Centre for Internet and Society

Surat’s Massive Surveillance Network Should Cause Concern, Not Celebration

joe — 2014-09-06T03:05:13Z

The blog post examines the surveillance network of Surat, a city in Gujarat state in India.

The Surveillance System

Surat, a city in the state of Gujarat, has recently unveiled a comprehensive closed-circuit camera surveillance system that spans almost the entire city. This makes Surat the first Indian city to have a modern, real-time CCTV system, with eye-tracking software and night vision cameras, along with intense data analysis capabilities that older systems lack.

Similar systems are planned for cities across India, from Delhi to Punjab, even those that already have older CCTV programs in place. Phase I of the system, which is currently completed, consists of 104 CCTV cameras installed at 23 locations and a 280 square foot video wall at the police control room. The video wall is one of the largest in the country, according to the Times of India.

Narendra Modi, then the Gujarat chief minister, launched the project in January 2013, though the project was original conceptualized by police commissioner Rakesh Asthana, who has cited the CCTV system in Scotland Yard as his inspiration.

Phase II of the surveillance project will involve the installation of 550 cameras at 282 locations, and in the future, police plan to install over 5000 cameras across the city. Though other security systems, like those in Delhi, rely on lines from the state owned service provider MTNL, with limited bandwidth for their CCTV network, the Surat system has its own dedicated cables.

The security system was financed by a unique Public-Private Partnership (PPP) model, where a coalition of businesses, including many manufacturing units and representatives of Surat’s textile industry want to prevent crime. The many jewelers in the city also hoped it would limit thefts. In the model, businesses interested in joining the coalition contribute Rs 25 lakh as a one-time fee and the combined fees along with some public financing go to construct the city-wide system. The chairman of the coalition is always the Commissioner of Surat Police. Members of the coalition not only get a tax break, but also believe they are helping to create a safer city for their industries to thrive.

Arguments for the System

Bomb blasts in Ahmedabad in 2008 led the Gujarat police to consider setting up surveillance systems not just in Ahmedabad, according to Scroll.in, but in many cities including Surat. Terror attacks in Mumbai in 2008 and at the Delhi High Court in 2011 lent momentum to surveillance efforts, as did international responses to terror, such as the United Kingdom’s intensive surveillance efforts in response to 2005 bombing in London. The UK’s security system has become so comprehensive that Londoners are caught on camera over 300 times a day on average. The UK’s CCTV systems cost over £500 million between 2008 and 2012, and one single crime has been solved in London for every 1,000 cameras each year, according to 2008 Metropolitan Police figures.

However, citizens in London may feel safer in their surveillance state knowing that the Home Office of the United Kingdom regulates how CCTV systems are used to ensure that cameras are being used to protect and not to spy. The UK’s Surveillance Camera Code of Practice outlines a thorough system of safeguards that make CCTV implementation less open to abuse. India currently has no comparable regulation.

The combined government worries of terrorism and business owners desire to prevent crime led to Surat’s unique PPP, ournalist Suarav Datta’s article in Scroll.in continues. Though the Surat Municipal Corporation invested Rs 2 crore, business leaders demonstrated their support for the surveillance system by donating the remaining Rs 10 crore required to build the first phase system. Phase II will cost Rs 21 crore, with the state government investing Rs 3 crore and business groups donating the other Rs 18 crore. This finance model demonstrates both public and private support for the CCTV system.

Why CCTV systems may do more harm than good

Despite hopes that surveillance through CCTV systems may prevent terrorism and crime, evidence suggests that it is not as much of a golden bullet as its proponents believe. In the UK, for example, where surveillance is practice extensively, the number of crimes captured on camera dropped significantly in 2010, because there were so many cameras that combing through all the hours footage was proving to be an exercise in futility for many officers. According to Suaray Datta’s article on Scroll.in, potential offenders in London either dodge cameras or carry out their acts in full view of them, which detracts from the argument that cameras deter crime. Additionally, prosecutors allege that the CCTV systems are of little value in court, because the quality of the footage is so low that it cannot provide conclusive proof of identities.

A 2008 study in San Francisco showed that surveillance cameras produce only a placebo effect–they do not deter crime, they just move it down the block, away from the cameras. In Los Angeles, more dramatically, there was little evidence that CCTV cameras helped detect crime, because in high traffic areas the number of cameras and operators required is so high, and because the city’s system was privately funded, the California Research Bureau’s report noted that it was open to exploitation by private interests pursuing their own goals. Surat’s surveillance efforts are largely privately funded too, a vulnerability that could lead to miscarriages of justice if private security contractors were to gain to security footage.

More evidence of the ineffectiveness of CCTV surveillance comes in the Boston marathon bombing of 2013 and the attack on the Indian parliament in 2001. In the case of the Boston bombing, release of CCTV footage to the general public led to rampant and unproductive speculation about the identity of the bomber, which resulted in innocent spectators being unfairly painted with suspicion.

India’s lack of regulation over CCTV’s also makes Surat’s new system susceptible to misuse. There is currently no strong legislation that protects citizens filmed on CCTV from having their images exploited or used inappropriately. Only police will have access to the recordings, Surat officials say, but the police themselves cannot always be trusted to adequately respect the rights of the citizens they are trying to protect.

The Report of the Group of Experts on Privacy acknowledges the lack of regulations on CCTV surveillance, and recommends that CCTV footage be legally protected from abuse. However, the Report notes that regulating CCTV surveillance to the standards of the National Privacy Principals they establish earlier in the report may not be possible for a number of reasons. First, it will be difficult to limit the quantity of information collected because the cameras are simply recording video of public spaces, and is unlikely that individuals will be able to access security footage of themselves. However, issues of consent and choice can be addressed by indicating that CCTV surveillance is taking place on entryways to monitored spaces.

Surat is not the first place in India to experiment with mass CCTV surveillance. Goa has mandated surveillance cameras in beach huts to monitor the huts and deter and detect crime. The rollout is slow and ongoing, and some of the penalties the cameras are intended to enforce seem too severe, such as potentially three months in prison for having too many beach chairs. More worryingly, there are still no laws ensuring that the footage will only be used for its proper law-enforcement objectives. Clear oversight is needed in Goa just as it is in Surat. The Privacy Commissioner outlined by the Report of the Group of Experts could be well suited to overseeing the proper administration of CCTV installations, just as the Commissioner would oversee digital surveillance.

Concerns of privacy and civil liberties appear to have flown out the window in Surat, with little public debate. It is unclear that Surat’s surveillance efforts will achieve any of their desired effects, but without needed safeguards they will present an opportunity for abuse. Perhaps CCTV initiatives need to be subjected to a little bit more scrutiny.

For more details visit https://cis-india.org/internet-governance/blog/surat-massive-surveillance-network-cause-of-concern-not-celebration

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary

Sunil Abraham, CIS : "Avec l’e-G8, Nicolas Sarkozy veut promouvoir de nouvelles restrictions à la liberté d’expression"

praskrishna — 2011-05-25T11:54:51Z

Le débat continue de faire rage en Inde au sujet d’une nouvelle législation posant des limites floues et, selon certains, potentiellement dangereuses, à la liberté d’expression sur Internet. Et alors que s’ouvre à Paris l’e-G8, sur fond de polémiques autour des intentions de son principal supporteur, le président de la République Française, Nicolas Sarkozy, Sunil Abraham, directeur exécutif de l’ONG Center for Internet & Societies, a accepté de partager son regard sur l’événement, depuis Bangalore. This news was published in LE MAG IT on May 24, 2011.

LeMagIT: L’Inde vient de se doter d’une nouvelle législation relative aux technologies de l’information et de la communication. Que dénoncez-vous dans cette législation ?

Sunil Abraham: Il y a trois principales préoccupations, pour la société civile. Tout d’abord, cette nouvelle législation va au-delà de son périmètre légitime et définit des limites vagues et inconstitutionnelles à la liberté d’expression sur Internet. Par exemple, un discours dénigrant, relevant du harcèlement, blasphématoire ou haineux n’a jamais été criminel ou considéré comme tel par la justice indienne. Mais du fait de cette nouvelle législation, cela peut être puni de 3 ans de prison. Ensuite, ces règles introduisent un biais contre la participation citoyenne à toute forme de publication en ligne, en particulier dans les médias sociaux ou la production de contenus collective. Ainsi, une fois qu’un ordre de retrait a été notifié, le contenu contestable visé doit être supprimé dans un délai de 36 heures. Ou c’est l’intermédiaire concerné qui est susceptible de voir engagée sa responsabilité. De grandes entreprises telles que Google seront en mesure de gérer de telles injections et d’engager des procédures en justice mais de simples individus seront écrasés par la censure privée sans application équitable de la loi. En outre, les individus ne seront pas notifiés de l’application d’une telle censure et aucune pénalité n’est prévue pour ceux qui abuseraient du système en émettant des ordres de retrait de contenu en masse de manière automatisée. Enfin, l’État a créé un système de surveillance à plusieurs niveaux impliquant cyber-cafés, FAI et fournisseurs de services en ligne. Les garde-fous sur les réquisitions judiciaires émises par les agences de renseignement ont été dilués. La rétention de logs redondante à plusieurs niveaux fournit en outre des cibles multiples avec des vulnérabilités multiples aux criminels à la fois au sein et en dehors de ces institutions. Les violations de la vie privée vont se multiplier et ne feront que distraire les agents du renseignement de leurs missions de fond pour lutter contre la criminalité et le terrorisme.

En clair, nous pensons que ces nouvelles règles vont réfréner la liberté d’expression sur Internet en Inde en stimulant l’auto-censure, la censure privée et la surveillance. Cela va nuire à l’exercice démocratique, à la liberté des médias, et à la transparence des institutions publiques, à la culture et à la créativité, à la recherche et au développement, et enfin - mais ce n’est pas rien - à l’entrepreneuriat.

LeMagIT: Dans un contexte de suspicion sur les objectifs du forum e-G8, et avec la perspective de la nouvelle législation indienne, quel regard portez-vous sur le sommet international qui s’ouvre ce mardi 24 mai en France ?

Sunil Abraham: Nicolas Sarkozy et les nations développées de l’Ouest ont complètement perdu leur légitimité morale dans le débat sur la liberté sur Internet. Leur duplicité et leur double-langage ont été mis en lumière - d’un côté, ils critiquent la Birmanie, l’Arabie Saoudite et la Chine mais, dans le même temps, à l’intérieur de leurs frontières, ces nations ont courbé l’échine pour satisfaire aux demandes des ayants-droits. Rétention de données, exigence de justification d’identité dans les cyber-cafés, riposte graduée, investigations transnationales, etc... sont en train de devenir la norme. Nicolas Sarkozy semble avoir oublié que l’accès au savoir est le prérequis de la liberté d’expression. Le partage de l’information est une composante essentielle des activités quotidiennes des citoyens du Net. Criminaliser ces actes afin de soutenir les modèles économiques moribonds des éditeurs de logiciels et des sociétés de production de médias ne fera que réduire Internet à une télévision interactive.

En tant que personne mariée à un ayant-droit en quête de rente, Nicolas Sarkozy n’a naturellement que peu de sympathie pour l’accès [libre] à la connaissance et peut ainsi se faire le champion vocal des régimes de riposte graduée. Il serait bien capable d’interdire à quelqu’un de lire sous un livre prétexte que cette personne aurait partagé les photocopies de ce livre avec trois de ses amis. Il n’y a aucune proportionnalité entre le préjudice et la punition.

Avec l’e-G8, Nicolas Sarkozy essaie de pousser d’autres restrictions à la liberté d’expression avec son concept “d’Internet civilisé” - les régimes répressifs du monde entier ont de quoi se réjouir. Leur régulation draconienne a été importée par le pays de “liberté, égalité, fraternité.” J’espère que le peuple français se joindra aux sociétés civiles du monde entier pour rejeter les propositions de Nicolas Sarkozy.

Sunil's original response in English

What is wrong with the latest IT Rules 2011 [Intermediary Due Diligence, Cyber Cafe and Reasonable Security Measures) under the IT Act [Amendment 2008]

There are 3 broad concerns that civil society has with the latest IT rules. One, they go beyond the the scope of the IT Act and place unconstitutional and vague limits on freedom of expression online. For example speech that is harmful, harassing, disparaging, blasphemous or hateful has never been criminal or defined by Indian courts. But thanks to the latest rules, they are punishable with 3 years of imprisonment. Two, the rules are biased against citizen participation in online publication especially in the form of social media and commons based peer production. Once a take down notice is received the objectionable content has to be deleted within 36 hour otherwise the intermediary looses immunity. Large corporations like Google will be able to manage due diligence and also fight court battles but individual users will becrushed by private censorship sans due process of law. This individuals will not be notified when such censorship occurs and there is no penalty for those who abuse the system by sending bulk machine generated take-downs. Three, the state has mandated a multi-tier blanket surveillance regime - by cyber-cafes, ISPs and application service providers. Safeguards for information requests by intelligence agencies have been diluted. Redundant multi-level retention of logs provides multiple targets with multiple vulnerabilities to criminals both inside and outside these institutions. Privacy violations will multiply only serving a big distraction from the real intelligence work required to stop criminals and terrorists.

In brief - we believe the latest rules have a chilling effect on online freedom of expression in India via self-censorship, private censorship and blanket surveillance. This will undermine - democratic governance, free media, transparency and accountability in public institutions, culture and creativity, research and development and last but not least entrepreneurship.

What is wrong with Sarkozy's agenda at the e-G8

Sarkozy and developed western nations have completely lost their higher moral ground on net freedom. Their duplicity and double-speak has been exposed - on the one hand they criticise Burma, Saudi Arabia and China. But simultaneously at home these nations have bent backwards to please rights-holders. Blanket data retention, real ID requirements at cyber-cafes, three strikes regime, cross-border searches, etc are becoming the norm. Sarkozy appears to have forgotten that access to knowledge is the precondition for freedom of expression. Sharing of information is an essential component of the everyday Internet use of ordinary netizens. Criminalising these acts in order to prop up extinct business models of media houses and software companies will only reduce the Internet to interactive television.

Read the original published by LeMagIT here

For more details visit https://cis-india.org/news/avec-i-e-g-8

Summary of the CIS workshop on the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:33:25Z

On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!

Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill[1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India[2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.

However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…

DNA databases...and Justice for All?

Source: Libertas Academica on flickr

During the workshop [3]on the 2012 draft Human DNA Profiling Bill, DNA[4] was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling[5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:

Should DNA databases be created at all?

The following concerns were raised and discussed during the workshop:

● The myth of the infallibility of DNA evidence

The Innocence Project[6], which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is not infallible[7].

False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides probabilities of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles[8].

● The non-criteria of DNA data collection

How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that all offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under ´any other law as may be specified by the regulations made by the Board´. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.

● The DNA Profiling Board´s power

The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses[9]. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.

No human rights experts

Despite the various amendments[10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.

Vague authorisation for communication of DNA profiles

The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies´[11]. Although the 2007 Bill [12]restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.[13] This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.

Protecting the public

The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´[14]. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate[15]. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.

Sharing data with international agencies…and regulating DNA laboratories

In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies[16]. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.

The Board would also be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories[17]. The draft 2012 Bill ultimately gives monopolistic control to the DNA Profiling Board over all the procedures related to the handling of DNA data!

● The DNA Data Bank Manager

According to the 2012 draft Human DNA Profiling Bill[18], it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

The Bill also empowers the Manager to determine appropriate instances for the communication of information[19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.

DNA access restrictions

Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill [20]states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.

● Availability of DNA profiles and DNA samples

According to the amended draft 2012 Bill[21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a population statistics database´. This is controversial because it remains unclear how such a database would be used.

● Data destruction

According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.

Workshop conclusions

Source: micahb37 on flickr

The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.

During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.

A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.

However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:

Should DNA databases be created at all?

[1] Draft DNA Profiling Bill 2007, http://dbtindia.nic.in/DNA_Bill.pdf

[2] Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,

[3] Centre for Internet and Society, Analyzing the Draft Human DNA Profiling Bill 2012, 25 February 2013, http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, What is DNA?, http://ghr.nlm.nih.gov/handbook/basics/dna

[5] Shanna Freeman, How DNA profiling Works, http://science.howstuffworks.com/dna-profiling.htm

[6] Innocence Project, DNA exoneree case profiles, http://www.innocenceproject.org/know/

[7] Australian Law Reform Commission (ALRC), Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), ´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence

[8] Ibid.

[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[10] Ibid: Section 4(q)

[11] Ibid: Section 12(j)

[12] Draft DNA Profiling Bill 2007, Section 13, http://dbtindia.nic.in/DNA_Bill.pdf

[13] : Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(j), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[14] Ibid: Section 12(l)

[15] Schneier, B.(2008), Schneier on Security, ´CCTV cameras´, http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html

[16] Human DNA Profiling Bill 2012: Working draft version – 29^th April 2012, Sections 12(u) and 12(v), http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

[17] Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´

[18] Ibid: Section 33

[19] Ibid: Section 35

[20] Ibid: Section 43

[21] Ibid: Section 40

For more details visit https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012

Submission to UN High Level Panel on Digital Cooperation

Admin — 2019-02-19T00:55:04Z

For more details visit https://cis-india.org/internet-governance/files/submission-to-un-high-level-panel-on-digital-cooperation

Submission to UN High Level Panel on Digital Co-operation.pdf

karan — 2019-02-07T07:18:44Z

For more details visit https://cis-india.org/internet-governance/submission-to-un-high-level-panel-on-digital-co-operation.pdf

Submission to TRAI (November 6, 2017)

Admin — 2017-11-08T01:08:37Z

For more details visit https://cis-india.org/telecom/files/submission-to-trai-november-6-2017

Submission to the Committee of Experts on a Data Protection Framework for India

amber — 2018-02-05T13:39:00Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White paper was drafted by a Committee of Expert (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.

For more details visit https://cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india

Subject To Technology

nishant — 2009-07-06T12:06:10Z

This paper is an attempt to examine the production of illegalities with reference to cyberspace, to make a symptomatic reading of new conditions within which citizenships are enacted, in the specific context of contemporary India. Looking at one incident each, of cyber-pornography and cyber-terrorism, the paper sets out to look at the State’s imagination of the digital domain, the positing of the ‘good’ cyber citizen, and the production of new relationships between the state and the subject. This essay explores the ambiguities, the dilemmas and the questions that arise when Citizens become Subjects, not only to the State but also to the technologies of the State. The paper first appeared in the Inter Asia Cultural Studies Journal.

For more details visit https://cis-india.org/publications-automated/cis/nishant/iacs%20article.pdf

Sub Tracks

praskrishna — 2013-12-11T10:08:35Z

For more details visit https://cis-india.org/internet-governance/blog/sub-tracks.pdf

Studying the Internet Discourse in India through the Prism of Human Rights

Deva Prasad M — 2015-07-22T04:18:37Z

This post by Deva Prasad M is part of the 'Studying Internets in India' series. Deva Prasad is Assistant Professor at the National Law School of India University (NLSIU), Bangalore. In this essay, he analyses key public discussions around Internet related issues from the human rights angle, and explores how this angle may contribute to understanding the features of the Internet discourse in India.

Introduction

The significance of Internet as an important element and tool in day-to-day life of mankind is an established experiential fact. The intrinsic value that Internet brings to our lives has transformed the access to Internet as a necessity. Internet’s intrinsic value acts an enabling tool for information, communication and commerce to be effectively and expeditiously carried forward. It is to due to this enormous intrinsic value attached with Internet that there is an emerging trend of exploring Internet from the perspective of human rights. Moreover, Internet as a medium also helps in furtherance of human rights [1]. Social movements have attained a new lease of life with the digital activism over Internet. Arab spring is an epitome of this phenomenon.

There is an emerging positive trend of linking established norms of human rights with Internet. The Report of the Special Rapporteur on the right to freedom of opinion and expression has vividly explained the possibility and feasibility of extending and extrapolating the right of freedom of opinion and expression to Internet medium (Article 19 of the UDHR and the ICCPR) [2]. The Special Rapporteur also highlights the need to have access to Internet for effective enjoyment of right to freedom of opinion and expression in the digital sphere. The UN High Commissioner on Human Right’s report on‘The Right To Privacy In The Digital Age’ also explicitly highlights the significance of protecting the right to privacy in the internet medium in light of extensive “surveillance and the interception of digital communications and the collection of personal data” [3]. The extensive interception and blocking of the online communication is also a pertinent reason, which calls for human right protection to be extended to Internet.

The WSIS Declaration for Building of Information Society [4] and the Charter of Human Rights and Principles for the Internet [5] also have played a significant role in furthering the inter-linkage between human rights and Internet.

The Internet and human rights policy developments have gathered significant relevance in international human rights law and Internet policy fora. But it is interesting to note that the Indian government and state institutional mechanisms have not yet pro-actively accepted relevance of applying human rights norm to the Internet medium in India.

As an essay in the Studying Internet series, it is important to highlight how human rights acts as underlying factors in many socio-political issues pertaining to Internet in India. Analysis of these issues helps us to understand that, even though the Indian state turns a blind eye to the human rights element in the various socio-political issues relating to Internet, the digitally conscious Indian’s have realized their rights and even fought their own battle for exercising their rights.

In recent years, the Internet discourse in India has witnessed many socio-political concerns. This essay would be exploring the pertinent socio-political issues in Indian context and the underlying link to human rights thread. Globally, exploring Internet from the perspective of human rights brings out multitude of issues, which requires application of established human rights norms of right to privacy, freedom of expression, access. The story in India is no different. In this regard, three socio-political issues relating to Internet, which gained much attention in India roughly in last one year, are being analyzed. Interestingly, all three issues have an underlying thread of human right perspective connecting them and need pertinent deliberation from human rights perspective.

Section 66A and Freedom of Speech and Expression

The lack of freedom of expression on Internet and Section 66A of Information Technology Act, 2000 is an interesting case study. Indian government used Section 66A as a tool for extensive surveillance and had taken criminal legal action against the Internet and social media users for posting the offensive comments and posts. But Section 66A was badly drafted allowing the government to initiate criminal legal action in an arbitrary and whimsical manner. Thus such a provision could be misused by the state for curbing the freedom of expression in the Internet sphere. The rampant usage of the Indian state machinery of Section 66A had led to sharp reaction amongst the Internet and social media users in India. The vagueness in language and unconstitutionality of Section 66A were criticized by legal experts. The action of state machinery in arresting a cartoonist, a professor and two girls in Maharashtra [6] (and many others) for comments and post on social media against politicians, had made it evident the lack of respect for freedom for speech and expression on Internet by the Indian state machinery (Most of these incidents took place during the year 2012). These incidents led to wide spread protest for violation of human right to freedom of speech and expression by the digital media users. When the Public Interest Litigation [7] filed by Shreya Singhal led to the Supreme Court striking down the Section 66A on 24th March, 2015 for lack of due process being followed, it was a water shed moment for internet discourse in India. The significance of human rights (especially the freedom of speech and expression) in the Internet medium got asserted.

Net Neutrality and Internet Access Issue

The recent net neutrality debate in India has also evoked deliberation about the right of equal access to Internet and the need to maintain Internet as a democratic space. The net neutrality debate on keeping Internet a democratic space that is equally accessible to everyone has got much vogue in India. An important point that needs to be emphasized in the debate regarding net neutrality in India is the equal access question being raised. The equal access question is more a product of the lack of regulatory clarity regarding TRAI’s (Telecom Regulatory Authority of India) capacity to regulate the Over-the top (OTT) services; coupled with the lack of well stipulated right to internet access in the Indian context.

The net neutrality rides on the premise that the entire data available on the Internet should be equally accessible to everyone. No discrimination should be allowed regarding access to a particular website or any particular content on the Internet. Tim Wu, a renowned scholar in Internet and communication law has mentioned in his seminal work, Network Neutrality and Broadband Discrimination, that network neutrality signifies “an Internet that does not favor one application” [8].

In this regard, there has been a constructive dialogue between the Federal Communication Commission in United States and the various stakeholders. An interesting development was a proposition, which attempted to classify broadband internet service access as a public utility [9]. There is much relevance for such debates in the Indian context. India also needs public participation (especially strong voices from internet user’s perspective) to highlight these access concerns regarding Internet. Human right’s concerns regarding Internet should be pro-actively brought to the attention of regulatory institutions such as TRAI. There is need to balance the economic and for-profit interest of service providers with the larger public interest based on equal access.

The pressure created by public opinion through online activism upon the TRAI’s proposal to regulate the OTT services helps in understanding the power of public participation in the pertinent human rights issues relating to Internet [10]. The broader design in which the principle of human rights in the context of Internet medium would have to be asserted in India is also vividly seen in the case of protest against OTT regulation.

Right to be Forgotten in EU and Repercussions in India

The repercussions of ‘Right to be Forgotten’ judgment of European Union also had led to debate of similar rights in Indian context. The Google v. AEPD and Mario Cosjeta [11] is an interesting case decided by the Court of Justice of European Union, where the court held that based on the right to privacy and data protection, persons could ask databases (this case was against the search engine Google) on Internet medium to curtail from referring to certain aspects of their personal information [12]. This is basically referred to as ‘right to be forgotten’.

Viktor Mayor Schonberg in his book Delete: The Virtue of Forgetting in Digital Age has elaborated the problem of how the digital age coupled with the Internet has led to store, disseminate and track information in a substantially easy way and advocates for the more informational privacy rights [13]. In this judgment, the Court of Justice of European Union has furthered the information privacy rights in the European Union with the ‘right to be forgotten’.

In the Indian context, it is important to note that information privacy rights are yet to evolve to the extent that of European Union with definite privacy and data protection law. But interestingly, there was a request made to a media news website by a person attempting to enforce the right to be forgotten [14]. Even though the application of right to be forgotten is not directly applicable in the Indian context, this event throws light to the fact that Internet users in India are becoming conscious of their rights in the Internet space. The way Indian news media gave relevance to the right to be forgotten ruling also is an example of how there is an implicit recognition of the interlink between human rights and Internet that is slowly seeping into the Indian milieu.

Internet Discourse in India and Human Rights

Discussion of the three issues mentioned above points out to an important fact that human rights are not pro-actively applied to the Internet medium by the Indian state machinery. Even though the international human rights law and various Internet policy organizations are pushing the Internet and human rights agenda, the same is yet to gain momentum in India.

But at the same time, an interesting development that could be witnessed from the above discussion is the manner in which the Internet users are asserting their rights over the Internet and slowly paving the path for an enriching view towards applying the human rights perspective to Internet. In the first instance, the freedom of speech and expression was not pro-actively applied to the digital space and Internet. This has happened when Article 19 of Constitution of India has clearly provided for freedom of speech and expression. The second instance of net neutrality has thrown wide open the lack of clear policy regarding Internet access in Indian context. The public opinion has pointed out to the fact that there is a public interest demand to ensure that there is no discrimination in the case of Internet access. The third instance of looking at ‘right to be forgotten’ in Indian perspective, provides the understanding that the users of Internet are becoming conscious of their individual rights in the digital space in a more affirmative manner.

Further, the operationalization of human rights in these three instances also needs to be critically looked into. The assertion of the freedom of speech and expression in the Internet medium could be made possible effectively due to the fact that Article 19 of the Constitution of India, 1950, protects freedom of speech and expression. The vast amount of precedence existing in the field of freedom of speech and expression relating to constitutional litigation and allied jurisprudence has helped in crafting the extension of the right of freedom of expression to the digital medium of Internet. Further, using the social action tool of Public Interest Litigation, the unconstitutionality of Article 19 of the Constitution of India, 1950 could be brought before the Supreme Court.

But interestingly, the net neutrality issue, which is concerning the access to Internet in a non-discriminatory manner, is yet to be perceived in Indian context from a strong human rights perspective. Internet access as a public utility concept is yet to be evolved and articulated in concrete manner in the Indian context. Further, the Indian network neutrality discourse attempts to operationalize through the free market approach. In the free market approach the entire non-discriminatory access has to be ensured by the market competition with the necessary regulatory bodies. In this sense, the human rights angle of access to Internet will have to be ensured by effective competition in the market along with the proper oversight of regulatory bodies such as TRAI and Competition Commission of India. It is important for the regulatory bodies to have broad goals for furthering public interest by ensuring non-discriminatory access to Internet. Further, with the financial and infrastructure led limitations of government’s capability of ensuring access to Internet for all, the market-led model with sufficient regulation might be the right way forward.

Looking at the issue of the right to be forgotten, it could be easily perceived that the Indian milieu is yet to articulate privacy rights to that high standard. Even though the right to privacy is being understood in the constitutional law context through effective interpretation by the judiciary, the concept of digital privacy has not yet evolved in India. There is no collective understanding, till now, that has emerged regarding right to be forgotten in India. Even though individual attempts to assert the right was witnessed, there is much room for an evolved collective understanding in Indian context. Civil society organizations would have a crucial role to play in this regard.

There is an emerging consciousness amongst a set of Internet users in India, who values and gives importance to the Internet being a democratic space, without unwanted restriction from the government machinery or even the private entities. Hence looking at the Internet discourse of India from the perspective of human rights, there is an implicit way in which the human rights are being applied to the Internet space. The lack of a state’s pro-active approach in asserting human rights to Internet space is highlighted by the assertions being made by the Internet users in India.

Way Forward

For Internet to remain as a democratic space, there is need for pro-active application of these human rights norms and clear understanding in Internet governance. At present, the state of affairs in India regarding application of human rights to Internet is far from satisfactory.

This essay which is part of the ‘Studying Internet in India’ series, has till now done a stock taking analysis of emerging dimension of human rights and Internet in India. Lack of interest from government and state machinery to further the human rights and Internet dimension need to be seriously reconsidered. Attempting to intervene in Internet law and policy in India from the rights based approach should be an important agenda for furthering digital rights in India. For this, civil society organizations have an important role to play. Exploring the public interest could be done effectively with public participation of stakeholders. Here in, platforms such as India Internet Governance Forum could play a crucial role.

Apart from the civil society organizations, it is also pertinent for state and governmental institutional mechanism to also take a pro-active stance. For ensuring that the rights based approach to Internet has to be duly included in the Internet law and policy; and there should be institutional mechanism, which could look into areas pertaining to human rights and Internet. It is a well know fact that India lacks institutional mechanism for looking into communication and privacy issues regulation. Further, the National Human Rights Commission (NHRC) also needs to look at the relevance of human rights for Internet. Inspiration could be drawn from the pioneering work of Australian Commission of Human Rights on applying human rights norms and standards to Internet medium [15]. This essay has only flagged the need to apply the established human rights norms to Internet space. Much more issues such as access to Internet by disabled, safety of children and Internet medium are also pertinent areas.

Moreover, it is important to have digital rights of Internet users in India to be explicitly enshrined in a legal framework. Presently, a gap in law and policy framework regarding human rights and Internet is evident, as highlighted in this essay. The pertinent questions regarding access, privacy and freedom of expression are to be taken seriously by the government and state machinery for which clear and well-defined rights relating to Internet space have to be framed. For Internet and human rights to be taken seriously, it is high time that legal and institutional framework to explore these issues also are evolved.

Emphasizing the Right to Communication in India

Further, the present understanding of right to communication in India, which is perceived in narrow manner, could be re-worked with the help of a pro-active application of human rights norms to the Internet governance. The intrusion into the freedom of speech and expression especially in the telecommunication context has to be highlighted. Protection of communal harmony has been used as rationale for capping the number of the SMS messages that could be sent per day during the exodus of people of Northeastern states origin from Bangalore, Pune and other major cities in India.

This move has been criticized for being unreasonable and universality of capping the number of SMS messages [16]. Further, the telecommunication and Internet services (especially Facebook and YouTube) were blocked in Kashmir for restricting the protest [17]. The telecommunication and Internet services were blocked on the grounds of protection of national security. The reasonableness of restrictions that could be imposed on right to communication is a major concern in the above-mentioned instances. Making a blanket ban applicable in a universal manner undermines the right to communication of various genuine users of bulk messaging and social media sites.

The right to communication especially in the digital and telecommunication media needs to be emphasized. Applying human rights perspective and norms to Internet governance would help in articulating and evolving the right to communication in India. With adequate institutional oversight, the human rights norms could make the digital right to communication an effective right.

To conclude, the Internet discourse in India has already paved path for human rights norms to be applied to Internet space. The seriousness that could be attributed to those rights is evident by the assertions by the Internet users in India. But the state and government machinery in India also should explore the human rights and Internet agenda seriously.

Endnotes

[1] Frank La Rue, Report Of The Special Rapporteur On The Promotion And Protection Of The Right To Freedom Of Opinion And Expression, Available at http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf (Last accessed on 25/05/2015).

[2] Ibid, Special Rapporteur in the Report points out that the language of Article 19 of ICCPR is media neutral and is applicable to online media technological developments also. Para 20 and 21 of the Report.

[3] UN High Commissioner on Human Right, Report on ‘The Right To Privacy In The Digital Age’, Available at http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf (Last accessed on 25/05/2015).

[4] WSIS Declaration for Building of Information Society, Available at http://www.itu.int/wsis/docs/geneva/official/dop.html. (Last accessed on 25/05/2015). Article 58, WSIS Declaration reads as follows: “The use of ICTs and content creation should respect human rights and fundamental freedoms of others, including personal privacy, and the right to freedom of thought, conscience, and religion in conformity with relevant international instruments”.

[5] Charter of Human Rights and Principles for the Internet Available at http://internetrightsandprinciples.org/site/wp-content/uploads/2013/10/IRP_booklet_final1.pdf, (Last accessed on 25/05/2015).

[6] See Section 66A:Six Cases That Sparked Debate, Available at http://www.livemint.com/Politics/xnoW0mizd6RYbuBPY2WDnM/Six-cases-where-the-draconian-Section-66A-was-applied.html, (Last accessed on 25/05/2015). Also see, Facebook Trouble:10 Cases of Arrest Under Section 66A of IT Act, Available at http://www.hindustantimes.com/india-news/facebook-trouble-people-arrested-under-sec-66a-of-it-act/article1-1329883.aspx (Last accessed on 25/05/2015).

[7] Shreya Singhal v. Union of India, Available at http://indiankanoon.org/doc/110813550/ (Last accessed on 25/05/2015).

[8] Tim Wu, Network Neutrality, Broadband Discrimination, Available at https://cdt.org/files/speech/net-neutrality/2005wu.pdf (Last accessed on 25/05/2015).

[9] F.C.C. Approves Net Neutrality Rules, Classifying Broadband Internet Service as a Utility, Available at http://www.nytimes.com/2015/02/27/technology/net-neutrality-fcc-vote-internet-utility.html (Last accessed on 25/05/2015).

[10] The online campaign by www.savetheinternet.in and the AIB video have played a crucial role in gathering public support.

[11] Court of Justice of European Union, Case C-131/12.

[12] Rising like a Phoenix: The ‘Right to be Forgotten’ before the ECJ, Available at http://europeanlawblog.eu/?p=2351 (Last accessed on 25/05/2015).

[13] Viktor Mayor Schonberg, Delete: The Virtue of Forgetting in Digital Age, Princeton University Press (2009).

[14] Right to be Forgotten Poses A Legal Dilemma in India, Available at http://www.livemint.com/Industry/5jmbcpuHqO7UwX3IBsiGCM/Right-to-be-forgotten-poses-a-legal-dilemma-in-India.html, (Last accessed on 25/05/2015). Also see We received a Right to be Forgotten request from an Indian user, Available at http://www.medianama.com/2014/06/223-right-to-be-forgotten-india/ (Last accessed on 25/05/2015).

[15] Human Rights and Internet, Available at https://www.humanrights.gov.au/our-work/rights-and-freedoms/projects/human-rights-and-internet (Last accessed on 25/05/2015).

[16] Chinmayi Arun, SMS Block as Threat to Free Speech, Available at http://cis-india.org/internet-governance/www-the-hindubusinessline-op-ed-sep-1-2012-chinmayi-arun-sms-block-as-threat-to-free-speech (Last accessed on 15/07/2015).

[17] Pamposh Raina and Betwa Sharma, Telecom Services Blocked to Curb Protests in Kashmir, Available at http://india.blogs.nytimes.com/2012/09/21/telecom-services-blocked-to-curb-protests-in-kashmir/?_r=0 (Last accessed on 15/07/2015).

Author's Note: All the views expressed are my own and in no way are linked to the opinion of my employers. I thank CIS for this opportunity to explore Internet and Human Rights interface in India as part of the Studying Internet in India essay series.

Note: The post is published under Creative Commons Attribution 4.0 International license, and copyright is retained by the author.

For more details visit https://cis-india.org/raw/blog_studying-the-internet-discourse-in-india-through-the-prism-of-human-rights

Study of Privacy Policies of Indian Service Providers

praskrishna — 2014-12-21T15:09:49Z

For more details visit https://cis-india.org/internet-governance/blog/study-of-privacy-policies-indian-service-providers.pdf

StateGovtCovidApps PDF

pranav — 2020-07-14T08:03:10Z

For more details visit https://cis-india.org/internet-governance/stategovtcovidapps-pdf

State-led interference in encrypted systems: A public debate on different policy approaches

Admin — 2017-12-05T14:03:09Z

State-led interference in encrypted systems. Sunil Abraham is a speaker for this event.

Proposer's Name: Mr. Carlos Alberto Afonso
Proposer's Organization: Instituto Nupef
Co-Proposer's Name: Mr. Hartmut Glaser
Co-Proposer's Organization: CGI.br

Co-Organizers:

Mr., Carlos, AFONSO,Civil Society, Instituto Nupef
Mr. Hartmut, GLASER, Technical Community, CGI.br
Ms. Jamila, VENTURINI,Technical Community, NIC.br
Mr. Diego, CANABARRO, Technical Community, NIC.br

Session Format: Other - 90 Min
Format description: The session is designed to host a dialectic debate segment followed by a traditional round-table segment structured around a Q&A format.

Proposer:
Country: Brazil
Stakeholder Group: Civil Society

Co-Proposer:
Country: Brazil
Stakeholder Group: Technical Community

Speakers

Christoph Steck (Telefonica, Spain)
Riana Pfefferkorn (Stanford CIS, EUA)
Cristine Hoepers (CERT.br, Brazil)
Carlos A. Afonso (Nupef Institute, Brazil)
Neide Oliveira (Federal Prosecution Service, Brazil)
Sunil Abraham (CIS India)
Monica Guise Rosina (Facebook Brazil)
Jonah F. Hill (NTIA, EUA)
Nina Leemhuis Janssen (Govt of The Netherlands)

Content of the Session

The workshop is built around a policy question that approaches some historical controversies inherent to the widespread use and availability of encryption in the Internet, with a special focus on the tension between the increasing use of cryptography after Snowden and the supposed challenges it poses to public and national security in a digital era. The session promotes a space for multistakeholder debate on: the state of the art in the development and employment of cryptography; different attitudes towards the freedom to use encryption in different jurisdictions; modes of state-led interference in/with encrypted systems; and the limits posed by national and international law to such interference, as well as the impacts it might have to the protection and promotion fundamental human rights and shared values, to permission-less innovation on the Internet and the open architecture of the network. The session will host two segments: one will consist of two presentations made by government officials from the UK and the Netherlands that will detail different policy approaches for dealing with the use of encryption. The second comprises a multistakeholder round-table that gathers comments and questions about the previous presentations. In the end, moderators will summarize discussions and an overarching and documented report of the session will be made available for the session. The unorthodox format chosen for this session allows public scrutiny over some very practical policy-oriented approaches. The bulk of discussions registered during the workshop can provide dialogued feedback into policy development processes elsewhere.

Relevance of the Session

The development and use of encryption to protect information and communication dates back to ancient times. Encryption has been mainly employed over the centuries to protect personal data, business information, governmental classified information, etc. Attempts to break encryption in general as well as the notion of inserting vulnerabilities (such as backdoors) in systems that rely on encryption have been a parallel phenomenon to (and also an integral part of) the longstanding efforts of cryptography. One might even say that those two processes function as the two different sides of the same coin.

The advent and the great pace of development of computing and networking technologies boosted the science behind cryptography to unprecedented levels of relevance for society in general. More recently, after the Snowden affairs, cryptography has been perceived as a necessary condition (not a sufficient one though) for Internet users to curb the abuses entailed by massive digital surveillance and espionage by an ever growing number of countries. In parallel, together with other measures, the deployment of encryption to commercial applications seems to have become a, somehow, sine qua non condition for some Internet companies to regain consumer trust and retain competitive advantages in relation to other players in the market.

The widespread use and availability of encryption tools however refueled tensions and entailed policy responses in a myriad of countries (e.g.: the Apple vs FBI case in the context of the San Bernadino Shooting; the announcement made by some European countries of their willingness to outlaw some uses of encryption as well as the public commitment of the Netherlands government to support encryption and oppose the development of backdoors; and the successive orders by Brazilian courts that aimed at blocking Whatsapp in the country due to the company’s denial to delivery communication records from some of its users). Those tensions generally revolve around the fact that as general-purpose technology, encryption can be also employed to conceal irregular and/or illicit activities, which would justify the creation of some narrow but allegedly needed exceptions to the constitutional limits built over the last century in several countries to impose limits to criminal investigation in order to uphold privacy and personal data protection.

The cases mentioned above gave rise to fierce discussions on whether or not the use of encryption increases by itself the likelihood of and facilitate the occurrence of crime and other illicit activities (most notably organized crime of all sorts and terrorism). Some law enforcement agencies and security forces have argued that encryption impairs crime investigation and the prosecution of criminals, and therefore the development of technology with embedded backdoors might be needed. Other actors, including representatives from the technical community, however, argue that such interference might disrupt regularly protected flows of information and communication as well as compromise privacy and the protection of other fundamental human rights. At this point, we are in a stage in which the trade-off between those two perspectives have to be settled through democratic means and public participation and that is why this workshop was submitted for the IGF 2017.

Besides dealing with several different topics that comprise the overarching agenda of Internet governance (human rights, cybersecurity, openness and permission-less innovation, economic development, infrastructure governance, etc), the topic of this workshop is directly connected to two different goals comprised in the UN SDGs: sound institutions and innovation. Discussions on the contours of sound political institutions and on challenges and incentives for innovation are integral components of any sort of political agenda that aims at reflecting upon the “digital future”, which is the case of the 2017 IGF and highlight the importance of adding this proposal to the overall agenda of the event.

For more details visit https://cis-india.org/internet-governance/news/state-led-interference-in-encrypted-systems-a-public-debate-on-different-policy-approaches

State Surveillance and Human Rights Camp: Summary

elonnai — 2013-07-12T16:02:51Z

On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.

The camp also served as a platform for collaboration on the Draft International Principles on Communications Surveillance and Human Rights. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.

The draft principles were institutionalized for a number of reasons including:

Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data.
Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated.
New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.
Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual.

This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.

A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed here .

Summary of the Draft International Principles on Communications Surveillance and Human Rights

Legality: Any surveillance of communications undertaken by the government must be codified by statute.

Legitimate Purpose: Laws should only allow surveillance of communications for legitimate purposes.

Necessity: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.

Adequacy: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.

Competent Authority: Any authorization for surveillance of communications must be made by a competent and independent authority.

Proportionality: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.

Due process: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.

User notification: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.

Transparency about use of government surveillance: The governments ability to survey communications and the process for surveillance should be transparent to the public.

Oversight: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.

Integrity of communications and systems: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.

Safeguards for international cooperation: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.

Safeguards against illegitimate access: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications.

Cost of surveillance: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.

Types of Data

The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.[1]

Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.[2]

It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.

Ways of Accessing Data

Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.

Access and Technology

In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.[3]

In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).[4] Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.[5] With this information it is possible to read the actual content of packets, and identify the program or service being used.[6]

DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.[7]

Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".[8]

Access and Legislation

The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.

1]. EFF. Mandatory Data Retention: United States. Available at: https://www.eff.org/issues/mandatory-data-retention/us
[2].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/
[3]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0
[4]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html
[5]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works
[6]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609
[7]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138
[8].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/

For more details visit https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary