Centre for Internet and Society

RIM Offered Security Fixes

praskrishna — 2011-04-02T10:24:12Z

In India Talks, BlackBerry Maker Said It Could Share Metadata, Notes Show

Research In Motion Ltd. has offered information and tools to help India conduct surveillance of wireless email and messaging services on RIM's popular BlackBerry, say people familiar with the negotiations, illuminating RIM's dealings as it seeks to balance sovereign security concerns with its customers' privacy.

In a series of discussions that intensified this summer, RIM offered to provide crucial information that would help the Indian government track down messages sent via the company's popular and encrypted corporate email service, according to those familiar with the confidential talks and to minutes of meetings reviewed by The Wall Street Journal.

In a July 26 meeting, RIM representatives told Indian officials "they have a setup to help the security agencies in tracking the messages in which security agencies are interested," according to an Indian government summary of the meeting.

The Waterloo, Ontario, company has become an industry leader in part on the strength of a secure technology that offers information privacy to customers. But as RIM seeks to expand, it is grappling with how its promise of user confidentiality is encountering resistance from governments around the globe.

RIM's challenge, along with Google Inc.'s face-off with China over censorship issues, illustrates the growing tensions between Western technology giants, who seek to woo millions of emerging-market consumers with increasingly sophisticated technology, and governments that are trying to maintain security in the face of it.

The stakes are high in India, the world's No. 2 wireless market, behind China, with 635 million subscribers. Emerging economies are vital to RIM as its smartphones face competition in North America from Apple Inc.'s iPhone and devices that run on Google's Android software. RIM's new international subscribers for the first time outnumbered new North American subscribers in the quarter that ended Feb. 27, according to brokerage GMP Securities.

Discussions between RIM and India took a public turn Thursday when India's government threatened to block some BlackBerry services from the country's telecommunications networks unless the services could be opened to surveillance by Aug. 31. On Friday, an Indian government official said RIM had assured India it would meet the deadline.

A spokesman for RIM in India declined to comment on negotiations with India. Sachin Pilot, India's Minister of State for Communications and Information Technology said Friday there are promising signs that the company is willing to cooperate, but there's no deal "until I have something in writing."

RIM has come under scrutiny in recent months amid contentious negotiations with countries including the United Arab Emirates and Saudi Arabia, which have also sought to monitor BlackBerry services for threats to national security.

A person familiar with the negotiations in the U.A.E. said officials in the region believed RIM had been holding back from them technological solutions that had been offered to Western governments, specifically in regards to BlackBerry Messenger.

RIM declines to discuss its negotiations with governments and didn't comment on negotiations in India and other countries.

In a statement issued Thursday, RIM outlined its guidelines for how far it is willing to go in helping carriers meet surveillance needs. RIM said it will only help carriers meet strict national-security rules, won't provide more access than its competitors already do and won't alter the security architecture of its corporate email servers in response to government needs.

"RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries," the statement said.

Governments are pressuring RIM to comply with their demands for information in part because unlike other smartphone vendors, it operates its own network of servers, the biggest of which is in Canada, outside their monitoring reach and jurisdiction.

That contrasts with devices such as the iPhone, which don't operate their own email services. Governments generally have laws that allow them to monitor traffic on mobile and computer networks operating within their own countries.

Talks between RIM and various countries have centered mostly on data routed through the company's system for corporate emails, BlackBerry Enterprise Server, and its instant-messaging service, BlackBerry Messenger, whose high levels of encryption can prevent government monitors from deciphering content or determining sender or recipient. RIM has said that even it can't decrypt BlackBerry corporate emails.

India's security services argue they need access to selected emails to ward off criminal and terrorist threats. "In terms of our issues of national security, any responsible government would not want to compromise," said Mr. Pilot, the communications minister. "I don't think what we are asking is out of the ordinary vis-à-vis other countries."

Security and technology experts say each country has different surveillance needs, technology infrastructures and laws governing how security forces and police can access data. It is generally Internet service providers and telecommunications carriers that must implement the country's monitoring regime, and the kinds of help RIM gives carriers in doing that varies with each nation, says a person familiar with RIM's operations.

According to minutes taken by the Indian side, the parties discussed whether RIM could provide "metadata" from encrypted corporate emails—information such as the email's sender and recipient and the time sent. "After some persuasion, the [RIM] representative agreed that they can provide the metadata of the message," according to an Indian summary of one discussion.

Cyber-security experts say such metadata would give government intelligence services important leads to locate BlackBerry traffic on corporate email servers, where messages are in decrypted form. It wasn't clear under what circumstances RIM would agree to divulge such information.

In the meetings, RIM also promised to develop tools to help Indian authorities tap into third-party Internet chat services, such as Google's Gmail, that run on its handsets, according to the meeting minutes. It isn't clear whether or how RIM has proposed to help security officials decode BlackBerry Messenger.

RIM also appears to have put itself in a role of educating Indian officials over the operation of its network and on network security in general, suggesting to officials that emails that aren't subject to heavy corporate encryption can be viewed with assistance from local carriers.

Governments that have been reviewing their data-access arrangements with RIM have been sharing information with each other, said an official in the region with knowledge of the Indian negotiations.

The U.A.E. and Saudi Arabia, the Middle East's largest economies, upped their ante with RIM weeks before India did. Both countries have been negotiating with RIM for the same kinds of access to data that India wants, but people familiar with talks in the Gulf countries say they have been acrimonious.

Government officials say RIM has taken a condescending attitude to developing countries' security demands, and say they believe the company was holding out on solutions to access information, such as on BlackBerry Messenger, that had been offered to other countries.

"They refuse to listen to us," said a person familiar with the negotiations. "It's like we aren't speaking the same language."

Anger boiled over last month with the U.A.E. announcing a ban on BlackBerry email, Internet and instant-messaging services from Oct. 11, citing a lack of progress in more than three years of negotiations. Saudi Arabia followed with a threatened ban on BlackBerry Messenger.

Tensions were fueled when RIM co-CEO Michael Lazaridis said in an interview earlier this month with The Wall Street Journal that many of the nations the company deals with aren't tech-savvy and don't understand the Internet. "We work with these countries to educate them," he said.

Negotiations between the U.A.E. and RIM are ongoing. The government says it remains optimistic of a solution. In Saudi Arabia, telecommunications regulators announced earlier this week that RIM had offered them a technical fix that would let them access data from BlackBerry Messenger.

In RIM's home country of Canada, the U.S. and other countries, police and security agents typically must get a court order to gain access to things like the content of emails.

India's regulations in this area are murky. An 1885 law that has been updated over the years allows the government to intercept Internet traffic "on the occurrence of any public emergency." A 2008 law gives bureaucrats in various agencies the authority to order monitoring of any entity's Web traffic, though the matter can be challenged in court.

It remains unclear whether RIM's promise to provide metadata to corporate messages will be enough to satisfy India's concerns. A more drastic solution, says Sunil Abraham of the Bangalore-based Center for Internet and Society, would be for the government to require RIM to build a BlackBerry data center within India—something that could cost tens of millions of dollars, people familiar with the matter say—and then classify the company as an Indian Internet service provider.

Such a move would put India on stronger legal footing, analysts say, to demand data from RIM as well as companies whose employees use BlackBerrys. Under such a scenario, "the government would be allowed to get a room inside RIM and install whatever machines they want to monitor that traffic," Mr. Abraham said.

It wasn't clear from the government documents summarizing the meetings between RIM and the government whether such an option is being considered. The company would vehemently oppose such a classification, people familiar with the situation say. In the U.A.E, RIM has balked at the government's request that it set up a local data center, people familiar with those negotiations said.

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/rim-offered-security-fixes

RightsCon 2014

praskrishna — 2014-04-08T05:04:09Z

RightsCon Silicon Valley 2014 was an incredible mixture of more than 700 attendees from more than 65 countries and 375 institutions. Pranesh Prakash and Malavika Jayaram were speakers at this event organized by RightsCon at San Francisco on March 3 and 4, 2014.

This incredible union of expertise has led to real outcomes, many of which are viewable here or as a PDF report here. Missed a session? A special thanks to all our speakers and sponsors who made 2014 so smart and productive.

Missed a session in San Francisco? Many of the videos are available for viewing. To learn more about past RightsCon conferences, head here.

Even as we continue to work diligently on the the work generated from RightsCon Silicon Valley 2014, we are looking ahead to 2015 and Southeast Asia, where we will convene civil society and key decision-makers in this rapidly evolving region. Click here to learn more about the planning for RCSEA2015.

Pranesh was invited to be on five panels, and spoke in three.

He spoke in the following sessions:

March 3 from 14:00-15:15 - Nicolas Seidler's panel on "Localizing the Global Internet: Data Centers, Traffic Rerouting, and the Implications of Post-Surveillance Policy Proposals"

March 4 from 12:00-13:15 - Paul & Bertrand's panel on "Internet and Jurisdiction: How Can Heterogenous Laws Coexist in Cross-Border Online Spaces?"

March 4 from 14:30-15:45 - Amie Stepanovich's panel on "The NSA Strikes Back: Who Really Won the Crypto Wars?"

He was also invited to the following panels:

"Toward Accountability: Reflecting on ICT Industry Action To Protect User Rights"

"Policy Laundering: Hacking the International Innovation Policy Machine"

For more info on the conference, click here. For the full list of speakers, see here.

Video

For more details visit https://cis-india.org/news/rights-con-2014

Right to Privacy in Peril

vipul — 2015-08-13T15:32:18Z

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Adhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so, and since in this case it appears that the same was not done therefore the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.

[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitutionand therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that while the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner) while the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, however they held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it may be interfered with by the State through procedure established by law and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

Right to Food Campaign, Ranchi Convention, 2016

sumandro — 2019-03-16T04:40:52Z

The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.

Right to Food Campaign: Website.

Right to Food Campaign: Cash Transfers and UID: Our Main Demands.

Ranchi Convention, 2016: Programme.

For more details visit https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016

Rick van Amersfoort to give a public lecture on his work at CIS on May 15

praskrishna — 2011-04-05T04:07:10Z

Rick van Amersfoort, researcher based in Amsterdam will describe his work at Buro Jansen & Janssen, in the Netherlands and Europe.

Reading, digging in archives, procedures under the freedom of Information Act, supporting people for access to their police and intelligence service records, describing mechanisms the state uses to monitor, control and discipline civilians, but also means to overcome eavesdropping, surveillance, arrest or jail is the daily practice of Jansen. Since 25 years it has been active on the edge of legality and illegality. No scientists, nor journalists, but active civilians in a constant battle with the state and its services. Not only the state is evaluated. ‘City of Discipline’ is a project that tries to explain the lack of public outrage against far-reaching laws, although the crime rate is going down and the effectiveness of more security is doubtful.

Buro Jansen & Janssen hosts a variety of websites, some of these are:

The NTRO (National Technical Research Organization) eavesdropping scandal with so-called IMSI-catchers; According to the magazin Outlook the Mata Hari (the Dutch woman Margaretha Geertruida) of India, Madhuri Gupta; Possible police and state operations against protesting farmers in for example Devanahalli and Doddaballapur; Threats from the Indian government towards people and organizations who have contacts with the CPI or other Maoist groups; The 26 November 2008 Mumbai attacker verdict of five death sentences; Destroyed archives on the 1971 war between India and Pakistan are just some news items from the last week that describe the work/research/ activities which Buro Jansen & Janssen is conducting in the Netherlands, Europe and abroad. Van Amersfoort will shed light on the work of Jansen & Janssen in the Netherlands and Europe in relation to the above mentioned news items in India.

About Rick van Amersfoort

The past 10 years Rick van Amersfoort (1964 NL) has been researcher at Buro Janssen & Jansen, an organisation that critically investigates police, justice, secret services and home affairs in Holland and the European Union. Buro Jansen and Janssen publish online the Observant, a bimonthly mailing informing subscribers of the latest governmental infringements and political lobbies within the Netherlands. Other websites include http://www.openheid.nl/ that gives legal advise for public access to people’s records held by police and security services, http://www.preventieffouilleren.nl/, deals with stop and search operations by police and http://www.identificatieplicht.nl that addresses mandatory identification regulation. In 2006 Amersfoort co-authored (Wil van der Schans) Under Pressure, antiterrorism in the Netherlands. Buro Jansen & Janssen regularly appear in the media, local and national newspapers, radio and internet interviews. Current projects include ‘City of Discipline’, a project that tries to explain the lack of public outrage against far-reaching laws, although the crime rate is going down and the effectiveness of more security is doubtful. Van Amersfoort is presently designing a website for public access in connection with the Freedom of Information Act. http://openbaarheid.nl

For more details visit https://cis-india.org/events/rick-van-amersfoort

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

Rethinking Privacy Principles

elonnai — 2017-09-11T02:17:02Z

For more details visit https://cis-india.org/internet-governance/files/rethinking-privacy-principles

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law

amber — 2017-09-11T02:22:01Z

This report is intended to be the first part in a series of white papers that CIS will publish which seeks to contribute to the discussions around the enactment of a privacy legislation in India. In subsequent pieces we will focus on subjects such as regulatory framework to implement, supervise and enforce privacy principles, and principles to regulate surveillance in India under a privacy law.

Edited by Elonnai Hickok and Vipul Kharbanda

This analysis intends to build on the substantial work done in the formulation of the National Privacy Principles by the Committee of Experts led by Justice AP Shah.1 This brief, hopes to evaluate the National Privacy Principles and the assertion by the Committee that right to privacy be considered a fundamental right under the Indian Constitution. The national privacy principles have been revisited in light of technological developments such as big data, Internet of Things, algorithmic decision making and artificial intelligence which are increasingly playing a greater role in the collection and processing of personal data of individuals, its analysis and decisions taken on the basis of such analysis. The solutions and principles articulated in this report are intended to provide starting points for a meaningful and nuanced discussion on how we need to rethink the privacy principles that should inform the data protection law in India.

Click to read the full blog post

For more details visit https://cis-india.org/internet-governance/blog/rethinking-national-privacy-principles

Rethinking Data Exchange & Delivery Models

Pallavi Bedi, Amber Sinha — 2021-04-08T06:36:06Z

Executive Summary

In 2020, reports of the government's proposal to create a social registry to update the Socio Economic Caste Census 2011 data started surfacing. Based on the limited information around these proposals in the public domain, it is imperative that adequate consideration be provided to develop such systems in a manner that protects the informational privacy of the individuals. Currently, the proposed Personal Data Protection Bill, 2019 is being deliberated by the Joint Parliamentary Committee and is expected to be tabled in the Monsoon Session of Parliament. The proposed data protection framework is a marked improvement over its predecessor, Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. One substantial change in the context of welfare delivery is that the scope of the application of the proposed framework extends to the personal data processing by the government and its agencies.

The objective of the white paper is to examine the application of the proposed data protection provisions on such a welfare delivery model (data exchange and delivery model) and suggest ways to operationalise key provisions. The scope of this white paper is limited to examining the personal data implications of the model and the effective governance of such platforms in India. The paper relies on publicly available details of India’s and other selected countries (Indonesia, Brazil, China, Malawi, Kenya, Estonia) digital infrastructure, proposals, schemes and legal frameworks in relation to welfare delivery in the country. International best practices around implementation of the principles of privacy and openness are analysed to suggest methods to operationalise these requirements in the context of the data exchange and delivery models and the proposed data protection framework of the country.

Based on the global experience of implementing data exchange and delivery models and the best practices for implementation of data protection provisions, following are some of the key recommendations (in addition to discussing ways to operationalise the data protection provisions) for such a platform in the Indian context:

Application of Data Protection Legislation: Due to the sensitive processing of personal data accompanied with harms arising from unlawful surveillance, such a data exchange and delivery model should not be deployed without an overarching data protection legislation. It is vital that the application of the legislation extends to the model. The Data Protection Authority of India should be able to exercise its investigative, corrective and advisory powers over the functioning and management of the model.

Independent Regulator: Oversight over the functioning of the platform should not be vested with the agency that is responsible for the maintenance of the platform to address potential conflict of interest issues. Additional sub - committees based on subject matter expertise for each individual scheme can be set up to assist the regulator, if required. The independent regulator should have strong investigative, corrective and advisory powers for effective oversight over the activities of the platform. Enforcement actions of the regulator should be transparent.

Governance: The data fiduciary responsible for the management and operation of the data exchange and delivery platform should be clearly identified. The platform should have valid legislative backing. In case of involvement of private actors, additional safeguards related to the privacy and confidentiality of the data in the platform should be implemented.

Data Protection Authority of India and Platform: There should be clear channels of communication between the data protection authority of India and the data fiduciaries managing and accessing the platform for guidance on data protection issues.
Grievance Redressal Mechanism: An accessible grievance redressal mechanism should be set up at different points of the service delivery and their existence should be publicised through different mediums. As the platform can act as a single point of failure for multiple schemes, an integration of the redressal mechanisms across multiple schemes should be considered based on existing institutional structures. Multiple channels for receiving complaints must be set up for the citizen’s convenience.

Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/rethinking-data-exchange-delivery-models

Rethinking Acquisition of Digital Devices by Law Enforcement Agencies

Harikartik Ramesh — 2022-05-02T09:27:54Z

This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.

Read the article originally published in RGNUL Student Research Review (RSRR) Journal

Abstract

The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the Puttuswamy I (2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the right to privacy judgement.

Keywords: Privacy, Criminal Procedural Law, CrPc, Constitutional Law

Introduction

New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in Puttuswamy I (2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.

Acquisition of digital devices by LEAs through summons

Section 91 of the Criminal Procedure Code (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In Rama Krishna v State, ‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. Abhinav Sekhri, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.

As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In Riley v California, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The Riley decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.

The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in Riley, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in Canara Bank noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. Tarun Krishnakumar notes that the trickle-down effect of Puttuswamy I will lead to new privacy challenges with regards to a summons to appear in court. Puttuswamy I, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the Puttuswamy judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.

Puttuswamy I provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.

Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In Riley, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.

Compelling the production of passwords of devices

In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.

In Kathi Kalu Oghad, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. It has been argued that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because Kathi Kalu Oghad only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.

The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the Kathi Kalu Oghad precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.

Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. Puttuswamy I observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in Selvi v Karnataka and Puttuswamy I has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.

In Virendra Khanna, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.

US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in Application for a Search Warrant, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.

Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in Selvi as it violates decisional autonomy.

As Sekhri noted, a criminal process that reflects the aspirations of the Puttuswamy judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the Virendra Khanna guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.

Conclusion

The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and Puttuswamy, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.

For more details visit https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies

Rethinking Data Exchange & Delivery Models pdf

pranav — 2021-04-08T05:06:10Z

For more details visit https://cis-india.org/internet-governance/rethinking-data-exchange-delivery-models-pdf

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:45:41Z

On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.

The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available here. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the Response to the Questionnaire

For more details visit https://cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee

Response to the Pegasus Investigation

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:44:43Z

For more details visit https://cis-india.org/internet-governance/response-to-the-pegasus-investigation

Response to the Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services

Gurshabad Grover, Nikhil Srinath and Aayush Rathi — 2019-01-11T15:59:59Z

For more details visit https://cis-india.org/internet-governance/files/response-to-the-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

Response to the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks

praskrishna — 2016-12-11T03:17:38Z

For more details visit https://cis-india.org/telecom/files/response-to-the-consultation-note-on-model-for-nation-wide-interoperable-and-scalable-public-wi-fi-networks