentications to happen every day, the whole set of ten finger prints won't be sent. That would be way too much data. So, instead of overwhelming the channels, only one thumb print will be sent. Even that many thumb prints would be an information overload, so each thumb print's image will be reduced to a set of 30 data points that will be compared against the original scans. So, where is there a possibility for fraud? When the scan of the finger is taken, and image is rendered. If someone wants to create a ghost ID they only have to manipulate this image, like with a Photoshop filter, and alter the data points. Once I've created a set of biometric markers that doesn't connect to anyone, I can conduct transactions for a ghost. One can easily imagine a market emerging for ghost IDs. People might start trying to pay foreign tourists for their biometric information, which could be sold to a local office. There are certain settings where biometrics works well, for example, at an airport. There, everything is under constant video surveillance. If someone were to tamper with or try to replace the machinery it would be quickly noticed by the cameras. Even if it weren't, different people would routinely be operating the same machine and this would be an added safe guard against fraud. However, at a bank, or any place where the machines used for verification are operated behind closed doors it is quite likely that the technology will be abused. This abuse could easily go unnoticed, because the draft UID bill has proposed strict accountability measures for the Authority, and has conveniently overlooked extending these to collecting and enrolling agencies.

Digital/Analogue Slippage

There is always the possibility of digital/analogue slippage or, more simply put, the computer records not reflecting what actually happened even if no fake identity was used. This happens all the time in IT buildings in the form of tailgating. Four people go out to lunch together and as they re-enter the building they're supposed to each swipe their ID card individually. It is easier and faster for one person to swipe for everyone so, despite signs discouraging this behaviour, this is a common occurrence. If you were to try to analyse the data collected after a day of such comings and goings it would be indecipherable.

I can also authenticate my biometrics, in order to authorize a transaction, without the transaction actually being complete. Let's say I'm a poor farmer entitled to a ration of 10 kilos of grain. The person who is supposed to give me the grain is not an honest person and insists that I authenticate the transaction before he or she gives me my ration. I do what I'm told but only receive 5 kilos. The computer record shows that I have gotten my full ration, so I have no grounds to contest. In this scenario, more complex technology does not necessarily mean greater accountability. Furthermore, even if I am illiterate, if there is a simple ledger that has recorded the transaction, I can physically take the ledger or a copy of it and show it to some literate person willing to help me. If the only record of the transaction is in a database that I can't access or can't understand it will be even more difficult for me to seek help. Moreover, if I don't understand the technology and the shop owner decides not to give me the grain at all they can simply say “Oh, I'm sorry, your account has been denied” or “The computer says you've already been given your ration” and I have little chance of successfully negotiating that situation. Built in to this example is the disadvantage that the illiterate and the computer illiterate face when dealing with this technology but, this is not necessarily always present in cases where digital/analogue slippage causes confusion or complication.

Commonly, things are bought by or registered to one person and used by another. For example, in a small office building, all the phone lines and computers may have been bought in the name of one person. Each office worker will not buy their own computer or equipment, but instead the computers will be bought in the name of the person who runs the organization or an administrator with financial authority. If someone in the office uses their computer to make a bomb or store child pornography, who is accountable? This is the problem when there is digital/analogue slippage. There is the digital record of events and then things as they really are, which are not always identical, and there is no accountability or safeguard against mistake. In the context of the UID, the possibility of such slippage is too high, and will work against the goal of delivering benefits to the poor instead of facilitating it.

For more details visit https://cis-india.org/internet-governance/blog/uid-in-india

Govt and BlackBerry firm wait for the other to hang up

praskrishna — 2011-04-02T10:46:54Z

Sunil Abraham speaks to Archna Shukla on the stand-off between the Government of India and RIM. The news was published in expressindia.com.

What is the current stand-off between the government and RIM all about?

The current logjam is with regards to BlackBerry messenger, email and web traffic. Around two years ago, the government had asked BlackBerry to allow it to monitor the text messages (SMSes) and phone calls exchanged through its platform. The government has since then been monitoring these services with the help of telecom service providers. It, however, still doesn’t have any means to monitor, intercept or decrypt BlackBerry’s messenger, email and web exchanges. The government wants to put in place a surveillance infrastructure to monitor these services and is asking BlackBerry to cooperate.

What is unique about BlackBerry services? Why doesn’t the government have a similar problem with Nokia or Apple?

Companies such as Apple do not provide email and messenger services in India. They only sell their handsets in the country. Nokia recently started providing such services under the Nokia Messaging Services Platform. The service, which includes enterprise solutions, consumer services and Nokia’s own messaging solution Ovi mail, is still in beta format. Nokia’s India spokesperson said the company will set up servers for its various services inside India whenever it kickstarts the functions in a full fledged manner.

Canadian firm Research in Motion (RIM), makers of BlackBerry, on the other hand, provides all these services alongside selling its handsets. It also manages all its data and traffic on its own without giving the access to anybody. The servers for these services are installed outside India. The government is concerned that keeping servers outside the country will give access to foreign authorities to monitor its local traffic and information. In the US, for instance, this kind of monitoring will be possible under the provisions of the Patriot Act.

Is BlackBerry the only one to use strong encryptions?

The use of strong encryption in information technology is prevalent in both the wireless industry and Internet platforms. BlackBerry, however, uses a superior encryption that is highly reliable and secure and it owes its popularity in the world markets to this feature mainly. According to Sunil Abraham, the Executive Director of Bangalore-based advocacy group Centre for Internet and Society, BlackBerry uses strong encryption with 256 bit keys. In comparison, gmail.com and Citibank.co.in use only 128 bit keys.

“If you have encryption on while visiting citibank.com or when using an offline mail client like MS Outlook Express, the government can identify the encrypted service that you are using and the recipient of your encrypted messages. Then they can launch a targeted brute-force attack to intercept and decrypt specific communications,” he says, adding that with the BlackBerry, the government can only see that you are having an encrypted transaction with the BlackBerry servers. They cannot identify the recipients and web services. This makes the brute-force attack difficult as a lot of time is spent decrypting unimportant messages.

What is the problem that RIM is facing in UAE and Saudi Arabia?

In UAE, it is facing the same problem as in India. In Saudi Arabia, BlackBerry will instal computer servers, which would allow the government some access to user’s data.

Can the Indian government and RIM meet half-way?

Unlikely. Though, as per PTI reports,

BlackBerry has made an attempt to break the logjam by offering metadata and relevant information to security agencies which will enable them in lawful interception, it has has failed to enthuse them. At a meeting between government officials and RIM, company’s representatives said that “they can provide the metadata of the message like the Internet Protocol address of BES and PIN and International Mobile Equipment Identity of the BlackBerry mobile”, sources said. Metadata is loosely defined as data about data. It provides information about a certain item’s content like how large the picture is, the colour depth, the image resolution when the image was created, and other data. A text document’s metadata may contain information about how long the document is, who the author is, when the document was written, and a short summary of the document. However, sources said the RIM, which has nearly one million subscribers across India, failed to enthuse the security agencies who want an uninterrupted access to the messaging services on BlackBerry platform. The security agencies apprehend that BlackBerry services in the present format pose a serious security threat.

The government may argue that if surveillance is allowed in some countries, it should have the same access, too.

So far, RIM’s public stand has been that its security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while providing them with the necessary confidence that no one, including RIM, could access their data.

Abraham of the Centre for Internet and Society says there is a possibility of a compromise behind the doors and the citizens may never get to know that a surveillance regime and infrastructure have been put in place to monitor their communications.

Click to read the original.

For more details visit https://cis-india.org/news/govt-and-blackberry

Civil Liberties and the amended Information Technology Act, 2000

Malavika Jayaram — 2012-03-21T10:13:53Z

This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most importantly is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and provide a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),
apply equally to data stored offline and manually as to data stored on computer systems,
distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),
impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
give clear guidelines on the purposes for which that data can be put to and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,
ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication)
impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the hear and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, does not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause a great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption in (section 69) are that:

there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,
these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

injury to decency,
injury to morality,
injury in relation to contempt of court, and
injury in relation to defamation.

This would almost be laughable if these grounds were not enacted unto law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious case, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

For more details visit https://cis-india.org/internet-governance/blog/information-technology-act

The power of the next click...

nishant — 2012-03-13T10:43:41Z

P2P cameras and microphones hooked up to form a network of people who don't know each other, and probably don't care; a series of people in different states of undress, peering at the each other, hands poised on the 'Next' button to search for something more. Chatroulette, the next big fad on the internet, is here in a grand way, making vouyers out of us all. This post examines the aesthetics, politics and potentials of this wonderful platform beyond the surface hype of penises and pornography that surrounds this platform.

In his futuristic novel 1984, George Orwell conceived of a Big Brother who watches us all the time, tracking every move we make, every step we take, and reminding us that we are being watched. The Internet has often been seen as the embodiment of this fiction. There are many who unplug computers, look over surreptitious shoulders and wear tin-foil hats so that their movements cannot be traced. While this caricatured picture might seem absurd to funny, there is no denying the fact that we are being stalked by technologies. As our world gets more connected and our dependence on digital and internet objects grow, we are giving out more and more of our private and personal information for an easy trade-off with convenience and practicality.

As a reply to the question “Who watches the watchman?” several Internet theorists had suggested as a reply, a model where everybody looking at everybody else so that there is no one person who has exclusive powers of seeing without being seen. In this utopian state, people would be looking at each other (thus keeping a check on actions), looking after each other (forming virtual care networks) and looking for each other (building social networks with familiar strangers). After about 20 years of the first emergence of this discussion vis-à-vis the World Wide Web , comes an internet platform that produces a strange universe of people looking at.for.after each other in a condition of extreme vouyerism, performance, exhibitionism, surveillance and playfulness. It is a website that the Digital Natives are flocking to because it changes the way they look at each other. Literally.

Chatroulette! is a new MMORPG (Massively Multiple Online Role Playing Game) that uses a Peer-2-Peer network to constantly pair random people using their web cams, to look at each other. You start a Game and you begin a series of ‘lookings’ as people look back at you. Connect, cruise, watch, interact, boot – that is the anatomy of a Chatroullete! game. If you like what you see, you can linger a while or begin a conversation, or just ‘boot’ your ‘partner’ and get connected to somebody else in the almost infinite network. In the process you come across the unexpected, unpredictable and the uncanny. In the last one month of betting my time on Chatroullete!, I have seen it all and then some more – masturbating teenagers, strip teasing men and women, animals (including a very handsome tortoise) staring back at me, groups of friends eating dehydrated noodles and giggling, partners in sexual intercourse, graphic images of human gentilia, clever advertisements, pictures, art, musicians performing, dancers dancing, conference delegates staring bemusedly at a screen, ... the list is endless and probably exhausting. A growing community of users now dwell on Chatroulette! to connect in this new way that is part speed dating, part networking, part performance, part voyeurism.

The verdict on the blogosphere is still not in whether this is a new fad or something more long-lasting. Irrespective of its longevity, what Chatroullete! has done is show us a new universe of social interaction that Digital Natives around the world find appealing. The possibilities of cultural exchange, collaborative working, love, longing and learning that emerge around Chatroullete! are astounding. For Digital Natives the appeal of Chatroullete! is in forging viral and temporary networks which defy the Facebook way of creating sustained communities of interaction. This is the defining moment of virtual interaction and online networking –A model that is no longer trying to simulate ‘Real Life’ conditions online by forming permanent networks of ‘people like us’. Chatroulette! marks the beginning of a new way of spreading the message to completely random strangers, enticing them into thought, exchange and mobilisation through the world of gaming. The potentials for drawing in thousands of unexpected people into your own political cause are astounding. It might be all cute cats and sexual performance now, but it is only a matter of time when Digital Natives start exploring the possibility of using Chatroulette! to mobilise resources for dealing with crises in their personal and public environments. The wheel has been spun. We now wait to see where the ball lands.

For more details visit https://cis-india.org/digital-natives/blog/chatroulette