Centre for Internet and Society

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

Is India's government becoming Big Brother?

praskrishna — 2013-06-05T09:39:53Z

India's new Central Monitoring System will give officials unprecedented access to calls, texts, and online activity.

The blog post by Talia Ralph and Jason Overdorf was published in Global Post on May 9, 2013. Pranesh Prakash is quoted.

The government has quietly started putting into place its new Central Monitoring System, a project that will give it access to its citizens' telephone calls, texts, and online activities.

The system, in development since 2009, will enable state agencies to monitor all digital interactions, the Times of India reported.

Work on CMS has been kept quiet for the past few years, although the newspaper reported that several government agencies ordered specialized equipment and systems for monitoring telecommunications.

India's government has steadily been increasing its access to telecommunications since the 2008 Mumbai bombings to help track militants and illegal activities.

The country — one of the world's fastest-growing internet markets — enacted its information technology law in 2000, and amended it twice, in 2008 and again in 2011.

As PCWorld described the new system,

The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers.

Internet freedom activists and privacy experts worry the project offers far too much access to citizens' communications. They say official agencies allegedly misused and leaked tapped phone conversations, while the government has sought to quash dissent and silence critics on the internet under the guise of preventing hate speech.

"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," Pranesh Prakash, the director of policy at the Center for Internet and Society, told the Times of India.

"Further, this has been done with neither public nor parliamentary dialog, making the government unaccountable to its citizens," he added.

The government last year blocked mobile phones and shut down social media sites ostensibly to prevent communal riots, but in the process blocked some 16 Twitter handles known to be critical of the government.

Critics of the CMS movement wrote a blog post arguing that the Indian government wants to use the law to censor "hate speeches and government criticism."

"We know the government today hates public criticizing it," the group Stop ICMS wrote on their blog. "The recent arrests of people for tweeting or posting on Facebook has proved that. Govt. does not like criticism that can be seen by everyone on the Internet."

The CMS program is in place in a "preliminary state" right now, with the full version expected to be in place by August 2014.

For more details visit https://cis-india.org/news/global-post-talia-ralph-jason-overdorf-may-9-2013-is-indias-govt-becoming-big-brother

Is India's Digital Health System Foolproof?

aayush — 2019-12-30T17:58:00Z

This contribution by Aayush Rathi builds on "Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?" (by Aayush Rathi and Ambika Tandon, EPW Engage, Vol. 54, Issue No. 6, 09 Feb, 2019) and seeks to understand the role that state-run reproductive health portals such as the Mother and Child Tracking System (MCTS) and the Reproductive and Child Health will play going forward. The article critically outlines the overall digitised health information ecosystem being envisioned by the Indian state.

This article was first published in EPW Engage, Vol. 54, Issue No. 47, on November 30, 2019

Introduced in 2013 and subsequently updated in 2016, the Ministry of Health and Family Welfare (MHFW) published a document laying out the standards for electronic health records (EHRs). While there exist varying interpretations of what constitutes as EHRs, some of its characteristics include electronic medical records (EMRs) of individual patients, arrangement of these records in a time series, and inter-operable linkages of the EMRs across various healthcare settings (Häyrinen et al 2008; OECD 2013).

To work effectively, EHRs are required to be highly interoperable so that they can facilitate exchange among health information systems (HIS) across participating hospitals. For this, the Integrated Health Information Platform (IHIP) is being developed so as to assimilate data from various registries across India and provide real-time information on health surveillance (Krishnamurthy 2018).

EHR Implementation: Unpacking the (Dis)incentive Structure

As the implementation of EHR standards is voluntary, anecdotal evidence indicates that their uptake in the Indian healthcare sector has been very slow. Here, the opposition of the Indian Medical Association to the Clinical Establishments (Registration and Regulation) Act, 2010, resulting in nationwide protests and subsequent legal challenges to the act, is instructive. To start with, the act prescribes the minimum standards that have to be maintained by clinical establishments which are registered or seeking registration (itself mandatory to run a clinic under the act) [1]. Further, Rule 9(ii) of the Clinical Establishments (Registration and Regulation) Rules, 2012, drafted under the act, requires clinical establishments to maintain EMRs or EHRs for every patient. However, with health being a state subject in India, the act has only been enforced in 11 states and all union territories except the National Capital Territory of Delhi (Jyoti 2018). The resistance to the act is largely due to protests by stakeholders from within the medical fraternity regarding its adverse impact on small- and medium-sized hospitals (Jyoti 2018).

Contextualising Clinicians' Inertia

Another major impediment to the adoption of EHRs by health service providers is reluctance on the part of individual physicians to transition to an EHR system. This is because compliance with EHR standards requires physicians to input clinical notes themselves.

Comparing the greater patient load faced by doctors in India vis-à-vis the United States (US), the chief medical officer of an EHR vendor in India estimates that the average Indian doctor sees about 40–60 patients a day, whereas in the US it may be around 18–20 patients (Kandhari 2017). This is suggestive of the wide disparity in the number of physicians per 1,000 citizens in both countries (World Bank nd). Given this, doctors in India tend to be more problem-oriented, time-strapped, and pay less attention to clinical notes (Kandhari 2017). Thus, clinicians will consider a system to be efficient only if the system reduces their documentation time, even if the time savings do not translate into better patient care (Allan and Englebright 2000). The inability of EHRs to help reduce documentation time deters clinicians from supporting their implementation (Poon et al 2004). Additionally, research done in the United States indicates that there is no evidence to suggest that an information system helps save time expended by clinicians on documentation (Daly et al 2002). Moreover, the use of an information system is stated to have had no impact on patient care, but doctors have acknowledged its use for research purposes (Holzemer and Henry 1992).

Prohibitive Costs of Implementation

While national-level EHRs have been adopted globally, their distribution across countries is telling. In a survey published in 2016 by the World Health Organization, wealthier countries were over-represented, with two-thirds from the upper-middle-income group and roughly half from the high-income countries having introduced EHR systems. On the other hand, only a third of lower-middle-income countries and 15% of low-income countries reported having implemented EHRs (World Health Organization 2016). A major reason for the slow uptake of EHRs in poorer countries is likely to be funding as EHR implementation requires considerable investment, with most projects averaging several million dollars (US) (Kuperman and Gibson 2003). Although various funding models for EHR implementation are being utilised globally, it is unclear what model will be adopted in India to bring in private healthcare service providers within its ambit (Healthcare Information and Management Systems Society 2007). This absence of funding direction for private actors poses to be a significant impediment in the integration of private databases with other public ones.

In general, poorer countries are also more likely to have less developed infrastructure and health Information and Communication Technology (ICT) to support EHR systems. Besides this, they not only lack the capacity and human resources required to develop and maintain such complex systems (Tierney et al 2010; McGinn et al 2011), but training periods have also been found to be long and more costly than expected (Kovener et al 1997).

Socio-economic Exclusions and Cross-cultural Barriers

There exists scant research investigating the existing use of EHRs in India, though preliminary work is being undertaken to assess EHR implementation in other developing countries (Tierney et al 2010; Fraser et al 2005). Even in the context of developed countries, where widespread adoption of EHRs has been gaining traction for some time now, very little data exists around implementation and efficacy in underserved regions and communities. This is further problematised as clinical information systems and user populations also vary in their characteristics and, for this reason, individual studies are unable to identify common trends that would predict EHR implementation success.

Underserved settings may lack the infrastructure needed to support EHRs. The risk of exclusion already exists in parts such as difficulties inherent in delivering care to remote locations, barriers related to cross-cultural communication, and the pervasive problem of providing care in the setting of severe resource constraints. Equally important is the fact that health workers who already report significant existing impediments in their delivery of routine care in these settings do not necessarily see EHRs as being useful in catering to the specific needs of their patient population (Bach et al 2004). Moreover, experience with EHRs also reveals that there are cultural barriers to capturing accurate data (Miklin et al 2019). What this could mean is that stigma associated with the diagnosis of conditions such as HIV/AIDS or induced abortions will result in their under-reporting even within EHR systems.

Stick or Twist?

Other modalities have been devised to nudge healthcare providers into adopting EHR standards voluntarily. The National Accreditation Board for Hospitals and Healthcare Providers (NABH), India, a constituent board of the Quality Council of India (a public–private initiative), has been reported to have incorporated the EHR standards within its accreditation matrix. NABH accreditation, considered an indicator of high quality patient care, is highly sought–after by hospitals in India in order to attract medical tourists as well as insurance companies: two prominent sources of income for hospitals (Kandhari 2017). Additionally, NABH accreditation is valid for a term of three years, thus requiring hospitals seeking to renew their accreditation to adopt EHR standards as well.

Another commercial use of EHR has been in health insurance. The Federation of Indian Chambers of Commerce and Industry (FICCI) and the Insurance Regulatory and Development Authority (IRDAI) have both voiced their support for expediting the implementation of the EHR standards (EMR Standards Committee 2013). Both, the FICCI and IRDAI have placed emphasis on adopting EHRs, seeing it as a necessary move for formalising the health insurance industry (FICCI 2015). They have also had representation on the committee that sent recommendations to the MHFW on the first version of the EHR standards in 2013 (FICCI 2015). FICCI had additionally played a coordination role in having the recommendations framed for the 2013 EHR standards.

Fluid Data Objectives

The push for EHR implementation is emblematic of a larger shift in the healthcare approach of the Indian state, that of an indirect targeting of demand-side financing by plugging data inefficiencies in health insurance.

The draft National Health Policy (NHP), published in 2015, reflected the mandate of the Ministry of Health and Family Welfare to strengthen the public health system by creating a right to healthcare legislation and reaching a public spend of 2.5% of the gross domestic product by 2018. The final version of the NHP, published in 2017, however, codified a shift in healthcare policy by focusing on strategic purchasing of secondary and tertiary care services from the private sector and a publicly funded health insurance model.

In line with the vision of the NHP 2017, in February 2018, the Union Minister for Finance and Corporate Affairs, Arun Jaitley, announced two major initiatives as a part of the government’s Ayushman Bharat programme (Ministry of Finance 2018). Administered under the aegis of the Ministry of Health and Family Welfare, these initiatives are intended to improve access to primary healthcare through the creation of 150,000 health and wellness centres as envisioned under the NHP 2017, and improve access to secondary and tertiary healthcare for over 100 million vulnerable families by providing insurance cover of up to ₹ 500,000 per family per year under the Pradhan Mantri–Rashtriya Swasthya Suraksha Mission/National Health Protection Scheme (PM–RSSM/NHPS) (Ministry of Health and Family Welfare 2018). The NHPS, modelled along the lines of the Affordable Care Act in the US, was later rebranded as the Pradhan Mantri–Jan Arogya Yojana (PM-JAY) at the time of its launch in September 2018. It is claimed to be the world’s largest government-funded healthcare programme and is intentioned to provide health insurance coverage for vulnerable sections in lieu of the Sustainable Development Goal-3 (National Health Authority nd).

To enable the implementation of the Ayushman Bharat programme, the NITI Aayog then proposed the creation of a supply-side digital infrastructure called National Health Stack (NHS) (NITI Aayog 2018). As outlined in the consultation and strategy paper, the NHS is “built for NHPS, but beyond NHPS.” The NHS seeks to leverage the digitisation push through IndiaStack, which seeks to digitalise “any large-scale health insurance program, in particular, any government-funded health care programs.” The synergy is clear, with the NHPS scheme also aiming to be “cashless and paperless at public hospitals and empanelled private hospitals" (National Health Authority nd) [2].

The NHS is also closely aligned with the NHP 2017, which draws attention to leveraging technologies such as big data analytics on data stored in universal registries. The Vision document for the NHS emphasises the fragmented nature of health data as an impediment to reducing inequities in healthcare provision. The NHS, then, also seeks to be the master repository of health data akin to the IHIP. By creating a base layer of registries containing information about various actors involved in the healthcare supply chain (providers such as hospitals, beneficiaries, doctors, insurers and Accredited Social Health Activists), it potentially allows for recording of data from both public and private sector entities, plugging a significant gap in the coverage of the HIS currently implemented in India. With the provision of open, pullable APIs, the NHS also shares the motivations of the IndiaStack to monetise health data.

A key component of the proposed NHS is the Coverage and Claims platform, which the vision document describes as “provid[ing] the building blocks required to implement any large-scale health insurance program, in particular, any government-funded healthcare programs. This platform has the transformative vision of enabling both public and private actors to implement insurance schemes in an automated, data-driven manner through open APIs " (NITI Aayog2018). A post on the iSPIRT website further explains the centrality of this Coverage and Claims platform in enabling a highly personalised medical insurance market in India: “This component will not only bring down the cost of processing a claim but ... increased access to information about an individual’s health and claims history ... will also enable the creation of personalised, sachet-sized insurance policies." These data-driven customised insurance policies are expected to generate “care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers … [and] use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers" (Productnation Network 2019). The Coverage and Claims platform, and especially the Policy (generation) Engine that it will contain, is aimed at intensive financialisation of personal healthcare expenses, and extensive experiments with designing personalised nudges to shape the demand behaviour of consumers.

The imagination of healthcare the NHS demonstrates is one where broadening health insurance coverage is equated to providing equitable healthcare and as a panacea for the public healthcare sector. The first phase of this push towards better healthcare provision is to focus on contextualising the historical socio-economic divide. The next phase is characterised by digitalisation: the introduction of ICT to bridge the socio-economic divide in healthcare provision. In this process, the resulting data divide has been invisibilised in reframing better healthcare as an insurance problem for which data needs to be generated. Each policy innovation is then characterised by further marginalisation of those that were originally identified as underserved. This is a result of increasing repercussions of the data-divide, with access to benefits increasingly being mediated by technology.

Concluding Remarks

The idea that any person in India can go to any health service provider/ practitioner, any diagnostic center or any pharmacy and yet be able to access and have fully integrated and always available health records in an electronic format is not only empowering but also the vision for efficient 21st century healthcare delivery.
— Ministry of Health and Family Welfare, Electronic Health Record Standards For India (2013)

The objective of health data collection has evolved over the course of the institution of the HIS in 2011, to the development of the NHPS and National Health Policy in 2017. What began as a solution to measure and address gaps in access and quality in healthcare provisioning through data analysis has morphed into data centralisation and insurance coverage. Shifting goalposts can also be found in the objectives behind introducing digital systems to collect data.

In recent iterations of the healthcare imaginary, such as the IHIP and the NHS, data ownership by the beneficiaries is stressed upon. In the absence of a rights-based framework dictating the use of data, the role of ownership should be interrogated, especially in the context of a prevalent data divide (Tisne 2019). The legitimisation of data capture can be seen in the emergence of opt-in models of consent, data fiduciaries managing consent on the data subject’s behalf, etc. (Zuboff 2019).

This framing forecloses a discussion about the quality and kind of data being used. The push towards datafication needs to be questioned for its re-indexing of categorical meaning away from the complexities of narrative, context and history (Cheney-Lippold 2018). Instead, the proposed solution is one that stores datafied elements within a closed set (reproductive health= [abortion, aids, contraceptive,...vaccination, womb]). While this set may be editable, so new interpretations can be codified, it inherently remains stable, assuming a static relationship between words and meaning. Health is then treated as having an empirically definable meaning, thus losing the dynamism of what the health and wellness discourse could entail.

It has been historically demonstrated in the Indian context that multiple tools and databases for health data management are a barrier to an efficient HIS. However, generating centralised or federated databases without addressing concerns in data flows, quality, uses in existing data structures, and the digital divide across health workers and beneficiaries alike will lead to the amplification of existing exclusions in data and, consequently, service provisioning.

Acknowledgements

The author would like to express his gratitude to Sumandro Chattapadhyay and Ambika Tandon for their inputs and editorial work on this contribution. This work was supported by the Big Data for Development Network established by International Development Research Centre (Canada).

Notes

[1] Section 2 (a) of the Clinical Establishments (Registration and Regulation) Act, 2010: A hospital, maternity home, nursing home, dispensary, clinic, sanatorium or institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicine established and administered or maintained by any person or body of persons, whether incorporated or not.

[2] The National Health Stack, then, is the latest manifestation of the Indian government’s push for a “Digital India.” A key component of Digital India has been e-governance, financial inclusion, and digitisation of transaction services. The nudge towards cashless modes of transaction and delivery, also accelerated by India’s demonetisation drive in November 2016, has led to rapid uptake of digital payment services in particular, and that of the IndiaStack initiative in general. Developed by iSPIRT, IndiaStack (https://indiastack.org/) aspires to transform service delivery by public and private actors alike through its “presence-less, paperless, and cashless” mandate.

References

Allan, J and Jane Englebright (2000): “Patient-Centered Documentation,” JONA: The Journal of Nursing Administration, Vol 30, No 2, pp 90–95.

Bach, Peter, Hoangmai Pham, Deborah Schrag, Ramsey Tate and J Lee Hargraves (2004): “Primary Care Physicians Who Treat Blacks and Whites,” New England Journal of Medicine, Vol 351, pp 575–84.

Cheney-Lippold, John (2018): We Are Data: Algorithms and the Making of Our Digital Selves, New Delhi: Sage.

Daly, Jeanette, Buckwalter Kathleen and Meridean Maas (2002): “Written and Computerized Care Plans,” Journal of Gerontological Nursing, Vol 28, No 9, pp 14–23.

EMR Standards Committee (2013): “Recommendations on Electronic Medical Records Standards in India,” Ministry of Health and Family Welfare, Government of India, New Delhi, https://mohfw.gov.in/sites/default/files/24539108839988920051EHR%20Standards-v5%20Apr%202013.pdf.

Federation of Indian Chambers of Commerce and Industry (2015): "A Guiding Framework for OPD and Preventive Health Insurance in India: Supply and Demand Side Analysis," http://ficci.in/spdocument/20678/P&P-helath-insurance.pdf.

Fraser, Hamish, Paul Biondich, Deshendran Moodley, Sharon Choi, Burke Mamlin and Peter Szolovits (2005): “Implementing Electronic Medical Record Systems in Developing Countries,” Journal of Innovation in Health Informatics, Vol 13 No 2, pp 83–95.

Häyrinen, Kristiina, Kaija Saranto and Pirkko Nykänen (2008): “Definition, Structure, Content, Use and Impacts of Electronic Health Records: A Review of the Research Literature,” International Journal of Medical Informatics, Vol 77, No 5, pp 291–304.

Healthcare Information and Management Systems Society (2007): “Electronic Health Records: A Global Perspective,” http://www.providersedge.com/ehdocs/ehr_articles/Electronic_Health_Records-A_Global_Perspective-Exec_Summary.pdf.

Holzemer, William and S B Henry (1992): “Computer-supported Versus Manually-generated Nursing Care Plans: A Comparison of Patient Problems, Nursing Interventions, and AIDS Patient Outcomes,” Computers in Nursing, Vol 10 No 1, pp 19–24.

Jha, Ashish, Catherine DesRoches, Eric Campbell, Karen Donelan, Sowmya Rao, Timothy Ferris, Alexandra Shields, Sarah Rosenbaum and David Blumenthal (2009): "Use of Electronic Health Records in U.S. Hospitals," New England Journal of Medicine, Vol 360 No 16, pp 1628–1638.

Jyoti, Archana (2018): “States Give Clinical Establishment Act Cold Shoulder," Pioneer, https://www.dailypioneer.com/2018/india/states-give-clinical-establishment-act-cold-shoulder.html.

Kandhari, Ruhi (2017): “Why a Backdoor Push Towards eHealth,” Ken, https://the-ken.com/story/why-backdoor-push-towards-ehealth/.

Kovner, Christine, Lynda Schuchman and Catherin Mallard (1997): “The Application of Pen-Based Computer Technology to Home Health Care,” CIN: Computers, Informatics and Nursing, Vol 15, No 5, pp 237–44.

Krishnamurthy, R (2018): “Integrated Health Information Platform for Integrated Disease Surveillance Program,” Training of the Trainer Workshop, World Health Organisation, New Delhi, https://idsp.nic.in/WriteReadData/IHIP/IHIP%20ToT-Overview-Presentation.pdf.

Kuperman, Gilad and Richard Gibson (2003): “Computer Physician Order Entry: Benefits, Costs, and Issues,” Annals of Internal Medicine, Vol 139 No 1, pp 31–9.

Leung, Gabriel, Philip Yu, Irene Wong, Janice Johnston and Keith Tin (2003): “Incentives and Barriers That Influence Clinical Computerization in Hong Kong: A Population-based Physician Survey,” Journal of the American Medical Informatics Association, Vol 10 No 2, pp 201–12.

McGinn Carrie Anna, Sonya Grenier, Julie Duplantie, Nicola Shaw, Claude Sicotte, Luc Mathieu, Yvan Leduc, France Légaré and Marie-Pierre Gagnon (2011): “Comparison of User Groups' Perspectives of Barriers and Facilitators to Implementing Electronic Health Records: A Systematic Review,” BMC Medicine, Vol 9 No 46.

Miklin, Daniel, Sameera Vangara, Alan Delamater and Kenneth Goodman (2019): “Understanding of and Barriers to Electronic Health Record Patient Portal Access in a Culturally Diverse Pediatric Population,” JMIR Medical Informatics, Vol 7, No 2.

Ministry of Finance (2018): “Budget 2018-19: Speech of Arun Jaitley,” New Delhi, https://www.indiabudget.gov.in/ub2018-19/bs/bs.pdf.

Ministry of Health and Family Welfare, Government of India (2008): "4 Years of Transforming India-Healthcare for All," New Delhi. https://mohfw.gov.in/ebook2018/gvtbook.html.

Ministry of Health and Family Welfare, Government of India (2013): “Electronic Health Record Standards For India,” Government of India, New Delhi, https://www.nhp.gov.in/NHPfiles/ehr_2013.pdf.

Ministry of Health and Family Welfare, Government of India (2017): Request for Proposal: Development and Implementation of Integrated Health Information Platform (IHIP), Centre for Health Informatics, National Institute of Health and Family Welfare, New Delhi, https://nhp.gov.in/NHPfiles/IHIP_RFP%20.pdf.

Ministry of Health and Family Welfare, Government of India (2018): “IDSP Segment of Integrated Health Information Platform,” New Delhi, https://idsp.nic.in/index4.php?lang=1&level=0&linkid=454&lid=3977.

National Health Authority (nd): “About Pradhan Mantri Jan Arogya Yojana (PM-JAY) | Ayushmaan Bharat,” https://www.pmjay.gov.in/about-pmjay.

NITI Aayog (2018): “National Health Stack- Strategy and Approach,” NITI Aayog, New Delhi, http://www.niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf.

Organisation for Economic Co-operation and Development (2013): “Strengthening Health Information Infrastructure for Health Care Quality Governance: Good Practices, New Opportunities and Data Privacy Protection Challenges,” OECD Health Policy Studies, Paris, OECD Publishing, https://read.oecd-ilibrary.org/social-issues-migration-health/strengthening-health-information-infrastructure-for-health-care-quality-governance_9789264193505-en.

Poon, Eric, David Blumenthal, Tonushree Jaggi, Melissa Honour, David Bates and Rainu Kaushal (2004): “Overcoming Barriers to Adopting and Implementing Computerized Physician Order Entry Systems in U.S. Hospitals,” Health Affairs, Vol 23 No 4, pp 184–90.

Productnation Network (2019): “India’s Health Leapfrog–Towards A Holistic Healthcare Ecosystem,” iSpirt, https://pn.ispirt.in/towards-a-holistic-healthcare-ecosystem/.

Rathi, Aayush and Ambika Tandon (2019): “Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?” EPW Engage, https://www.epw.in/engage/article/data-infrastructures-inequities-why-does-reproductive-health-surveillance-india-need-urgent-attention.

Sequist, Thomas, Theresa Cullen, Howard Hays, Maile Taualii, Steven Simon, and David Bates (2007): “Implementation and Use of an Electronic Health Record Within the Indian Health Service,” Journal of the American Medical Informatics Association, Vol 14, No 2, pp 191–97.

World Bank (nd): Physicians (per 1,000 people) | Data, https://data.worldbank.org/indicator/SH.MED.PHYS.ZS.

Tierney, William et al. (2010): “Experience Implementing Electronic Health Records in Three East African Countries,” Studies in Health Technology and Informatics, Vol 160, No 1, pp 371–75.

Tisne, Martin (2018): “It’s Time for a Bill of Data Rights,” MIT Technology Review, https://www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/.

World Health Organization (2016): “Global Diffusion of eHealth: Making Universal Health Coverage Achievable,” https://apps.who.int/iris/bitstream/handle/10665/252529/9789241511780-eng.pdf;jsessionid=9DD5F8603C67EEF35549799B928F3541?sequence=1.

Zuboff, Soshana (2019): The Age of Surveillance Capitalism, New York: PublicAffairs.

For more details visit https://cis-india.org/raw/is-indias-digital-health-system-foolproof

Is freedom of expression under threat in the digital age?

praskrishna — 2013-02-03T10:50:52Z

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

This post by Mahima Kaul was published in Index on Censorship on January 18, 2013.

Index on Censorship, in partnership with The Editors Guild of India, hosted a debate in New Delhi on Tuesday (15 January) asking, “Is freedom of expression under threat in the digital age?” Discussing the topic were Ajit Balakrishnan (founder and Chief Executive of rediff.com), Index on Censorship CEO Kirsty Hughes, Sunil Abraham (Executive Director of the centre for Internet and Society), and Professor Timothy Garton Ash, Director of the Free Speech Debate project.

Sunil Abraham questioned the idea of technology specific “internet freedom” that has been advocated by many not least the US Secretary of State Hillary Clinton. He said there was for instance much greater freedom and diversity on Indian TV than in the US. He also argued that that this freedom does not seem to extend to a right of access to knowledge, as demonstrated by the charges brought against open access activist and developer Aaron Swartz, who committed suicide earlier this month. Swartz was facing charges for allegedly downloading 4.8 million academic articles from subscription-only digital library JSTOR.

Abraham said one unintentional effect of censorship by governments is that it teaches citizens how to protect themselves online. Finally, he questioned the Indian government’s draconian laws and arbitrary actions in the digital realm, wondering whether this is the authorities’ way of warning future netizens about “acceptable online behaviour”, to condition the public not to criticise the government and to create a chilling effect.

Digital

Is freedom of expression under threat in the digital age?

18 Jan 2013

This week Index held a high level panel debate in partnership with the Editors Guild of India and the India International Centre to discuss the question “Is freedom of expression under threat in the digital age?” Mahima Kaul reports

Freedom of expression is always under threat and in need of defending, argued Timothy Garton Ash. However, he didn’t think the threat was particularly high today in the digital realm — rather the threats to privacy were what were particularly concerning online. With 76.8 per cent of India’s 1.2 billion population connected by mobile phone, there is an extraordinary opportunity for the prevalence of freedom of expression brought about by new technologies. But he said there are also a lot of challenges to free expression in India — and that “swing states” such as Brazil and India will be very important in determining where the global conversation goes on freedom of expression

Ajit Balakrishnan, founder of web portal Rediff.com, explained that many of the problems that have occurred in the digital realm in India have to do with poor drafting of legislation. He was particularly concerned about intermediary liability and explained why and how intermediaries roles needed protecting. He also explained that government officials have genuine problems with phrasing, and that when it comes to the application of these laws, understanding them and when they should be applied will take another 25 years. He added that the country is challenged by a legal system ill-equipped for coping with new technologies.

Kirsty Hughes said that freedom of expression is a universal right, meant to be applied across borders not just within countries. She said that while the digital domain allowed a big expansion in freedom of expression there were risks we are heading towards a more controlled net, a partially censored net, and a fragmented net (for instance with Iran attempting to build its own internet disconnected from the rest of the world). She said that some of the negative reactions by government to social media in India were seen to in the UK where there had been a trend towards criminalising supposedly offensive comment — although the new interim guidelines on social media prosecutions were a step in the right direction. Hughes emphasised three main concerns — state censorship, privatisation of censorship and the role of big companies, and mass surveillance. She pointed out that the British government had pushed for extensive surveillance with the Communications Data Bill, but this has now been shelved after a critical report from MPs.

Ramanjit Singh Chima, policy adviser for Google, said that the question is not about absolute freedom, but about what is appropriate and lawful. He emphasised that in the US, judges had strongly defended free expression online as they saw the digital world as a powerful space for free exprssion. He pointed out how effective social media tools, including Google’s own products, have become in helping during emergency situations like natural disasters and terrorist attacks. He also pointed out that the internet is not only about free expression but business as well. The internet contributes to 1.6 per cent of India’s GDP. Singh Chima said positive judgements by US and EU courts protect the users, adding that regulation for the net should be appropriate for its engineering.

For more details visit https://cis-india.org/news/index-on-censorship-mahima-kaul-january-18-2013-is-freedom-of-expression-under-threat-in-the-digital-age

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit https://cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security

IRC22 Call for Sessions pdf

pranav — 2022-02-11T12:10:27Z

For more details visit https://cis-india.org/raw/irc22-call-for-sessions-pdf

IRC22 - Proposed Session - #DigitisingCrisesRemakingHome

Admin — 2022-04-25T12:23:42Z

Details of a session proposed for the Internet Researchers' Conference 2022- #Home.

Internet Researchers' Conference 2022 - # Home - Call for Sessions

Session Type: Panel Discussion

Session Plan

The session is planned as a panel discussion between three scholars on three distinct, interconnected notions of home – specifically the home as a dwelling unit, an administrative unit (such as a municipality, a city, or a state), and a country (or a nation state) in the context of India. We intend to parse these ideas within the context of the ongoing Covid-19 pandemic to discuss notions of ‘safety’, ‘trust’, ‘support’, and ‘access’ by examining the digital turn in all three kinds of ‘home’. The session will open with the scholars speaking to each other, and laying out the central ideas. The conversation between the three scholars will act as provocations to enable a larger discussion with other attendees.

In 2020, when the first Covid-19 lockdowns began, the internet was discussed as a space of solidarity, of meeting, entertainment, work, and of support. But soon it became evident that access to such spaces of solidarity or support was not necessarily equal. While for some it was almost non-existent, for many others it was limited or regulated. In the Indian context these differences only stood out further due to unequal access to infrastructure, healthcare, and even basic necessities such as food that was starkly apparent in the long march of several thousand migrant workers from cities back to their ‘homes’ in rural areas at the height of the Indian summer.

At the national level, the digital response to the pandemic was most palpable. The use of contact tracing through apps such as Aarogya Setu, the CoWin portal for vaccinations, and the often arbitrary use of drones, facial recognition, and artificial intelligence have raised questions about surveillance, inclusion, and how useful technology can be in assisting a public health crisis. Often such responses reflected a law and order response to what has been a public health crisis. On the other hand, the establishment of Vande Bharat missions to bring stranded Indians from around the world ‘back home to India’ presented a very different idea of home.

Administrative units at the state and local levels had differing procedures and interventions. Many attempted to follow the guidelines and interventions laid out by the central government, others introduced their own digital solutions but soon found that these were not enough to actually deliver governance during the pandemic.

This session will explore the ‘how’ and ‘why’ of the digital becoming the default mode of managing the pandemic–or any sort of threat. We ask if the idea of ‘home’ as a ‘safe space’ had ever really been so and whether the pandemic exacerbated existing exploitative mechanisms within a ‘home’ – be it the dwelling, the city, or even one’s country. We also intend to discuss issues of access, surveillance, privacy, vulnerability, the burdens of care-work, the exploitative extraction of data, and divergent understandings of consent frameworks within these three axes of the idea of the ‘home’.

Session Team

Vidya Subramanian is Raghunathan Family Fellow, South Asia Institute, Harvard University. She is an interdisciplinary scholar whose research interests lie at the intersection of technologies and societies. Her current research investigates the changing nature of citizenship in the technological society we now inhabit. Focusing on India, her research is loosely framed by two large issues: the first is the colonisation of the everyday so-called real world by the digital; and the second is how power permeates and is implicated in such technologies.

Kalindi Kokal is Post Doctoral Fellow, Centre for Policy Studies, IIT Bombay. She has a doctorate in law from the Martin Luther University, Halle-Wittenberg, Germany. Her doctoral work centred on understanding how non-state actors in dispute processing engage with state law. Her dissertation is an ethnographic study of dispute-processing mechanisms in two rural communities in the states of Maharashtra and Uttarakhand in India. She works on understanding how the manner in which people actually experience state law coupled with their perceptions of dispute resolution and state courts underscore the need to explore broader understandings of law and dispute resolution.

Uttara Purandare is PhD Researcher, IITB-Monash Research Academy. She is pursuing her PhD in Public Policy under a joint programme offered by IIT Bombay and Monash University. Her area of research is smart cities. Looking specifically at the intersection of technology, gender, and governance, Uttara’s research focuses on how safety and surveillance are constructed by the smart city rhetoric and the role of private sector firms in governing the smart city. The COVID-19 pandemic and the technologies that have been introduced by national governments and smart cities purportedly to curb the spread of the virus have raised interesting questions about privacy and citizens’ rights during a crisis. Uttara is presently exploring some of these questions within the Indian context.

For more details visit https://cis-india.org/raw/irc22-proposed-session-digitisingcrisesremakinghome

IRC19 - Proposed Session - #ListsAsDatabase

sumandro — 2018-11-26T13:20:14Z

Details of a session proposed by Ria De and Samata Biswas for the Internet Researchers' Conference 2019 - #List.

Internet Researchers' Conference 2019 - #List - Call for Sessions

Session Plan

The internet-based List of Sexual Harassers in Academia (LoSHA), initiated by Dalit feminist and lawyer activist Raya Sarkar in 2017 anonymously crowd-sourced names of academics and activists who were accused of harassing women colleagues and students. While a large number of women in the academia rallied in support of the list and its motivations, it also unleashed anxieties about how the list was put together, and the kind of impact it was feared to have. Variously, it has been equated to Khap Panchayats, vigilantism, mob lynchings etc. Last month, the government of India launched an online National Database on Sexual Offenders (NDSO), which will contain the details—names, photographs, residential address, fingerprints, DNA samples, PAN and Aadhar numbers—of individuals convicted on charges of sexual offences against women and children. An associated portal, the Cyber Crime Prevention Against Women and Children (CCPWC) was also launched where citizens can enter complaints against child pornography and other sexually explicit material. Both are modes of digital enlisting through the use of new media technologies, one that is open access and therefore available for modification, co-option and critique, while the other is to be accessible only to law personnel. This two-member panel locates the list in the context of ongoing debates about the conversion of social justice and rights issues in to data repositories. We take in to account the debates on the Right to be Forgotten or the right to delist from the internet, as a specific concern raised in the Personal Data Protection Bill 2018 submitted by the Justice B.N. Krishna Committee. The Bill recognises data principals (or the individuals to whom personal data belongs) as a central component of the legal framework, and subjects data fiduciaries (or agencies seeking to collect, use and process personal data) to the free, informed and explicit consent of the data principals. Right to be Forgotten has clearly emerged as a logical extension of the demands for one’s Right to Privacy. Given that a number of logics, that of ‘naming and shaming’ of offenders, a digital list (database) as a means of communication, dissemination of information and surveillance etc. underscore both the #LoSHA and the NDSO, how do we navigate the messy terrain of human rights concerns about the freedom of speech and expression on the one hand, and the rights to privacy on the other hand? We also think about this vis-a-vis the larger issues related to the data economy and those of data ownership. We refer to studies on state-generated data on crime in India and elsewhere to understand how such data artefacts can be monopolised and processed by private and non-governmental agencies, and how they co-opt contemporary feminist politics and articulations?

We, Samata Biswas and Ria De, will present a collaborative study, organised across two 30 minute long papers, plus a 15 minute discussion time for each totalling to the mandated 90 minute session. The first paper will study the form and scope of the list as a digital artefact through a detailed analysis of the #LoSHA and the NDSO. The second paper will configure the two lists in terms of their status within the data economy.

Session Team

Ria De is pursuing her PhD in Film Studies at the English and Foreign Languages University, Hyderabad. Her doctoral research was about stardom and intermediality. She is interested in popular culture, network and media studies and gender. Currently, she is interested in the women’s movements in the Indian film industries.

Samata Biswas teaches English Literature at Bethune College, Kolkata, India. Her doctoral research was about body cultures in contemporary India, analysing fitness, weight loss, and diet discourses as present in popular media as well as through narratives of participants. She is interested in visual culture, gender studies, and literature and migration. At present, she is trying to map Kolkata as a sanitary city, focusing on access to clean sanitation or the lack thereof. She runs the blog ‘Refugee Watch Online’. Her latest publication is on “Haldia: Logistics and Its Other(s)” in Brett Neilson, Ned Rossiter, Ranabir Samaddar (Edited) Logistical Asia: The Labour of Making a World Region. (Palgrave Mcmillan, 2018)

For more details visit https://cis-india.org/raw/irc19-proposed-session-listsasdatabase

IRC16 - Proposed Session - #MinimalComputing

sumandro — 2016-01-03T06:57:20Z

This is a session proposed for the Internet Researchers' Conference (IRC) 2016 by Padmini Ray Murray and Sebastian Lütgert.

Session

The triumphal mythic narrative of India’s relatively high and rapid rates of Internet penetration is underpinned by the country’s access to data via mobile devices. The black box proprietary technology of the iPhone, or the less explicitly restrictive nexus (pun unintended) between the Android OS with device manufacturers, has meant we have large swathes of technology users whose only encounter with online content has been via these closed ecosystems. Minimal computing is both an intellectual intention and pragmatic response that seeks to disrupt these systems by subverting existing frameworks and creating new infrastructures, acknowledging the ground realities that exist in India, such as lack of resources and access. This position essentially privileges “ease of use, ease of creation, increased access and reductions in computing—and by extension, electricity” (Gil). The intention of this workshop is to explore, discover, discuss and build resources that observe these tenets, under different heads, such as physical computing, archives, interface, database.

One of the obvious outcomes of the growth of digital technology in the region is the increasing intersection with the scholarly record – be that a theorizing of these new contexts, as is the case at this conference, or in the building of dissemination tools for memory institutions or academic scholarship. As such scholarship (which would be considered under the rubric of the digital humanities) is still in its early stages, it is incumbent upon us to set an example for other scholars when we build these resources; fast to load, easy to build and administer, which can function in low-bandwidth areas – especially as we embark on larger scale projects that are now possible through advances in digitization of different forms of content, as well as of Indic language character sets. Uses of technology in India are often anarchic, and the digital is constantly imbricated with the analogue and these grassroots, informal practices could usefully inform scholarship in this area, and possibly be transposed to other similar environments, such as those found in the global south.

The other crucial exploration that will be undertaken in this workshop will be how to use guerilla computing and other methods to safeguard our fundamental human rights both online and offline, strategies increasingly essential in a country where censorship against individuals and misuse of personal data is rapidly on the rise. The online citizen must be encouraged to think about the virtual space in which s/he works and plays, and learn how to navigate it responsibly, by being alert to the dangers of the networked world being overly regulated, and this workshop will also discuss surveillance and collection of personal data by governments, corporations, advertisers, and hackers, and how to circumvent it using relatively simple methods.

Plan

At the outset of the workshop, participants will be introduced by the co-leaders to some examples and concepts in #minimalcomputing, and then to a range of tools and resources such as Markdown, Jekyll, Pan.do/ra, Pandoc etc., as well as simple encrypting methods. Participants will also be encouraged to share examples of good practice that they might have encountered in their own contexts.

Participants will then be asked to consider a digital project that they might be in the process of building, or envisioning, or to reflect on their personal digital footprint and be facilitated by the co-leaders on how to rebuild and reimagine these using a minimal computing perspective, and to document these ideas so they might be shared with the rest of the group, and promote more discussion.

The aim of the workshop is to draw upon collective expertise to create a handbook of sustainable, scalable resources that can be created without over reliance on third party infrastructures, in order to retain agency over projects initiatives and digital identities; and provide a roadmap for an alternative Internet that meets the needs of users in both personal and professional contexts.

Readings

Budish, Ryan and West, Sarah Myers and Gasser, Urs. Designing Successful Governance Groups: Lessons for Leaders from Real-World Examples (August 2015). Berkman Center Research Publication No. 2015-11. Available at SSRN: http://ssrn.com/abstract=2638006.

This reading sets out how an effective multistakeholder governance group might be structured, convened and operate and its stated values of inclusiveness, transparency, accountability, legitimacy, and effectiveness might serve as a useful guide to how we might envision a #minimalcomputing community.

Gil, Alex. The User, the Learner and the Machines We Make. Minimal Computing website. (May 2015). Available at: https://go-dh.github.io/mincomp/thoughts/2015/05/21/user-vs-learner/.

This reading sets out some of the underlying concepts of #minimalcomputing and raises important questions that might be flagged up for discussion during the workshop.

https://github.com/xpmethod/dhnotes/

A growing resource for relevant material and information on #minimalcomputing – start here.

For more details visit https://cis-india.org/raw/irc16-proposed-minimalcomputing

IRC16 - Proposed Session - #DisruptiveTransport (Aggregators, Ownership, Tracking, Space, Internet Models)

sumandro — 2016-01-03T07:00:57Z

This is a session proposed for the Internet Researchers' Conference (IRC) 2016 by Srinivas Kodali and William F. Stafford Jr.

Session

Transportation has been seeing disruptions through Internet aggregators using complex models which nobody understands in detail. This is primarily being seen in the space of urban transport, but is not limited to them alone. 1960`s saw disruptions in airline industry when each airline was fighting for it's own space in flight reservations and aggregations. This disruptive trend is now being observed globally in other transport modes. Aggregators are playing an important role in transporting people and disrupting markets globally. Internet Models are varying within aggregators who are not limiting themselves to ticket reservation, but are also providing information about the availability of transportation options. With increasing demand and surge pricing taking up the market, what is the role of the state. What are the ownership rights of an aggregator? What are licensing/lease models of a provider? What about un-fair practices and consumer rights? What forms of labour and regulation are imagined? What is the role of state run aggregators like IRCTC in this changing landscape?

Many of the platforms that have been created, primarily in the beginning concerning tracking or making complaints, were accessed through websites and have since been migrated either to a combined website/ app structure, or wholly to smartphone apps. This raises interesting and important questions concerning the imagination of an increased reliability and accesibility of services, as well as a power to hold public institutions accountable, as they relate to the question of access to these technologies and the habits of their use, especially demographically and linked to class.

Furthermore, both the near and far future promise an reworking of the internet as a system with which commuters and others interface to consume or deliver a service, to transport as one part of a mobility ecosystem, which is currently being tooled (both in regulatory frameworks and industrial planning) as a microcosm of the internet of things. With internet being connected to personal transport at every intersection of the road, what is the scope of privacy and accountability, the role of encryption layer and also the importance of governance in the fragile/disrupting space. How will the internet impact personal transport of citizens and the economy? Cashless payments, driver-less cars, surge-congestion pricing with disruptive internet models need regulation before they over-run and create chaos with the system.

Plan

The session will focus on Delhi as a case study.

Discussants will present their current work around these questions, and then open a discussion among those present on the issues raised therein.

The first discussant will present on the changing architecture of the auto-rickshaw meter as a regulatory platform, from the recent introduction of GPS to the creation of various surveillance and business models which either exploit its native GPS or duplicate and substitute it through the use of smartphones, and the folding of autos into the emerging e-hailing environment and the possible implications of changes being sought in the regulatory framework for connected vehicles. These include technological treatments of questions of class, trust and accountability, as well as significant policy and material changes in the classification of what is owned, by whom, and its conditions of transfer.

Srinivas will continue the presentation on transport data by showing use cases and potential harms about the data. How big data is changing the landscape of transportation systems and privacy concerns with the future of autonomous vehicles and intelligent traffic management systems. Data driven decisions are a big concern when data can also be used to lie at a scale. Data ownership and rights are a challenge the state and the citizen need to think about before forcibly submitting data.

The discussion will be primarily around:

Digital Ownership and Physical Ownership
Scope of Internet Governance on Aggregators
Pricing Models and Service Availability
Future of On-Demand Transportation Services vs Public Transportation

Readings

None.

For more details visit https://cis-india.org/raw/irc16-proposed-disruptivetransport

IRC 22 - Proposed Session - # ActFromHome

Admin — 2022-04-25T12:46:10Z

Details of a session proposed for the Internet Researchers' Conference 2022 - #Home.

Internet Researchers' Conference 2022 - # Home - Call for Sessions

Session Type: Workshop or Collaborative Working Session

Session Plan

Objectives of the Session

With the onset of the COVID-19 pandemic, nations across the world instituted a range of public health measures that limited mobility in many areas, while confining families to homes for indefinite periods of time. Poverty, unemployment and other forms of inequality rose - both within and outside the home. Further, angst against various issues rose- worsening climate injustices, racial violence, gender discrimination, arbitrary layoffs across workplaces, and silencing of minority voices. In a pre-pandemic era, such issues would have elicited physical protest movements by the groups concerned, but with limited mobility - the digital space has become an arena for home-based protests and movements.

This workshop seeks to answer a fundamental question: “Can democracies under crisis survive the home based protests across digital platforms?” It will highlight the role of emerging technologies in shaping the role of home-based digital protests across nations and cultures, with a specific focus on perspectives from Israel and India. Further, it will analyse the immense opportunities and pitfalls of driving home-based social movements on digital platforms. Moreover, the workshop will investigate the ambiguous positioning of online government surveillance and content moderation on collective human rights, with a specific focus on human rights within the home. In addition, it will examine the impact of digital home-based protests upon the aptness and scope of modern democratic regimes.

Course of the Session and Work Division

Overview on the role of digital spaces and emerging technologies in promoting the role of the home as a space for protest
Thought exercise involving participants in analysing the merits and demerits of digitising home-based social movements.
Discussion on government surveillance and content moderation
Discussion on the impact of digital home-based protests
Group work involving participants in designing a digital social movement for a given cause (from a range of causes including climate action, gender equality, vaccine nationalism etc.)

Session Team

Maya Sherman is an Israeli Weidenfeld-Hoffmann leadership Scholar and MSc student of Social Sciences of the Internet at the Oxford Internet Institute, exploring the aptness of digital surveillance policies in democratic regimes. At Oxford, she was selected to represent the university in the Europaeum Policy Seminar, discussing data governance and stargu in the EU, as well as serving as one of 100 promising young leaders in the Global Leadership Challenge 2021. Maya is currently leading several research and policy projects and teams of AI for Good, cooperating with big tech companies as Dell and Microsoft in the UK.

Rai Sengupta is currently pursuing an MSc in Evidence-Based Social Intervention and Policy Evaluation at the University of Oxford. She is the recipient of the prestigious Weidenfeld Hoffmann Scholarship, a

prestigious full scholarship to Oxford which is granted to 35 scholars globally, in a bid to cultivate the leaders of tomorrow. While at Oxford, Rai is working as a consultant with the Asian Development Bank, helping to

integrate Environmental, Social and Governance (ESG) considerations across the national statistical infrastructure of 5 Asian nations.

For more details visit https://cis-india.org/raw/irc22-proposed-session-actfromhome

IPv6: The Transition Challenge

nishant — 2012-06-13T09:59:27Z

The future of our connected networks is Internet Protocol version 6 (IPv6). Not only is it more efficient and faster than IPv4 which we are currently working with, it is also more reliable and secure.

The IPv6, for instance, has an in-built security protocol called IPSec, which authenticates and secures all IP data. The data carrying capacity of IPv6 networks is also going to be higher. This means that more devices with more features will be able to work seamlessly through these networks. Despite the larger load of information, IPv6 packets are easier to handle and route, just like postcards with pincodes in their addresses are easier to deliver than those without.

We have already seen great examples of successful implementation during the 2008 Beijing Olympics. Every aspect from the security surveillance to managing vehicles and the coverage of the Olympic events was done over IPv6, including live streaming of the events over the Internet. The Chinese government, in fact, has already launched a ‘China Next Generation Internet’ (CNGI) project to build IPv6 networks which are going to radically change the face of high-speed internet in the country. With all these benefits available to us in this next generation protocol, the question that remains is why only a meagre 2% of the world’s internet traffic is conducted through it? Why haven’t more ISPs shifted to IPv6?

There are two very clear reasons. The first one is that of costs and infrastructure. The IPv6 platforms do not communicate easily with the IPv4 networks. We have the choice of a mammoth transition of all IPv4 websites and networks to new IPv6 protocols. This idea of abandoning IPv4 and moving to a new protocol is not only redundant; it is also futile, because IPv4 is already running the largest network in human history quite efficiently. What we need is translators which will be able to speak to both the different versions and help our devices work through them seamlessly. Older, more successful technologies have been able to do this. So, television, for instance, whether it receives terrestrial data, satellite images or data transferred via cable, is able to translate and render them into images and sounds which we can consume with ease. However, the translators for the IPv4 – IPv6 still expensive and we need more resources diverted towards making them affordable.

The second reason is linked to the first. In order for IPv6 to become popular, it needs a minimum threshold of service providers and users riding that network. As long as the deployment remains nascent, there will be no concentrated energy to actually try and make the bridges between versions 4 and 6. While global technology organisations like Tata Communications are ready for the transition, we are going to need a systemic change among all stakeholders to make IPv6 a reality, towards a faster, safer and more robust Internet.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

Nishant Shah is Director-Research at the Bangalore based Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com

The above blog post was reproduced in MIS Asia, CIO Asia, Computer World Singapore, and Computer World Malaysia.

For more details visit https://cis-india.org/internet-governance/ip-v-6-the-transition-challenge

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

Inventions that will make a difference

praskrishna — 2014-02-12T11:07:02Z

In an increasingly tech-driven world, what does 2014 have to offer? Geeta Padmanabhan turns the spotlight on some life-changing gadgets.

Geeta Padmanabhan's article published in the Hindu on January 1, 2014 quotes Maria Xynou.

Digiterati, have you tried Snapchat, the service that makes messages/photos/captions you send disappear in a few seconds once opened? The app with its swelling popularity among the young demands a re-think about data: do you need it around forever? In a remarkable step forward, 2014 may see Forever Internet and Erasable Internet living side by side.

What else is in store? “Your mobile devices and PCs will get more intelligent and remember your different passwords,” said J. Prasanna, AVS labs. “Advanced biometrics will enable scanning (fingerprint/retina) without devices. Sharper attack simulation on the cyber-world will force corporates to improve defence. Industrial houses will opt for more mobile devices — computers like raspberry pi — for logistics/checking. “You may not see a workstation at all!” Maria Xynou, The Centre for Internet and Society, foresees surveillance technologies getting smarter with artificial intelligence software, and people fending them off with crypto-like privacy software. “This might trigger more intrusive technologies,” she said.

Big data will grow bigger. Many of the products we depend on — Google's spell-checker, translation service, traffic maps, search-suggestions; Amazon.com's AMZN +0.13% media; Facebook’s News Feed, “friend” facilities — have come out of a huge cache of user data. But Kaspersky Lab expects cybercriminals to use refined mobile-phishing, banking-Trojans and mobile-botnets to hack and modify private information. VPN (virtual private network) services and Tor-anonymisers will become popular, demand for local encryption tools will spurt, it predicts.

Folding phones?

Now that curved display (G-Flex) is here, 2014 may bring in “roll-up or fold” smartphones/tablets to fit into our wallets. Also, with smarter tracking-tools and voice-recognition technology smartphones will become so intuitive and efficient that they may reflexively cater to our needs. “It will become a context engine — aware of where it is, where you are going, what you need,” said futurist Paul Saffo. Apple will launch the anticipated big-screen iPhones and iPads (12.9-inch or 13.3-inch), reports Digitimes. Upcoming iPhone models will have a 20mm chipset, and a choice between 4.7-inch and 6-inch display panel. But don't throw away your MacBook Air or MacPro yet.

“Prepare for a life-changing gadget,” says BBC, referring to Oculus Rift, a “consumer-focused virtual-reality headset”, to be launched by Kickstarter. You wear it and you'll see yourself running along a beach, flying in a spaceship, riding a roller-coaster, it says. Impatient for the “real” one? There are no tech hurdles to having a vehicle that is part-car, part-plane, part-drone parked outside your home, says Missy Cummings, Aeronautics/Astronautics Professor, MIT. The fly-by-wire Airbus is a drone, anyway. Automated systems with micro-second reactions will make transportation network — ground and air — safer. Your regular car will gain advanced tech features, from in-built sat-navs, parking assistance to voice-activated/touchscreen DVD players and radios.

Educator Sugata Mitra hopes to launch an entire school in the cloud — the tech-cloud. Retired teachers in remote areas will teach through Skype, classrooms will be beamed from all parts of the planet — “deep in the jungle, or high on a mountain.” Kids can just gather at one home for lessons, he said.

Robots will take longer strides in 2014. Google's Japanese start-up robot won the Darpa rescue-challenge by carrying out all the eight rescue-themed tasks ahead of rivals. Its dexterous, independent “robot army” will carry packages, push strollers. LiveScience reports Knightscope's five-foot K5 robot-cop's on-board sensor that can see, hear, touch and smell its surroundings will combine its observations with public data and use the information to predict if, when and where a crime is likely to occur. Asutosh Saxena's team at Cornell University has created a robot (PR2) programmed to free shop-assistants from drudgery — it packs purchases at check-out counters. Forrester Research's Jeff Ernst believes ICANN’s gTLD (generic top-level domain) program is a game-changer. The introduction of .brand and .category will help you choose products with ease and marketers fight off cybersquatters.

The best gift

To me the best gift of 2014 is the Copenhagen wheel. With an attached computer/sensor-aided device, this bicycle wheel monitors pedalling and activates an on-board electric-motor when you need support. Connecting wirelessly to the biker's smartphone, the device tracks distance travelled and elevation gained, shares with friends the number of calories burned, locks the wheel remotely as you walk away from the bike. An electric-hybrid bicycle!

Mark Anderson, Strategic News Service anticipates Apple's Siri-like products to get an upgrade, visualisation tools to usher in “seeing data.” Software-defined networking and storage will cause a “stampede to virtualise everything.” Technical work to break down barriers between clouds will spawn software that can run anywhere. E-mapping will include MALT (Micromapping, Advertising, Location/ID, Transactions). Indoor maps and location information will place advertising targeted at you, leading to transaction in which “your phone will direct you to where things on your shopping-list are. You pick them up, the store knows who you are, how you pay, and you’ll just walk out.”

Track these

2014 will see computers that can learn from their own mistakes.
Spending on mobile, work-collaboration and video-conferencing apps will rise.
Demand for “big data” analysts will soar.
Small start-ups will raise money more through crowdfunding, less from venture capitalists.

For more details visit https://cis-india.org/news/the-hindu-january-1-2014-geeta-padmanabhan-inventions-that-will-make-a-difference

Introduction: About the Privacy and Surveillance Roundtables

manoj — 2014-11-27T13:34:56Z

The Privacy and Surveillance Roundtables is a Centre for Internet and Society (CIS) initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. The Roundtable will be closed-door deliberation involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1^st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

For more details visit https://cis-india.org/internet-governance/blog/introduction-about-the-privacy-and-surveillance-roundtables