Centre for Internet and Society

Interview with Big Brother Watch on Privacy and Surveillance

maria — 2013-10-15T14:24:27Z

Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!

For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.

Big Brother Watch was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.

Emma Carr joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:

How do you define privacy?
Can privacy and freedom of expression co-exist? Why/Why not?
What is the balance between Internet freedom and surveillance?
According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?
Should people have the right to give up their right to privacy? Why/Why not?
What implications on human rights can mass surveillance potentially have?
“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.
Do we have Internet freedom?

VIDEO

For more details visit https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance

Internet users enraged over US online spying

praskrishna — 2013-07-01T04:10:05Z

India is the fifth most tracked nation by American intelligence agencies.

The article by Maitreyee Boruah was published in the Times of India on June 29, 2013. Sunil Abraham is quoted.

Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.

According to former US Central Intelligence Agency (CIA) employee Edward Snowden's testimony, the US National Security Agency ( NSA) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?

What should the Indian government do?

Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.

"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes the office of the privacy commissioner. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.

Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."

Era of the Big Brother?

Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."

Anger in the online community

A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the US government is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.

For more details visit https://cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying

Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden

praskrishna — 2011-09-08T03:19:35Z

The Centre for Internet and Society, Bangalore, invites you to a public lecture by Caspar Bowden*, the Chief Privacy Adviser of Microsoft’s Worldwide Technology Office, on Internet Surveillance Policy: “…the second time as farce?

Abstract

In 2000, as Director of the independent think-tank, "Foundation for Information Policy Research", Caspar led a campaign to revise several aspects of a new comprehensive UK law governing electronic surveillance ("the RIP Act"). UK legislated in this area many years before most other countries, and the approach was widely criticized although some amendments were achieved. After a hiatus of a decade, many Commonwealth countries are now copying the RIP law (evidently unaware of the original controversies over its defects). Caspar will discuss the legal-technical intricacies of such legislation, the underlying policy dilemmas, the background context of the failed 1990s policy of “key escrow”, and the subsequent privacy catastrophe of blanket retention of the “traffic data” of all of the 500m citizens of the EU.

Caspar Bowden

Caspar Bowden is Microsoft's Worldwide Technology Officer for Privacy, providing advice on technology policy matters concerning privacy in over 40 countries, with particular focus on Europe and regions with horizontal privacy law. His goal is to ensure that users of Microsoft products and services are in control of their personal data and that fair information practices are respected. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication.

Earlier he was the director of the Foundation for Information Policy Research and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy issues, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

Who should attend?

This public talk aims to engage in a dialogue with anybody interested in questions of technology, surveillance, policy and the politics of Internet based governance. Students, research scholars, academics, practitioners, those in the business of technology development, design and study, are invited to attend the lecture that approaches the issue from different angles of technology, society and politics.

Entry: Free; Limited Seating

Registration recommended: prasad@cis-india.org

For additional info click here [PDF, 521 kb]

* Caspar is speaking in his private capacity and his remarks do not necessarily reflect any official Microsoft position

Videos

For more details visit https://cis-india.org/events/internet-surveillance-policy-lecture

Internet Surfing

praskrishna — 2013-07-15T10:09:34Z

Internet Surfing

For more details visit https://cis-india.org/home-images/Surveillance.png

Internet Shutdowns

praskrishna — 2017-04-27T15:53:53Z

For more details visit https://cis-india.org/internet-governance/files/internet-shutdowns

Internet Shutdown Stories

Ambika Tandon — 2018-05-17T10:45:20Z

A collection of stories of the impact of internet shutdowns on the lives of Indian citizens.

For more details visit https://cis-india.org/internet-shutdown-stories

Internet Researchers' Conference 2018 (IRC18): Offline - Call for Sessions

sneha-pp — 2017-11-29T12:30:13Z

Does being offline necessarily mean being disconnected? Beyond anxieties such as FOMO, being offline is also seen as disengagement from a certain milieu of the digital (read: capital), an impediment to the way life is organised by and around technologies in general. However, being offline is not the exception, as examples of internet shutdown and acts on online censorship illustrate the persistence and often alarming regularity of the offline even for the ‘connected’ sections of the population. The *offline* is the theme of the third Internet Researchers' Conference (IRC18). We invite teams of two or more members to submit sessions proposals by Sunday, November 19 (final deadline). The session selection process is described below. The Conference will be hosted by the Sambhaavnaa Institute of Public Policy and Politics (Kandbari, Palampur, Himachal Pradesh) on February 22-24, 2018.

IRC18: Offline

Call for Sessions

Proposed Sessions (Conference Website)

Sambhaavnaa Institute of Public Policy and Politics (External Link)

IRC18: Offline

State and commercial providers of internet and telecommunication services work in tandem to produce both the “online” and the “offline” - through content censorship, internet regulation, generalised service provision failures, and so on. Further, efforts to prioritise the use of digital technologies for financial transactions, especially since demonetisation, has led to a not-so-subtle equalisation of the ‘online economy’ with the ‘formal economy’; thus recognising the offline as the zones of informality, corruption, and piracy. This contributes to the offline becoming invisible, and in many cases, illegal, rather than being recognised as a condition that necessarily informs what it means to be digital.

Who is offline, and is it a choice? The global project of bringing people online has spurred several commendable initiatives in expanding access to digital devices, networks, and content, and often contentious ones such as Free Basics / internet.org, which illustrate the intersectionalities of scale, privilege, and rights that we need to be mindful of when we imagine the offline. Further, the experience of the internet, for a large section of people is often mediated through prior and ongoing experiences of traditional media, and through cultural metaphors and cognitive frames that transcend more practical registers such as consumption and facilitation. How do we approach, study, and represent this disembodied internet – devoid of its hypertext, platforms, devices, it's nuts and bolts, but still tangible through engagement in myriad, personal and often indiscernible ways.

For the third edition of the Internet Researchers’ Conference (IRC18), we invite participants to critically discuss the offline. We invite sessions that present or propose academic, applied, creative, or technical works that explore social, economic, cultural, political, infrastructural, or aesthetic dimensions of the offline.

For example, the sessions may explore one or more of the following themes:

Geographies of internet access: Infrastructural, socio-political, and discursive forces and contradictions
Terms, objects, metaphors, and events of the internet and their offline remediation and circulation
Minimal computing, maker cultures, and digital collaboration and creativity in the offline
Offline economic cultures and transition towards less-cash economy
Offline as democratic choice: the right to offline lives in the context of global debates on privacy, surveillance, and data justice
Methodologies of studying the *offline* at the intersections of offline and online lives

Please note that the above are not sub-themes or tracks under which a session should be proposed, but are illustrations of possible session themes and concerns.

Call for Sessions

We invite teams of two or more members to propose sessions for IRC18. All sessions will be one and half hours long, and will be fully designed and facilitated by the team concerned, including moderation (if any). Please remember this when planning the session. Everything happening during the session, except for logistical support, will be led and managed by the session team.

The sessions are expected to drive conversations on the topic concerned. They may include presentation of research papers but this is not mandatory.

We look forward to sessions that involve collaborative work (either in groups or otherwise), including discussions, interactions, documentation, learning, and making, are most welcome.

We also look forward to sessions conducted in Indic languages. The proposing team, in such a case, should consider how participants who do not understand the language concerned may engage with the session. IRC organisers and other participants shall help facilitate these sessions, say by offering translation support.

The only eligibility criteria for proposing sessions are that they must be proposed by a team of at least two members, and that they must engage with the *offline*.

The deadline for submission of sessions proposals for IRC18 is Sunday, November 19 (final deadline).

To propose a session, please send the following documents (as attached text files) to raw@cis-india.org:

Title of the Session: The session should be named in the form of a hashtag (check the IRC17 selected sessions for example).
Context of the Session: This should be a 300 words note discussing the context, the motivations, and the expectations behind the proposed session.
Session Plan: This should describe the objectives of the session, what will be done and discussed during the session, and who among the people organising the session will be responsible for what. This note need not be more than 300 words long. If your session involves inviting others to present their work (say papers), then please provide a description and timeline of the process through which these people will be identified.
Session Team Details: Please share brief biographic notes of each member of the session team, and contact details.

There is no registration fee for the Conference, but participants are expected to pay for their own travel and accommodation (to be organised by CIS) expenses. Limited funding will be available to support travel and accommodation expenses of few participants who are unemployed or under-employed.

Session selection process:

November 19: Deadline of submission of session proposals.All submitted sessions will be posted on the CIS website, along with the names and details of the session team members.
November 20 - December 17: Open review period. All session teams, as well as other interested contributors, are invited to review and comment upon each other's submitted proposals and revise their own. Read the proposed sessions here: Conference Website.
December 18-31: The selection process takes place. All session teams will select 10 sessions to be included in the IRC18 programme. The votes will be anonymous, that is no session team will know which other sessions have voted for their session.
January 08: Announcement of selected sessions.
February 22-24: IRC18 at Sambhaavnaa Institute!

For more details visit https://cis-india.org/raw/irc18-offline-call

Internet Privacy in India

elonnai — 2014-01-08T13:51:06Z

Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing.

The Changing Nature of Information

For example – the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and re-defining personal data and what type of protections personal data deserves and can be given. For example, seemingly harmless data such IP address, key words used in searches, websites visited, can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, do not know who is accessing the information, and do not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.

The Blurry Line between the Public and Private Sphere

The above example also highlights how the “sphere” of information on the internet is unclear i.e. is information posted on social media public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc. or is information posted on social media – private, and thus requires authorization for further use. For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.[1]

Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,[2] while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.[3] Indian Courts have yet to deal directly with the question of social media content being public or private information.

The Complication of Jurisdiction

The borderless nature of information flows over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example an Indian using Gmail, will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but could also be damaging to privacy in the reverse situation – where one company has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.[4] In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies such as Google, Facebook etc. accountable.[5]

Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.[6] Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.[7]

In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.

Current Policy for Internet Privacy in India

Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,[8]penalizing, hacking and fraud[9] and defining data protection standards for body corporate.[10]

Provisions that serve to dilute user privacy speak to access by law enforcement to user's personal information stored by body corporate[11] collection and monitoring of internet traffic data[12] and real time monitoring, interception, and decryption of online communications.[13] Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, if users have the right to be notified of the presence of cookies and do-not track options, the use of electronic personal identifiers across data bases, and if individuals have the right to request service providers to take down and delete their personal content.

Online Data Protection

Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, who has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.[14]

The Rules seek to provide rights to the individual with regards to their information and obligate body corporate to take steps towards protecting the privacy of consumer's information. Among other things, the Rules define “sensitive personal information' and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information ' except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”[15] and many gaps still exist. For example, the Rules apply only to:

Body corporate and not to the government
Electronically generated and transmitted information
A limited scope of sensitive personal information.
A body corporate when a contractual agreement is not already in place.

These gaps leave a number of bodies unregulated and types of information unprotected, and limits the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and if they are applying the Rules only to the use of their website or if they are also applying the Rules to their core business practices.

Cyber Cafés

In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Café’s to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.[16] Cyber Cafes must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.[17] Furthermore, Cyber Café’s must ensure that the partitions between cubicles do not exceed four and half feet in height from floor level.[18] Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.[19] In effect, the identification and retention requirements of these rules both impact privacy and freedom of expression, as cyber cafes users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users internet communications as the provision does not define:

An authorization process by which the registration agency follows to authorize individuals to conduct inspections.
Circumstances on which inspection of a Cyber Café by an authorized officer is necessary and permissible.
The process for which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.

Online Surveillance and Access

The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications[20] provide for the collection and monitoring of traffic data[21] and allow the government to set the national encryption standard.[22] In particular, the structure of these provisions and the lack of safeguards incorporated, serve as a dilution to user privacy. For example, though these provisions create a framework for interception they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.

Scope of Surveillance and Access

The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July 8,736 phones and e-mail accounts were under lawful surveillance.[23]

Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachel Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.[24] This demonstrates that there are instances of when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.

Demonstrating the tensions between right to privacy and governmental access to communications, and at the same time highlighting the issue of jurisdiction was the standoff between RIM/BlackBerry and the Indian Government. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.[25]

The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.

Future frameworks for privacy in India: The Report of the Group of Experts on Privacy

In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.[26] The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.

The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint the privacy commissioner or going before a court.

The nine national privacy principles include:

Notice: Principle 1: Notice

A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:

During Collection

What personal information is being collected;
Purposes for which personal information is being collected;
Uses of collected personal information;
Whether or not personal information may be disclosed to third persons;
Security safeguards established by the data controller in relation to the personal information;
Processes available to data subjects to access and correct their own personal information;
Contact details of the privacy officers and SRO ombudsmen for filing complaints.

Other Notices
Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

Example of Implementation: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processers, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.

Principle 2: Choice and Consent

A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.

Example of implementation: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent before processing information, does not need to be taken.

Principle 3: Collection Limitation

A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.

Example of Implementation: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.

Principle 4: Purpose Limitation

Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.

Example of Implementation: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.

Principle 5: Access and Correction

Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.

Example of Implementation: An individual who has opened a bank account, has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.

Principle 6: Disclosure of Information

A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.

Example of Implementation: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.

Principle 7: Security

A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.

Example of Implementation: If a company is a telecommunication company, it must have security measures in place to protect customers communications data from loss, unauthorized access, destruction, use, processing, storage, modification, denanonmyization, unauthorized disclosure, or other forseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing clear chain of custody for the handling and processing communications data.

Principle 8: Openness

A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.

Example of Implementation: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.

Principle 9: Accountability

The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.

Example of Implementation: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.

Public Discourses on Privacy

In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.

The Unique Identification Project

One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,[27] privacy has been a driving force behind the concerns about the project. Arguing that not only does the UID Bill not have sufficient privacy safeguards in its provisions[28] but the design of the project and the technology of the project places individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.

The Human DNA Profiling Bill

In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.[29]

Surveillance

For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.

The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments and what information surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.

A Privacy Legislation for India

Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.[31] In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.[32] Presently, the Department of Personnel and Training is drafting the text of the Governments Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.[33] From April 2013 – October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback to a privacy framework in India. Topics discussed during the meetings included, how to define sensitive personal information vs. Personal information, if co-regulation should be a model adopted as a regulatory framework, and what should be the legal exceptions to the right to privacy.[34]

Conclusion

Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.

[1]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/

[2]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml

[3]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us

[4]. http://www.bbc.co.uk/news/technology-24744695

[5]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece

[6]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1

[7]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece

[8]. ITA section 67

[9]. ITA section 43, 66, and 66F

[10]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.

[11]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)

[12]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009

[13]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009

[14]. Ibid footnote 6

[15]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html

[16]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf

[17]. Guidelines for Cyber Cafe Rules 5(4)

[18]. Guidelines for Cyber Cafe Rules 5(6)

[18]. Guidelines for Cyber Café Rules 5(6)

[19]. Guidelines for Cyber Café Rules 7(1)

[20]. Ibid footnote 9

[21]. Ibid footnote 8

[22]. ITA section 84A

[23]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act

[24]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime

[25]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/

[26]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[27]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf

[28]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/

[29]. http://www.epw.in/authors/elonnai-hickok

[30]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf

[31]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/

[32]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[33]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft

[34]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings

For more details visit https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india

Internet Privacy and Surveillance

praskrishna — 2011-09-08T03:16:39Z

Caspar Bowden, Chief Privacy Adviser for Microsoft gave a public talk at TERI, Bangalore on 27 June 2011. The Centre for Internet and Society organised the event. The views expressed herein are his personal and not attributable to Microsoft.

For more details visit https://cis-india.org/internet-governance/internet-privacy-surveillance.pdf

Internet opens doors to trillions more Net addresses with IPv6

praskrishna — 2012-06-14T05:12:25Z

The global Internet industry reached a key milestone on June 6 when a group of Web sites, Internet service providers (ISPs) and router manufacturers banded together to participate in the World IPv6 Launch.

This blog post by Aaron Tan was published in techgoondu. Nishant Shah is quoted in this.

Google, Facebook and Yahoo have flipped the switch to the new Internet addressing system, while ISPs such as Japan’s KDDI and India’s HNS will permanently enable IPv6 for a significant portion of their residential wireline subscribers. Home networking equipment manufacturers will also turn on IPv6 by default in home router products.

The World IPv6 Launch was organised by the Internet Society as part of its mission to ensure that the Internet remains open and accessible for everyone, including five billion people who have yet to connect to the Internet.

“The support of IPv6 from these thousands of organizations delivers a critical message to the world: IPv6 is not just a ‘nice to have’; it is ready for business today and will very soon be a ‘must have’,” said Leslie Daigle, chief Internet technology officer of Internet Society in a statement Wednesday.

Last April, Asia-Pacific became the first region in the world to run out of IPv4 addresses. Europe will deplete its allocation of IPv4 addresses later this year, followed by the U.S. in 2013, and Latin America and Africa in 2014. With IPv6, the Internet can now support over 340 trillion, trillion, trillion addresses compared with 4.3 billion addresses for IPv4.

“Understanding the importance of IPv6, some governments in Asia Pacific have committed to enable IPv6 in their internal networks with set deadlines and, given that they run such large networks, having them on IPv6 is a big step in itself,” said Rajnesh Singh, regional director of the Internet Society’s Asia-Pacific bureau.

The Singapore Government, for instance, has spearheaded an initiative to make e-government services accessible via IPv6. The Infocomm Development Authority (IDA) has also started an IPv6 transition programme that offers grants and information for companies that intend to implement IPv6 on their networks.

With the launch of IPv6, consumers can expect to see applications and services that take advantage of IPv6′s features. Microsoft’s upcoming Windows 8 operating system will also favour IPv6 connectivity over IPv4.

According to Nishant Shah, research director at the Bangalore-based Centre for Internet and Society, IPv6 has an in-built security protocol called IPSec, which authenticates and secures all IP data. The data carrying capacity of IPv6 networks is also going to be higher.

“This means that more devices with more features will be able to work seamlessly through these networks. Despite the larger load of information, IPv6 packets are easier to handle and route, just like postcards with pincodes in their addresses are easier to deliver than those without”, Shah said in a joint statement with Tata Communications.

As an example, every aspect of the Beijing Olympics – from security surveillance to managing vehicles and media coverage – was done over IPv6. “The Chinese government, in fact, has already launched a ‘China Next Generation Internet’ project to build IPv6 networks which are going to radically change the face of high-speed internet in the country,” Shah revealed.

With all these benefits, why does IPv6 only command two percent of the world’s Internet traffic? Shah offers two clear reasons:

The first one is that of costs and infrastructure. The IPv6 platforms do not communicate easily with the IPv4 networks. We have the choice of a mammoth transition of all IPv4 websites and networks to new IPv6 protocols. This idea of abandoning IPv4 and moving to a new protocol is not only redundant; it is also futile, because IPv4 is already running the largest network in human history quite efficiently.

What we need are translators which will be able to speak to both the different versions and help our devices work through them seamlessly. Older, more successful technologies have been able to do this. So, television, for instance, whether it receives terrestrial data, satellite images or data transferred via cable, is able to translate and render them into images and sounds which we can consume with ease. However, the translators for the IPv4 – IPv6 are still expensive and we need more resources diverted towards making them affordable.

The second reason is linked to the first. In order for IPv6 to become popular, it needs a minimum threshold of service providers and users riding that network. As long as the deployment remains nascent, there will be no concentrated energy to actually try and make the bridges between versions 4 and 6. While global technology organisations like Tata Communications are ready for the transition, we are going to need a systemic change among all stakeholders to make IPv6 a reality, towards a faster, safer and more robust Internet.

For more details visit https://cis-india.org/news/internet-opens-doors-to-trillions-more-net-addresses

Internet Monitor

praskrishna — 2014-01-09T07:33:02Z

Malavika's piece on India's Identity Crisis is published in this report.

For more details visit https://cis-india.org/internet-governance/blog/internet-monitor-2013.pdf

Internet Liability

Admin — 2019-10-20T07:04:53Z

For more details visit https://cis-india.org/internet-governance/files/internet-liability

Internet L@w

praskrishna — 2016-05-30T02:07:00Z

Vanya Rakesh will attend the Internet law course organized by the University of Geneva from 20 June 2016 to 1 July 2016 as part of the Geneva Summer School.

Study Internet Law in Geneva, where the World Wide Web was born!

Topics that will be covered include cybersecurity, digital privacy and online surveillance, free speech, consumer protection, legal issues of social media, dangers of cloud computing, Internet and telecom infrastructure, intellectual property, antitrust, and much more...

This is a unique opportunity to gain hands-on experience in the framework of an Internet law clinic and to discuss cutting edge Internet law and policy issues with academics, practitioners, representatives of global policy makers, international organizations and leading institutions, including the Berkman Center for Internet and Society at Harvard University, the International Telecommunication Union (ITU) and the World Intellectual Property Organization (WIPO).

For its first and second sessions (in June 2014 and 2015), the Internet l@w summer school welcomed participants from very diverse background and countries including Argentina, China, Egypt, Germany, India, Italy, Lithuania, Ukraine and the US.

Discover an international city in the heart of Europe. Participate in an exciting social programme, including excursions and social gatherings, and build a global network of new friends as well as of Internet law and policy experts.

A video testimony of participants to the 2014 edition is available here!

Equivalence of 6 ECTS credits.

Please note: Changes to the draft program may be made at any time prior to the start of the course.

More Info, click here.

For more details visit https://cis-india.org/internet-governance/news/internet-l-w

Internet Institute Repository

praskrishna — 2016-07-17T03:38:33Z

For more details visit https://cis-india.org/internet-governance/files/internet-institute-repository

Internet Governance Forum Report 2017

Admin — 2018-01-11T02:03:44Z

For more details visit https://cis-india.org/internet-governance/files/internet-governance-forum-report-2017