Centre for Internet and Society

CIS Cybersecurity Series (Part 18) – Lobsang Gyatso Sither

purba — 2014-07-31T05:34:34Z

CIS interviews Lobsang Gyatso Sither, Tibetan field coordinator and activist, as part of the Cybersecurity Series.

“The digital arms trade and the digital arms race, that is going on right now is a huge problem, in terms of what is happening around the world. A lot of people talk about digital arms like it’s just digital technology; it’s just surveillance technology; it’s just censorship technology; it’s just technology; it doesn’t kill anyone, but the fact of the matter is that it does kill. It’s as bad as a gun; it’s as bad as a weapon. It's the same thing in my opinion and it has to be restricted; it has to be curtailed, it has to be controlled so that it doesn’t go to places where there are no human rights and where there are rampant human rights violations. People know what it is going to be used for and it is going to be used for human rights violations and that is something that has be kept in mind before the whole aspect of digital arms trade and it has to be treated as any other arms trade.”

Centre for Internet and Society presents its eighteenth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Lobsang Gyatso Sither is a Tibetan born in exile dedicated to increasing cybersecurity among Tibetans inside Tibet and in the diasporas. He has helped to develop community-specific technologies and educational content and deploys them via training and public awareness campaigns at the grassroots level. Lobsang works with key communicators and organizations in the Tibetan community, including Voice of Tibet Radio and the Tibetan Centre for Human Rights and Democracy.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-18-2013-lobsang-gyatso-sither

Information Influx Conference

praskrishna — 2014-07-28T06:31:40Z

Malavika Jayaram was a speaker at the event organized by the Institute for Information Law, University of Amsterdam from July 2 to 4, 2014.

Click to read the full details here.

When IViR set up its research 25 years ago, the digital transition was just starting to gather speed. Since then, our societies have been undergoing enormous changes in the modes of expression, organization and (re)use of information. Traditional roles of producers, intermediaries, users and governments blur and are recast. Information is the central building block of market economies. New ways of creating, disseminating and using it impact the workings of democracy, of science and education, creativity and culture.

Information Influx will bridge disciplines, regions and institutional perspectives to confront the major challenges of developing the rules that govern the expression, organization and re(use) of information in our society – as the central aspects of IViR’s Research Programme.

Wednesday 2 July

13.00 – 16.30

Information Influx Young Scholars Competition:

13.00 – 15.00

Welcome by Prof. Mireille van Eechoud & Dr. L. Guibault

Catherine Doldirina (Joint Research Centre EC) – Open data and Earth observations: the case of opening access to and use of EO through the Global Earth Observation System of Systems
Comments by Prof. Mark Perry

Jenny Metzdorf (University of Luxembourg) – The implementation of the Audiovisual Media Services Directive by national regulatory authorities – National reponses to regulatory challenges
Comments by Dr. Tarlach McGonagle

Harry Halpin (MIT/W3C) – No Safe Haven: The Storage of Data Secrets
Comments by Dr. Philippe Aigrain

15.00 – 15.15
Refreshments break

15.15 – 16.30

Ellen Wauters (ICRI – University of Leuven) – Social Networking Sites’ Terms of Use: addressing imbalances in the user-provider relationship through ex ante and ex post mechanisms
Comments by Dr. Chantal Mak

Nicolo Zingales (Tilburg University) – Virtues and perils of anonymity: should intermediaries bear the burden?
Comments by Prof. Joel Reidenberg

Closing remarks

17.00 – 18.30

Information Influx public opening:

Welcome Louise Gunning-Schepers (University of Amsterdam), Edgar du Perron (University of Amsterdam) and Bernt Hugenholtz (Institute for Information Law)
Keynote – Degrees of Freedom: Sketches of a political theory for an age of deep uncertainty and persistent imperfection – prof. Yochai Benkler (Harvard Law School)
Young Scholars Award ceremony
Speech by Neelie Kroes (Vice-President of the European Commission) – Our Single Market is Crying out for Copyright Reform!

19.00 – 22.00

IViR 25th birthday soirée – by invitation

Thursday 3 July

9.00 – 10.00

Keynote – Governance, Function and Form – prof. Deirdre Mulligan (University of California, Berkeley)

As data and technology to wield it become pervasive, privacy protection must take new forms. Traditional models of governance centered on state actors, and human oversight do not scale to today’s challenges. Drawing from several research projects Mulligan suggests that focusing on roles and functions, rather than traditional forms and actors, can assist us in leveraging the potential of a range of human and technical actors towards privacy’s protection.

10.30 – 12.30

Parallel sessions:

12.30 – 13.45

Lunch

13.45 – 14.30

Julian Oliver & Danja Vasiliev

14.30 – 16.30

Parallel sessions:

17.00 – 18.00

Keynote – Copyright as Innovation Policy – Fred von Lohmann (Google)

Copyright has historically been concerned with encouraging commercial cultural production. Thanks to digital technology, however, copyright law today finds itself called upon to take on additional unfamiliar roles, including fostering technological innovation and encouraging amateur creative expression. The talk will suggest some ways that copyright can successfully grow into these new roles.

19.00 – 22.00

Conference Dinner

Friday 4 July

9.00 – 10.00

Keynote – Datafication, dataism and dataveillance – prof. José van Dijck (University of Amsterdam)

The popularization of datafication as a neutral paradigm is carried by a widespread belief and supported by institutional guardians of trust. That notion of trust becomes problematic when it leads to dataveillance by a number of institutions that handle people’s (meta)data. The interlocking of government, business, and academia in the adaptation of this ideology (“dataism”) prompts us to look more critically at the entire ecosystem of connective media.

10.30 – 12.30
Parallel sessions:

12.30 – 14.00

Buffet Lunch, plus: Brown bag lunch with Rob Frieden – Net Neutrality: One step beyond

14.00 – 15.00

Keynote – Intellectual Property: Two Pasts and A Future – prof. James Boyle (Duke Law School)

Twenty years from now, will our children look up from their digital devices and ask “Daddy, did anyone ever own a book”? In his keynote speech, James Boyle will trace the past lives of intellectual property, the battles fought, the technologies regulated. Can we find hints of the future in the battles of our past? Boyle’s answer is yes, and that answer should give us pause.

15.30 – 17.30

Parallel sessions:

17.30 – 18.30

Farewell drinks

Parallel sessions

Rights in the mix

Among amateur and professional creators alike there is a manifest need to not only share but also remix existing works. The panel discusses how adequately open content licensing systems support these needs. It also looks to how well this licensing system fits in the wider legal framework.

prof. Séverine Dusollier (University of Namur) (moderator)
Paul Keller (Kennisland)
prof. Daniel Gervais (Vanderbilt Law School)
prof. Volker Grassmuck (Lüneburg University)

Behavioural targeting – If you cannot control it, ban it?

The discussion about the potential pitfalls of behavioural targeting practices and the problems it may create for users and user rights continues in full force. The growing evidence of the ineffectiveness of the existing informed-consent-approach to regulation can no longer be ignored. Is it time for the regulator to move to more drastic means and ban certain behavioural targeting practices, and if so, which practices?

prof. Chris Hoofnagle (University of California, Berkeley) (moderator)
prof. Neil Richards (Washington University)
Frederik Borgesius (Institute for Information Law)
prof. Joseph Turow (University of Pennsylvania)
prof. Mireille Hildebrandt (University of Nijmegen)
dr. Tal Zarsky (University of Haifa)

Tomorrow’s news: bright, mutualized and open?

As public debate becomes more diversified, crowded, interactive, noisy and technology-dependent than ever before, what survival strategies are being devised for the news as we know it? Are existing expressive and communicative rights, and related duties and responsibilities, fit-for-purpose in increasingly digitized and networked democratic societies? Will tomorrow’s news still be worth tuning into?

dr. Tarlach McGonagle (Institute for Information Law) (moderator)
dr. Susanne Nikoltchev (European Audiovisual Observatory)
Aidan White (Ethical Journalism Network)
dr. Luís Santos (University of Minho)
dr. Eugenia Siapera (Dublin City University)
Gillian Phillips (The Guardian)

Filtering away infringement: copyright, injunctions and the role of ISPs

Can technology solve the problem of intermediary liability for online copyright infringement? If so, should technology be allowed to determine law? This panel shall focus on the issue of injunctions imposed on online intermediaries to force them to adopt measures that filter or block copyright infringements by third parties on their websites.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Dirk Visser (University of Leiden)
Remy Chavannes (Brinkhof)
Fred von Lohmann (Google)
Sir Richard Arnold (High Court UK)
prof. Niva Elkin-Koren (University of Haifa)
prof. Reto Hilty (Max Planck Institute)

Mass-digitization and the conundrum of online access

Cultural heritage institutions face difficulties providing online access to digitized materials in their collections. This session examines a number of pressing issues, taking a trans-Atlantic perspective. When does digitization in public-private partnerships pose a threat to access to public domain materials? What ways are there to manage rights clearance of copyrighted materials and deal with territoriality?

prof. Martin Senftleben (VU University Amsterdam) (moderator)
prof. Pamela Samuelson (University of California, Berkeley)
dr. Elisabeth Niggemann (Deutsche Nationalbibliothek)
prof. Martin Kretschmer (Glasgow University)

The algorithmic public: towards a normative framework for automated media

In the online media, decisions about what users get to see (or not to see) are increasingly automated, through the use of smart algorithms and extensive data about users’ preferences and online behaviour. This raises a number of fundamental questions about freedom of expression, editorial integrity and user autonomy. Leading thinkers will debate algorithmic decision-making in online media and explore the contours of a much needed normative framework for automated media.

prof. Natali Helberger (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University)
prof. Wolfgang Schulz (Hans-Bredow-Institut)
prof. Niva Elkin-Koren (University of Haifa)
dr. Bernhard Rieder (University of Amsterdam)

Accountability and the public sector data push

Initiatives to make governments more ‘transparent’ abound. Freedom of information laws are reconfigured to push out ever more information to citizens and businesses. Promises of benefits abound too: better accountability and increased participation, as well as efficiency gains and new business opportunities. Can and should the next generation of freedom of information laws serve both political-democratic objectives and economic ones?

prof. Mireille van Eechoud (Institute for Information Law) (moderator)
Chris Taggart (Open Corporates)
Helen Darbishire (Access Info)
prof. Deirdre Curtin (University of Amsterdam)
dr. Ben Worthy (Birkbeck University College London)
Jonathan Gray (Open Knowledge Foundation / University of London)

A new governance model for communications security?

Today, the vulnerable state of electronic communications security dominates headlines across the globe, while money and power increasingly permeate the policy arena. 2013 has seen no less than five sweeping legislative initiatives in the E.U., while the U.S. seems to trust in the market to deliver. Amidst these diverging approaches, how should communications security be regulated?

Axel Arnbak (Institute for Information Law) (moderator)
prof. Deirdre Mulligan (University of California, Berkeley)
prof. Ian Brown (Oxford University)
prof. Michel van Eeten (Delft university of technology)
Amelia Andersdotter (European Parliament)
Ashkan Soltani (independent researcher)

Global information flows and the nation state

Information flows contest the physical spaces in which the nation state has been deemed a sovereign for almost five centuries. This tension dominates nearly all areas of information law, from data protection and IP enforcement to mass surveillance by national intelligence agencies. This session reflects on the broader challenges that territoriality presents for information law today.

prof. Urs Gasser (Harvard) (moderator)
prof. Joel Reidenberg (Fordham Law School)
prof. Graeme Dinwoodie (Oxford University)
Malavika Jayaram (Harvard)
Hielke Hijmans (Vrije Universiteit Brussel)

United in diversity – the future of the public mission

Digital technologies and the information economy create fascinating new opportunities but also pose fundamental challenges to the fulfilment of the public mission of the media, public archives and libraries alike. This panel is a step towards establishing a dialogue between the three institutions: to explore the congruence between their missions, and their responses to critical issues such as technological convergence, the changing habits of users, the growing abundance of content and their relationship to new information intermediaries, such as search engines, social networks or content platforms.

prof. Natali Helberger (Institute for Information Law) (moderator)
prof. Klaus Schönbach (University of Vienna)
prof. Frank Huysmans (University of Amsterdam)
prof. Egbert Dommering (Institute for Information Law)
Maarten Brinkerink (Netherlands Institute for Sound and Vision)
Richard Burnley (European Broadcasting Union)

Legalizing file-sharing: an idea whose time has come – or gone?

Alternative compensation systems are designed to legalize and monetize online copyright restricted acts of distributing and consuming content. Empirical evidence shows that end-users strongly support paying flat-rate fees for the ability to legally download and share content. So what prevents us from introducing such schemes? The group of experts convened debates the future of alternative compensation systems in light of current legal, business and technology trends.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Neil Netanel (University of California, Los Angeles)
prof. Alexander Peukert (University of Frankfurt)
dr. Philippe Aigrain (Quadrature du Net)
prof. Séverine Dusollier (University of Namur)

Assembly (Information influx)

Taking legal cases and controversies involving intellectual property, art collective Agency composes a growing list of “Things” that resist the split between “nature” and “culture”, a split that intellectual property relies upon. From the list of over a 1,000 Things, Agency calls forth Thing 002094, the copyright controversy Être et Avoir, to jointly speculate upon. The purpose is less to re-enact the judgment and more to prolong hesitation.

Agency
Severine Dusollier
Wilco Kalff
Sanne Rovers
Margot van de Linde
Arnisa Zeqo

Big brother is back

The debate about the pervasive surveillance of the online environment is roaring. Considering what we know now, what better metaphor is there than to conclude that we live in the world of Big Brother? This session will bring together leading thinkers and doers related to power and control in the communication environment, who will provide critical input on the way we think and speak about information freedom and control. Should we aspire to tame Big Brother or should we think differently about the problem?

Axel Arnbak (Institute for Information Law) (moderator)
dr. Joris van Hoboken (New York University) (moderator)
John McGrath (National Theatre of Wales)
dr. Seda Gürses (New York University)
Hans de Zwart (Bits of Freedom)

Who owns the World Cup? The case for and against property rights in sports events

Sports have important economic, social and cultural dimensions. What is the optimal form of legal protection of sports events considering the public-private nature of sports? The focus of debate will be on football because of its major relevance in Europe in terms of diffusion, commercial exploitation, and social impact; but we can expect many insights to hold true for other sports as well.

prof. Bernt Hugenholtz (Institute for Information Law) (moderator)
prof. Lionel Bently (University of Cambridge)
prof. Dirk Voorhoof (Ghent University)
prof. Peter Jaszi (American University Washington)
prof. Graeme Dinwoodie (Oxford University)
prof. Egbert Dommering (Institute for Information Law)
prof. Alan Bairner (Loughborough University)

Associated events

Invitation only:
Wednesday 2 July: Big Breakfast with Joseph Turow & Tal Zarksy – Ethical, normative, social and cultural implications of profiling & targeting in an era of big data – towards a research agenda, Institute for Information Law (IViR) & Amsterdam School of Communication Research (ASCoR), East India House, room E0.02, 09.00-12.00 a.m.

Public event:

Friday 4 July: Lecture James Boyle & Marjan Hammersma about cultural heritage and the public domain
More information and registration at:
Cultural heritage institutions as guardians of public domain works in the digital environment, Rijksmuseum & Kennisland in cooperation with IViR, Rijksmuseum Auditorium, 18.00-20.00 p.m.

About IViR

The Institute for Information Law (IViR) is a centre of excellence in academic research which consistently seeks to further our understanding of how legal norms reflect and shape the creation, dissemination and use of information in our societies. That is the ambition at the heart of the many research initiatives IVIR has undertaken since its foundation in 1989. The urgency of taking an interdisciplinary and international approach has only grown in the past decades. It is crucial if we want to understand and evaluate the rapidly evolving complex and myriad legal norms that govern information relations in markets, in social and in political spaces. With over 30 researchers, teachers and support staff based in our offices in the historic centre of Amsterdam, we have the critical mass to broach key regulatory challenges of today’s information society.

Our focus on information relations deliberately cuts across traditional boundaries in legal scholarship. We bring together insights from constitutional law, human rights, public administration, intellectual property, contract and property law, and competition law. Our functional approach enables fruitful collaboration with experts from an array of academic disciplines, in information and communications technology, economics, media studies, political science and the arts.

Continuing a long Dutch tradition of openness towards the world, our work has a strong international orientation. It shows in the topics we study, the strong global network of affiliations we have in academia and the wonderful dynamic mix of upcoming and experienced researchers from all over Europe and beyond that make up IViR.

With each consecutive research programme we prioritize legal developments that fascinate us, and translate them into a variety of research projects. This includes doctoral research, research for policymakers at national, European and international level, and projects funded through national and European research grant programmes. Our current research programme and an overview of research projects can be found here. Doctoral dissertations, journal articles, books, case comments, studies, reports, lectures, debates, workshops, conferences and summer schools are the staple means of communicating what we do. Browse our publications here.

Media reports and conference outputs will be posted on the IViR website

For more details visit https://cis-india.org/news/information-influx-conference

UK’s Interception of Communications Commissioner — A Model of Accountability

joe — 2014-07-24T06:08:53Z

The United Kingdom maintains sophisticated electronic surveillance operations through a number of government agencies, ranging from military intelligence organizations to police departments to tax collection agencies. However, all of this surveillance is governed by one set of national laws outlining specifically what surveillance agencies can and cannot do.

The primary law that governs government investigations is the Regulation of Investigatory Powers Act 2000, abbreviated as RIPA 2000.

To ensure that this law is being followed and surveillance operations in the United Kingdom are not conducted illegally, the RIPA 2000 Part I establishes an Interception of Communications Commissioner, who is tasked with inspecting the surveillance operations, assessing their legality, and compiling an annual report to for the Prime Minister.

On April 8, 2014 the current Commissioner, Rt Hon. Sir Anthony May, laid the 2013 annual report before the House of Commons and the Scottish Parliament. In its introduction, the report notes that it is responding to concerns raised as a result of Edward Snowden’s actions, especially misuse of powers by intelligence agencies and invasion of privacy. The report also acknowledges that the laws governing surveillance, and particularly RIPA 2000, are difficult for the average citizen to understand, so the report includes a narrative outline of relevant provisions in an attempt to make the legislation clear and accessible. However, the report points out that while the Commissioner had complete access to any documents or investigative records necessary to construct the report, the Commissioner was unable to publish surveillance details indiscriminately, due to confidentiality concerns in a report being issued to the public. (It is worth noting here that though the Commissioner is one man, he has an entire agency working under him, so it is possible that he himself did not do or write all of that the report attributes to him). As a whole, the report outlines a series of thorough audits of surveillance operations, and reveals that the overwhelming majority of surveillance in the UK is conducted entirely legally, and that the small minority of incorrectly conducted surveillance appears to be unintentional. Looking beyond the borders of the United Kingdom, the report represents a powerful model of a government initiative to ensure transparency in surveillance efforts across the globe.

The Role of the Commissioner

The report begins in the first person, by outlining the role of the Commissioner. May’s role, he writes, is primarily to audit the interception of data, both to satisfy his own curiosity and to prepare a report for the Prime Minister. Thus, his primary responsibility is to review the lawfulness of surveillance actions, and to that end, his organization possesses considerable investigative powers. He is also tasked with ensuring that prisons are legally administrated, though he makes this duty an afterthought in his report.

Everyone associated with surveillance or interception in the government must disclose whatever the commissioner asks for. In short, he seems well equipped to carry out his work. The Commissioner has a budget of £1,101,000, almost all of which, £948,000 is dedicated to staff salaries.

The report directly addresses questions about the Commissioner’s ability to carry out his duties. Does the Commissioner have full access to whatever materials or data it needs to conduct its investigations, the report asks, and it answers bluntly, yes. It is likely, the report concludes, that the Commissioner also has sufficient resources to adequately carry out his duties. Yes, the Commissioner is fully independent from other government interests; the commissioner answers his own question. Finally, the report asks if the Commissioner should be more open in his reports to the public about surveillance, and he responds that the sensitivity of the material prohibits him from disclosing more, but that the report adequately addresses public concern regardless. There is a degree to which this question and answer routine seems self-congratulatory, but it is good to see that the Commissioner is considering these questions as he carries out his duties.

Interception of Communications

The report first goes into detail about the Commissioner’s audits of communications interception operations, where interception means wiretapping or reading the actual content of text messages, emails, or other communications, as opposed to the metadata associated with communications, such as timestamps and numbers contacted. In this section, the report outlines the steps necessary to conduct an interception, outlining that an interception requires a warrant, and only a Secretary of State (one of five officials) can authorize an interception warrant. Moreover, the only people who can apply for such warrants are the directors of various intelligence, police, and revenue agencies. In practice, the Secretaries of State have senior staff that read warrant applications and present those they deem worthy to the Secretary for his or her signature, as their personal signature is required for authorization.

For a warrant to be granted, it must meet a number of criteria. First, interception warrants must be necessary in the interests of national security, to prevent or detect serious crime, or to safeguard economic wellbeing of the UK. Additionally, a warrant can be granted if it is necessary for similar reasons in other countries with mutual assistance agreements with the UK. Warrants must be proportionate to the ends sought. Finally, interception warrants for communications inside the UK must specify either a person or a location where the interception will take place. Warrants for communications outside of the UK require no such specificity.

In 2013, 2760 interception warrants were authorized, 19% fewer warrants than in 2012. The Commissioner inspected 26 different agencies and examined 600 different warrants throughout 2013. He gave inspected agencies a report on his findings after each inspection, so they could see whether or not they were following the law. He concluded that the agencies that undertake interception “do so lawfully, conscientiously, effectively, and in our national interest.” Thus, all warrants adequately meet the application and authorization requirements outlined in RIPA 2000.

Communications Data

The report goes on to discuss communications data collection, where communications data refers to metadata–not the content of the communications itself, but data associated with it, such as call durations, or a list of email recipients. The Commissioner explains that metadata is easier to obtain than an interception warrant. Designated officials in their respective surveillance organization read and grant metadata warrant applications, instead of one of the Secretaries of State who could grant interception warrants. Additionally, the requirements for a metadata warrant are looser than for interception warrants. Metadata warrants must still be necessary, but necessary for a broader range of causes, ranging from collecting taxes, protecting public health, or for any purpose specified by a Secretary of State.

The relative ease of obtaining a metadata warrant is consistent with a higher number of warrants approved. In 2013, 514,608 metadata warrants were authorized, down from 570,135 in 2012. Local law enforcement applied for 87.5% of those warrants while intelligence agencies accounted for 11.5%. Only a small minority of requests was sent from the revenue office or other departments.

The purposes of these warrants were similarly concentrated. 76.9% of metadata warrants were issued for prevention or detection of crime. Protecting national security justified 11.4% of warrants and another 11.4% of warrants were issued to prevent death or injury. 0.2% of warrants were to identify people who had died or otherwise couldn’t identify themselves, 0.11% of warrants were issued to protect the economic wellbeing of the United Kingdom, and 0.02% of warrants were associated with tax collection. The Commissioner identified less than 0.01% of warrants as being issued in a miscarriage of justice, a very low proportion.

The Commissioner inspected metadata surveillance efforts, conducting 75 inspections in 2013, and classified the practices of those operations inspected as good, fair or poor. 4% of operations had poor practices. He noticed two primary errors. The first was that data was occasionally requested on an incorrect communications address, and the second was that he could not verify that some metadata was not being stored past its useful lifetime. May highlighted that RIPA 2000 does not give concrete lengths for which data should be stored, as Section 15(3) states only that data must be deleted “as soon as there are no longer grounds for retaining it as necessary for any of the authorized purposes.” He noted that he was only concerned because some metadata was being stored for longer periods than associated interception data. As May put it, “I have yet to satisfy myself fully that some of these periods are justified and in those cases I required the agencies to shorten their retention periods or, if not, provide me with more persuasive reasons.” The Commissioner seems determined that this practice will either be eliminated or better justified to him in the near future.

Indian Applications

The United Kingdom’s Interception of Communications Commissioner has similar powers to the Indian Privacy Commissioner suggested by the Report of the Group of Experts on Privacy. Similar to the United Kingdom, it is recommended that a Privacy Commissioner in India have investigative powers in the execution of its charter, and that the Privacy Commissioner represent citizen interests, ensuring that data controllers are in line with the stipulated regulations. The Report also broadly states that “with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight functions.” In this way, the Report touches upon the need for oversight of surveillance, and suggests that this responsibility may be undertaken by the Privacy Commissioner, but does not clearly place this responsibility with the Privacy Commissioner. This raises the question of if India should adopt a similar model to the United Kingdom – and create a privacy commissioner – responsible primarily for overseeing and enforcing data protection standards, and a separate surveillance commissioner – responsible for overseeing and enforcing standards relating to surveillance measures. When evaluating the different approaches there are a number of considerations that should be kept in mind:

Law enforcement and security agencies are the exception to a number of data protection standards including access and disclosure.
There is a higher level of ‘sensitivity’ around issues relating to surveillance than data protection and each needs to be handled differently.
The ‘competence’ required to deliberate on issues related to data protection is different then the ‘competence’ required deliberating on issues related to surveillance.

Additionally, this raises the question of whether India needs a separate regulation governing data protection and a separate regulation governing surveillance.

Allegations of Wrongdoing

It is worth noting that though May describes surveillance operations conducted in compliance with the law, many other organizations have accused the UK government of abusing their powers and spying on citizens and internet users in illegal ways. The GCHQ, the government’s communications surveillance center has come under particular fire. The organization has been accused indiscriminate spying and introducing malware into citizen’s computers, among other things. Led by the NGO Privacy International, internet service providers around the world have recently lodged complaints against the GCHQ, alleging that it uses malicious software to break into their networks. Many of these complaints are based on the information brought to light in Edward Snowden’s document leaks. Privacy International alleges that malware distributed by GCHQ enables access to any stored content, logging keystrokes and “the covert and unauthorized photography or recording of the user and those around him,” which they claim is similar to physically searching through someone’s house unbeknownst to them and without permission. They also accuse GCHQ malware of leaving devices open to attacks by others, such as identity thieves.

Snowden’s files also indicate a high level of collaboration between GCHQ and the NSA. According to the Guardian, which analyzed and reported on many of the Snowden files, the NSA has in past years paid GCHQ to conduct surveillance operations through the US program called Prism. Leaked documents report that the British intelligence agency used Prism to generate 197 intelligence reports in the year to May 2012. Prism is not mentioned at all in the Interception of Communications Commissioner’s report. In fact, while the report’s introduction explains that it will attempt to address details revealed in Snowden’s leaked documents, very little of what those documents indicate is later referenced in the report. May ignores the plethora of accusations of GCHQ wrongdoing.

Thus, while May’s tone appears genuine and sincere, the details of his report do little to dispel fears of widespread surveillance. It is unclear whether May is being totally forthcoming in his report, especially when he devotes so little energy to directly responding to concerns raised by Snowden’s leaks.

Conclusion

May wrapped up his report with some reflections on the state of surveillance in the United Kingdom. He concluded that RIPA 2000 protects consumers in an internet age, though small incursions are imaginable, and especially lauds the law for it’s technological neutrality. That is, RIPA 2000 is a strong law because it deals with surveillance in general and not with any specific technologies like telephones or Facebook, use of which changes over time. The Commissioner also was satisfied that powers were not being misused in the United Kingdom. He reported that there have been a small number of unintentional errors, he noted, and some confusion about the duration of data retention. However, any data storage mistakes seemed to stem from an unspecific law.

Despite May’s report of surveillance run by the books, other UK groups have accused GCHQ, the government’s communications surveillance center, of indiscriminate spying and introducing malware into citizen’s computers. Privacy International has submitted a claim arguing that a litany of malware is employed by the GCHQ to log detailed personal data such as keystrokes. The fact that May’s report does little to disprove these claims casts the Commissioner in an uncertain light. It is unclear whether surveillance is being conducted illegally or, as the report suggests, all surveillance of citizens is being conducted as authorized.

Still, the concept of a transparency report and audit of a nation’s surveillance initiatives report is a step towards government accountability done right, and should serve as a model for enforcement methods in other nations. May’s practice of giving feedback to the organizations he inspects allows them to improve, and the public report he releases serves as a deterrent to illegal surveillance activity. The Interception of Communications Commissioner–provided he reports truthfully and accurately–is what gives the safeguards built into the UK’s interception regime strength and accountability. In other nations looking to establish privacy protections, a similar role would make their surveillance provisions balanced with safeguards and accountability to ensure that the citizens fundamental rights–including the right to privacy–are not compromised.

For more details visit https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability

First Privacy and Surveillance Roundtable

anandini — 2014-08-09T04:13:50Z

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders.

Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and Training.

The first of seven proposed roundtable meetings on “Privacy and Surveillance” conducted by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and the Council for Fair Business Practices was held in Mumbai on the 28th of June, 2014.

The roundtable’s discussion centered on the Draft Privacy Protection Bill formed by CIS in 2013, which contains provisions on the regulation of interception and surveillance and its implications on individual privacy. Other background documents to the event included the Report of the Group of Experts on Privacy, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context

The Chair of the Roundtable began by giving a brief background of Surveillance regulation in India, focusing its scope to primarily telegraphic, postal and electronic surveillance.

Why a surveillance regime now?

A move to review the existing privacy laws in India came in the wake of Indo-EU Fair Trade Agreement negotiations; where a Data Adequacy Assessment conducted by European Commission found India’s data protection policies and practices inadequate for India to be granted EU secure status. The EU’s data protection regime is in contrast, fairly strong, governed by the framework of the EU Data Protection Directive, 1995.

In response to this, the Department of Personnel and Training, which drafted the Right to Information Act of 2005 and the Whistleblower’s Protection Act, 2011 was given the task of forming a Privacy Bill. Although the initial draft of the Bill was made available to the public, as per reports, the Second draft of the Bill has been shared selectively with certain security agencies and not with service providers or the public.

Discussion

The Chair began the discussion by posing certain preliminary questions to the Roundtable:

What should a surveillance law contain and how should it function?
If the system is warrant based, who would be competent to execute it?
Can any government department be allowed a surveillance request?

A larger question posed was whether the concerns and questions posed above would be irrelevant with the possible enforcement of a Central Monitoring System in the near future? As per reports, the Central Monitoring System would allow the government to intercept communications independently without using service providers and thus, in effect, shielding such information from the public entirely.

The CIS Privacy Protection Bill’s Regulatory Mechanism

The discussion then focused on the type of regulatory mechanism that a privacy and surveillance regime in India should have in place. The participants did not find favour in either a quasi-judicial body or a self-regulatory system – instead opting for a strict regulatory regime.

The CIS Draft Privacy Protection Bill proposes a regime that consists of a Data Protection Regulation Authority that is similar to the Telecom Regulatory Authority of India, including the provision for an appellate body. The Bill envisions that the Authority will act as an adjudicating body for all complaints relating to the handling of personal data in addition to forming and reviewing rules on personal data protection.

Although, the Draft Bill dealt with privacy and surveillance under one regulatory authority, the Chair proposes a division between the two frameworks, as the former is governed primarily by civil law, and the latter is regulated by criminal law and procedure. Though in a 2014 leaked version of the governments Privacy Bill, surveillance and privacy are addressed under one regulation, as per reports, the Department of Personnel and Training is also considering creating two separate regulations: one for data protection and one for surveillance.

Authorities in Other Jurisdictions

The discussion then moved to comparing the regulatory authorities within other jurisdictions and the procedures followed by them. The focus was largely on the United States and the United Kingdom, which have marked differences in their privacy and surveillance systems.

In the United Kingdom, for example, a surveillance order is reviewed by an Independent Commissioner followed by an Appellate Tribunal, which has the power to award compensation. In contrast, the United States follows a far less transparent system which governs foreigners and citizens under separate legislations. A secret court was set up under the FISA, an independent review process, however, exists for such orders within this framework.

The Authority for Authorizing Surveillance in India

The authority for regulating requests for interceptions of communication under the Draft CIS Privacy Protection Bill is a magistrate. As per the procedure, an authorised officer must approach the Magistrate for approval of a warrant for surveillance. Two participants felt that a Magistrate is not the appropriate authority to regulate surveillance requests as it would mean vesting power in a few people, who are not elected via a democratic process.

In the present regime, the regulation of interception of telecommunications under Indian Law is governed by the Telegraph Act,1885 and the Telegraph Rules,1951. Section 5(2) of the Act and Rule 419A of the Telegraph Rules, permit interception only after an order of approval from the Home Secretary of the Union Government or of the State Governments, which in urgent cases, can be granted by an officer of the Joint Secretary Level or above of the Ministry of Home Affairs of the Union or that State’s Government.

Although most participants felt confident that a judicial authority rather than an executive authority would serve as the best platform for regulating surveillance, there was debate on what level of a Magistrate Judge would be apt for receiving and authorizing surveillance requests - or whether the judge should be a Magistrate at all. Certain participants felt that even District Magistrates would not have the competence and knowledge to adjudicate on these matters. The possibility of making High Court Judges the authorities responsible for authorizing surveillance requests was also suggested. To this suggestion participants noted that there are not enough High Court judges for such a system as of now.

The next issue raised was whether the judges of the surveillance system should be independent or not, and if the orders of the Courts are to be kept secret, would this then compromise the independence of such regulators. As part of this discussion, questions were raised about the procedures under the Foreign Intelligence Surveillance Act, the US regulation governing the surveillance of foreign individuals, and if such secrecy could be afforded in India. During the discussions, certain stakeholders felt that a system of surveillance regulation in India should be kept secret in the interests of national security. Others highlighted that this is the existing practice in India giving the example of the Intelligence Bureau and Research and Analysis Wing orders which are completely private, adding however, that none of these surveillance regulations in India have provisions on disclosure.

When can interception of communications take place?

The interception of communications under the CIS Privacy Protection Bill is governed by the submission of a report by an authorised officer to a Magistrate who issues a warrant for such surveillance. Under the relevant provision, the threshold for warranting surveillance is suspicious conduct. Several participants felt that the term ‘suspicious conduct’ was too wide and discretionary to justify the interception of communication and suggested a far higher threshold for surveillance. Citing the Amar Singh Case, a participant stated that a good way to ensure ‘raise the bar’ and avoid frivolous interception requests would be to require officers submitting interception request to issue affidavits. A participant suggested that authorising officers could be held responsible for issuing frivolous interception requests. Some participants agreed, but felt that there is a need for a higher and stronger standard for interception before provisions are made for penalising an officer. As part of this discussion, a stakeholder added that the term “person” i.e. the subject of surveillance needed definition within the Bill.

The discussion then moved to comparing other jurisdictions’ thresholds on permitting surveillance. The Chair explained here that the US follows the rule of probable cause, which is where a reasonable suspicion exists, coupled with circumstances that could prove such a suspicion true. The UK follows the standard of ‘reasonable suspicion’, a comparatively lesser degree of strength than probable cause. In India, the standard for telephonic interception under the Telegraph Act 1885 is the “occurrence of any public emergency or in the interest of public safety” on the satisfaction of the Home Secretary/Administrative Officer.

The participants, while rejecting the standard of ‘suspicious conduct’ and agreeing that a stronger threshold was needed, were unable to offer other possible alternatives.

Multiple warrants, Storing and sharing of Information by Governmental Agencies

The provision for interception in the CIS Privacy Protection Bill stipulates that a request for surveillance should be accompanied by warrants previously issued with respect to that individual. The recovery of prior warrants suggests the sharing of information of surveillance warrants across multiple governmental agencies which certain participants agree, could prevent the duplication of warrants.

Participants briefly discussed how the Central Monitoring System will allow for a permanent log of all surveillance activities to be recorded and stored, and the privacy implications of this. It was noted that as per reports, the hardware purported to be used for interception by the CMS is Israeli, and is designed to store a log of all metadata.

A participant stated that automation component of the Centralized Monitoring System may be positive considering that authentication of requests i.e. tracing the source of the interception may be made easier with such a system.

Conditions prior to issuing warrant

The CIS Privacy Protect Bill states that a Magistrate should be satisfied of either. A reasonable threat to national security, defence or public order; or a cognisable offence, the prevention, investigation or prosecution of which is necessary in the public interest. When discussing these standards, certain participants felt that the inclusion of ‘cognizable offences’ was too broad, whereas others suggested that the offences would necessarily require an interception to be conducted should be listed. This led to further discussion on what kind of categorisation should be followed and whether there would be any requirement for disclosure when the list is narrowed down to graver and serious offences.

The chair also posed the question as to whether the term ‘national security’ should elaborated upon, highlighting the lack of a definition in spite of two landmark Supreme Court judgments on national security legislations, Terrorist and Disruptive Activities Act,1985 and the Prevention of Terrorism Act, i.e. Kartar Singh v Union of India [1] and PUCL v Union of India.[2]

Kinds of information and degree of control

The discussion then focused on the kinds of information that can be intercepted and collected. A crucial distinction was made here, between content data and metadata, the former being the content of the communication itself and the latter being information about the communication. As per Indian law, only content data is regulated and not meta-data. On whether a warrant should be issued by a Magistrate in his chambers or in camera, most participants agreed that in chambers was the better alternative. However, under the CIS Privacy Protection Bill, in chamber proceedings have been made optional, which stakeholders agreed should be discretionary depending on the case and its sensitivity.

Evidentiary Value

The foundation of this discussion, the Chair noted, is the evidentiary value given to information collected from interception of communications. For instance, the United States follows the exclusionary rule, also known as the “fruit of the poisonous tree rule”, where evidence collected from an improper investigation discredits the evidence itself as well as further evidence found on the basis of it.

Indian courts however, allow for the admission of evidence collected through improper collection, as does the UK. In Malkani v State of Maharashtra[3] the Supreme Court stated that an electronically recorded conversation can be admissible as evidence, and stated that evidence collected from an improper investigation can be relied upon for the discovery of further evidence - thereby negating the application of the exclusionary rule.

Emergent Circumstances: who should the authority be?

The next question posed to the participants was who the apt authority would be to allow surveillance in emergent circumstances. The CIS Privacy Protection Bill places this power with the Home Secretary, stating that if the Home Secretary is satisfied of a grave threat to national security, defence or public order, he can permit surveillance. The existing law under the Telegraph Act 1885 uses the term ‘unavoidable circumstance’, though not elaborating on what this amounts to for such situations, where an officer not below the rank of a Joint Secretary evaluates the request. In response to this question, a stakeholder suggested that the issuing authority should be limited to the police and administrative services alone. In the CIS Privacy Protection Bill - a review committee for such decisions relating to interception is comprised of senior administrative officials both at the Central and State Government level. A participant suggested that the review committee should also include the Defence secretary and the Home secretary.

Sharing of Information

The CIS Privacy Protection Bill states that information gathered from surveillance should not be shared be shared amongst persons, with the exception that if the information is sensitive in terms of national security or prejudicing an investigation, an authorised officer can share the information with an authorised officer of any other competent organisation.

A participant highlighted that this provision is lacking an authority for determining the sharing of information. Another participant noted that the sharing of information should be limited amongst certain governmental agencies, rather than to ‘any competent organisation.’

Proposals for Telecommunication Service Providers

In the Indian interception regime, although surveillance orders are passed by the Government, the actual interception of communication is done by the service provider. Certain proposals have been introduced to protect service providers from liability. For example, an execution provision ensures that a warrant is not served on a service provider more than seven days after it is issued. In addition an indemnity provision prevents any action being taken against a service provider in a court of law, and indemnifies them against any losses that arise from the execution of the warrant, but not outside the scope of the warrant. During discussions, stakeholders felt that the standard should be a blanket indemnity without any conditions to assure service providers.

Under the Indian interception regime, a service provider must also ensure confidentiality of the content and meta data of the intercepted communications. To this, a participant suggested that in situations of information collection, a service provider may have a policy for obtaining customer consent prior to the interception. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011 are clearer in this respect, which allow for the disclosure of information to governmental agencies without consent.

Another participant mentioned that the inconsistencies between laws on information disclosure and collection, such as the IT Act, the Right to Information Act and the recently enacted Whistleblower’s Protection Act, 2011 need to be harmonised. Other stakeholders agreed with this, though they stated that surveillance regulations should prevail over other laws in case of any inconsistency.

Conclusions

The inputs from the Bombay Roundtable seem to point towards a more regulated approach, with the addition of a review system to enhance accountability. While most stakeholders here agreed that national security is a criterion that takes precedence over concerns of privacy vis-à-vis surveillance, there is a concomitant need to define the limits of permissible interception. The view here is that a judicial model would prove to be a better system than the executive system; however, there is no clear answer as of yet on who would constitute this model. While the procedure for interception was covered in depth, the nature of the information itself was covered briefly and more discussion would be welcome here in forthcoming sessions.

Click to download the Report (PDF, 188 Kb)

[1]. 1994 4 SCC 569.

[2]. (1997) 1 SCC 301.

[3]. [1973] 2 S.C.R. 417.

For more details visit https://cis-india.org/internet-governance/blog/privacy-surveillance-roundtable-mumbai

Living in a Fish Bowl

praskrishna — 2014-07-16T07:15:22Z

Though India needs a comprehensive law on the right to privacy, it may not be ready for something as avant garde as the “right to be forgotten” on the Internet, argues Shuma Raha

The article by Shuma Raha was published in the Telegraph on July 16, 2014. Sunil Abraham gave his inputs.

If you do a Google search for journalist and television personality Barkha Dutt, a raft of scurrilous information about her pops up. It isn’t tucked away somewhere on the 10th page either — it’s all up front, right there in “autosuggest”, almost prompting you to go and check it out. And thanks to Google’s search algorithm, the more people click on that link, it further strengthens the score for that “hit”.

Dutt says she has brought the matter to the attention of Google, but to no avail. “I have lost interest in the whole struggle,” she says. “But Google definitely needs to do something about the slanderous, inaccurate, fictional information out there that creates a narrative of its own.”

Well, in Europe at least, the tech giant has taken a step in that direction. Late last month, it started erasing search results that threw up information deemed to be “irrelevant”, “outdated” or “excessive”. The move came after the European Court of Justice ruled that Internet search engines would have to allow people the “right to be forgotten” in specific cases and accordingly, take down information about them.

The European Court ruling has triggered a huge debate since an individual’s right to be forgotten seems to be at complete loggerheads with people’s right to know. Nevertheless, it’s a landmark decision when it comes to right to privacy on the Internet. After all, the online space has perma-memory and inaccurate or irrelevant or outdated information about a person can be embedded there forever, damaging him or her in manifold ways.

So how far are we in India from securing the right to be forgotten on the Internet?

The short answer to that is, very far. That is because India does not have a well-defined privacy regime wherein one could envisage a court of law handing out a similar — and some would say a somewhat radical — order on a Google or a Bing. “The right to be forgotten is a bit too advanced for us,” says Sunil Abraham, director, Centre for Internet and Society, a non-profit organisation that works on policy issues relating to freedom of expression and privacy. “After all, we are yet to come up with a privacy and data protection regime that implements the best practices of European countries.”

Adds Apar Gupta, a Delhi-based lawyer, who has written extensively on privacy issues, “Sector specific privacy legislation do exist, but they do not provide substantive rights or efficient remedy in case of violations.”
No one disputes that India should get a right to privacy law, especially one that relates to the collection, processing and use of personal data. Right now the government’s surveillance mechanisms like the Central Monitoring System and the Lawful Interception and Monitoring Systems allow security agencies and income tax authorities to intercept communication, snoop on phone conversations, read emails and SMSes with little or no safeguards for privacy protection.

A right to privacy bill has, in fact, been in the works since as early as 2011. But the government has been dragging its feet over it. Early this year, a new version of the draft bill was “leaked” to the press. But few are happy with it. On the positive side, it raises the penalty for unlawful interception of communication (from Rs 1 lakh to Rs 2 crore) and increases penalties for other offences such as obtaining personal data under false pretexts. But crucially, it almost wholly exempts intelligence agencies from the purview of the law, thereby allowing them unbridled access to personal information. Of course, no one knows if this “leaked” draft is indeed the official one.

Experts say that the government should really formulate a right to privacy law based on the recommendations of a committee chaired by Justice A.P. Shah. The report, which was published in 2012, proposes that the right to privacy be statutorily extended to all Indians. It recommends, among other things, the appointment of privacy commissioners and the formulation of certain “national privacy principles” such as taking the consent of the individual prior to the collection of data, allowing him the choice to withdraw such consent, limiting the use of personal information to the stated purpose and so on. The privacy principles would apply to all data collectors in both private and public sectors.
There are, of course, a number of provisions in existing laws that relate to privacy. For example, Rule 419A of the Indian Telegraph Rules, 1951, sets down certain privacy safeguards such as maintaining details about the officer ordering an intercept of telecommunication.

Moreover, Section 66E of the Information Technology Act, 2000, prescribes “punishment for the violation of privacy” (in the context of capturing “private” images of a person without his or her consent); Section 43A lays down that a “body corporate” will be liable to pay compensation in case it fails to protect personal data gathered in the course of its operation; and Section 79 stipulates that “intermediaries” — entities such as Google, Facebook, Twitter — would have to take down any information stored or transmitted by them that is found to be grossly harassing, defamatory, blasphemous, obscene, pornographic and so on, within 36 hours of being notified.

Of course, this section of the IT Act has been roundly criticised as arbitrary and Draconian, but that is another story.
The point is that despite the fair number of privacy provisions, in the absence of a comprehensive law, the untrammelled and unauthorised use of personal data cannot be ruled out. “Every country in the world collects personal data. But once the data are collected for a particular purpose they should not be used for any other purpose. The law has to be in a position to catch the violators,” says Kamlesh Bajaj, CEO of Data Security Council of India, an organisation that works to promote data protection and privacy best practices.

As always, the key issue is that an individual’s right to privacy has to be balanced with public interest. And it is in that context that experts feel that even if India were to have a privacy law, it is probably not ready for something akin to the European Court ruling on the right to be forgotten. As Gupta says, “It raises a real danger of public personalities blocking legitimate journalism on grounds of privacy. This is specially true in a country like India which permits a high degree of illegality in the name of secrecy and confidentiality.”

Abraham agrees with that view. “I’m not sure if the right to be forgotten will enhance privacy or usher in a level of censorship,” he says.

As Europe grapples with that debate, India’s privacy warriors are asking for something far more fundamental — a comprehensive law that guarantees the right to privacy to all.

For more details visit https://cis-india.org/news/the-telegraph-july-16-2014-living-in-a-fish-bowl

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

COAI, Centre for Internet & Society to hold pan-India meetings on privacy issues

praskrishna — 2014-07-07T07:37:34Z

In order to discuss possible legal frameworks to enable surveillance of voice and data communications in India, the Cellular Operators' Association of India (COAI) along with the Centre for Internet and Society (CIS) will hold seven roundtable meetings across the country in the coming weeks on privacy and surveillance issues.

Originally published by IANS on July 4, 2014 the news was mirrored in the Times of India, NDTV, Business Standard, Economic Times, and World News on the same day. Bhairav Acharya gave his inputs.

The recommendations and dialogues from each of these roundtables will be compiled and submitted to the relevant ministries of the government, a statement issued by COAI said here on Friday.

The roundtable meetings will take place in Mumbai, Ahmedabad, Hyderabad, Bangalore, Chennai and twice in New Delhi.

These roundtables are closed-door meetings involving multiple stakeholders such as the industry leaders, policy makers, and experts from the legal fraternity and civil society.

In the era of freedom, when data connectivity via the internet, has emerged as one of the most powerful tools for communications, infringement of customer privacy by government agencies through telecom networks have forced the industry to initiate discussions on the international best practices on communications privacy and surveillance, and the relevant Indian jurisprudence.

"COAI, with the Centre for Internet and Society has taken this initiative by bringing the relevant stakeholders on a common platform to discuss the matter to arrive at an acceptable conclusion," COAI Director General Rajan S Mathews said.

According to Bhairav Acharya, who advises the CIS: "Legal reform is necessary to identify the limits of permissible surveillance, the protection of privacy, the procedure of intercepting communications, the expectations of service providers, and freedom of all Indians. The law must keep up with technological advancements to create a balanced, proportionate and fair mechanism to enable and regulate surveillance. This will serve India’s national interest."

For more details visit https://cis-india.org/news/ians-july-4-2014-coai-cis-to-hold-pan-india-meetings-on-privacy-issues

Free Speech and Surveillance

Gautam Bhatia — 2014-07-07T04:59:59Z

Gautam Bhatia examines the constitutionality of surveillance by the Indian state.

The Indian surveillance regime has been the subject of discussion for quite some time now. Its nature and scope is controversial. The Central Monitoring System, through which the government can obtain direct access to call records, appears to have the potential to be used for bulk surveillance, although official claims emphasise that it will only be implemented in a targeted manner. The Netra system, on the other hand, is certainly about dragnet collection, since it detects the communication, via electronic media, of certain “keywords” (such as “attack”, “bomb”, “blast” and “kill”), no matter what context they are used in, and no matter who is using them.

Surveillance is quintessentially thought to raise concerns about privacy. Over a series of decisions, the Indian Supreme Court has read in the right to privacy into Article 21’s guarantee of the right to life and personal liberty. Under the Supreme Court’s (somewhat cloudy) precedents, privacy may only be infringed if there is a compelling State interest, and if the restrictive law is narrowly tailored – that is, it does not infringe upon rights to an extent greater than it needs to, in order to fulfill its goal. It is questionable whether bulk surveillance meets these standards.

Surveillance, however, does not only involve privacy rights. It also implicated Article 19 – in particular, the Article 19(1)(a) guarantee of the freedom of expression, and the 19(1)(c) guarantee of the freedom of association.

Previously on this blog, we have discussed the “chilling effect” in relation to free speech. The chilling effect evolved in the context of defamation cases, where a combination of exacting standards of proof, and prohibitive damages, contributed to create a culture of self-censorship, where people would refrain from voicing even legitimate criticism for fear of ruinous defamation lawsuits. The chilling effect, however, is not restricted merely to defamation, but arises in free speech cases more generally, where vague and over-broad statutes often leave the border of the permitted and the prohibited unclear.

Indeed, a few years before it decided New York Times v. Sullivan, which brought in the chilling effect doctrine into defamation and free speech law, the American Supreme Court applies a very similar principle in a surveillance case. In NAACP v. Alabama, the National Association for the Advancement of Coloured People (NAACP), which was heavily engaged in the civil rights movement in the American deep South, was ordered by the State of Alabama to disclose its membership list. NAACP challenged this, and the Court held in its favour. It specifically connected freedom of speech, freedom of association, and the impact of surveillance upon both:

“Effective advocacy of both public and private points of view, particularly controversial ones, is undeniably enhanced by group association, as this Court has more than once recognized by remarking upon the close nexus between the freedoms of speech and assembly. It is beyond debate that freedom to engage in association for the advancement of beliefs and ideas is an inseparable aspect of the “liberty” assured by the Due Process Clause of the Fourteenth Amendment, which embraces freedom of speech. Of course, it is immaterial whether the beliefs sought to be advanced by association pertain to political, economic, religious or cultural matters, and state action which may have the effect of curtailing the freedom to associate is subject to the closest scrutiny… it is hardly a novel perception that compelled disclosure of affiliation with groups engaged in advocacy may constitute [an] effective a restraint on freedom of association… this Court has recognized the vital relationship between freedom to associate and privacy in one’s associations. Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs.”

In other words, if persons are not assured of privacy in their association with each other, they will tend to self-censor both who they associate with, and what they say to each other, especially when unpopular groups, who have been historically subject to governmental or social persecution, are involved. Indeed, this was precisely the argument that the American Civil Liberties Union (ACLU) made in its constitutional challenge to PRISM, the American bulk surveillance program. In addition to advancing a Fourth Amendment argument from privacy, the ACLU also made a First Amendment freedom of speech and association claim, arguing that the knowledge of bulk surveillance had made – or at least, was likely to have made – politically unpopular groups wary of contacting it for professional purposes (the difficulty, of course, is that any chilling effect argument effectively requires proving a negative).

If this argument holds, then it is clear that Articles 19(1)(a) and 19(1)(c) are prima facie infringed in cases of bulk – or even other forms of – surveillance. Two conclusions follow: first, that any surveillance regime needs statutory backing. Under Article 19(2), reasonable restrictions upon fundamental rights can only be imposed by law, and not be executive fiat (the same argument applies to Article 21 as well).

Assuming that a statutory framework is brought into force, the crucial issue then becomes whether the restriction is a reasonable one, in service of one of the stated 19(2) interests. The relevant part of Article 19(2) permits reasonable restrictions upon the freedom of speech and expression “in the interests of… the security of the State [and] public order.” The Constitution does not, however, provide a test for determining when a restriction can be legitimately justified as being “in the interests of” the security of the State, and of public order. There is not much relevant precedent with respect to the first sub-clause, but there happens to be an extensive – although conflicted – jurisprudence dealing with the public order exception.

One line of cases – characterised by Ramji Lal Modi v. State of UP and Virendra v. State of Punjab – has held that the phrase “for the interests of” is of very wide ambit, and that the government has virtually limitless scope to make laws ostensibly for securing public order (this extends to prior restraint as well, something that Blackstone, writing in the 18^th century, found to be illegal!). The other line of cases, such as Superintendent v. Ram Manohar Lohia and S. Rangarajan v. P. Jagjivan Ram, have required the government to satisfy a stringent burden of proof. In Lohia, for instance, Ram Manohar Lohia’s conviction for encouraging people to break a tax law was reversed, the Court holding that the relationship between restricting free speech and a public order justification must be “proximate”. In Rangarajan, the Court used the euphemistic image of a “spark in a powder keg”, to characterise the degree of proximity required. It is evident that under the broad test of Ramji Lal Modi, a bulk surveillance system is likely to be upheld, whereas under the narrow test of Lohia, it is almost certain not to be.

Thus, if the constitutionality of surveillance comes to Court, three issues will need to be decided: first, whether Articles 19(1)(a) and 19(1)(c) have been violated. Secondly – and if so – whether the “security of the State” exception is subject to the same standards as the “public order” exception (there is no reason why it should not be). And thirdly, which of the two lines of precedent represent the correct understanding of Article 19(2)?

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and has just received an LLM from the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he blogs on issues of online freedom of speech and expression.

For more details visit https://cis-india.org/internet-governance/blog/free-speech-and-surveillance

The Constitutionality of Indian Surveillance Law: Public Emergency as a Condition Precedent for Intercepting Communications

bedaavyasa — 2014-08-04T04:52:42Z

Bedavyasa Mohanty analyses the nuances of interception of communications under the Indian Telegraph Act and the Indian Post Office Act. In this post he explores the historical bases of surveillance law in India and examines whether the administrative powers of intercepting communications are Constitutionally compatible.

Introduction

State authorised surveillance in India derives its basis from two colonial legislations; §26 of the Indian Post Office Act, 1898 and §5 of the Telegraph Act, 1885 (hereinafter the Act) provide for the interception of postal articles[1] and messages transmitted via telegraph[2] respectively. Both of these sections, which are analogous, provide that the powers laid down therein can only be invoked on the occurrence of a public emergency or in the interest of public safety. The task of issuing orders for interception of communications is vested in an officer authorised by the Central or the State government. This blog examines whether the preconditions set by the legislature for allowing interception act as adequate safeguards. The second part of the blog analyses the limits of discretionary power given to such authorised officers to intercept and detain communications.

Surveillance by law enforcement agencies constitutes a breach of a citizen’s Fundamental Rights of privacy and the Freedom of Speech and Expression. It must therefore be justified against compelling arguments against violations of civil rights. Right to privacy in India has long been considered too ‘broad and moralistic’[3] to be defined judicially. The judiciary, though, has been careful enough to not assign an unbound interpretation to it. It has recognised that the breach of privacy has to be balanced against a compelling public interest [4] and has to be decided on a careful examination of the facts of a certain case. In the same breath, Indian courts have also legitimised surveillance by the state as long as such surveillance is not illegal or unobtrusive and is within bounds [5]. While determining what constitutes legal surveillance, courts have rejected “prior judicial scrutiny” as a mandatory requirement and have held that administrative safeguards are sufficient to legitimise an act of surveillance. [6]

Conditions Precedent for Ordering Interception

§§5(2) of the Telegraph Act and 26(2) of the Indian Post Office Act outline a two tiered test to be satisfied before the interception of telegraphs or postal articles. The first tier consists of sine qua nons in the form of an “occurrence of public emergency” or “in the interests of public safety.” The second set of requirements under the provisions is “the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.” While vesting the power of interception in administrative officials, the sections contemplate a legal fiction where a public emergency exists and it is in the interest of sovereignty, integrity, security of the state or for the maintenance of public order/ friendly relations with foreign states. The term “public emergency,” however, has not been clearly defined by the legislature or by the courts. It thus vests arbitrary powers in a delegated official to order the interception of communication violating one’s Fundamental Rights.

Tracing the History of the Expression “Public Emergency”

The origins of the laws governing interception can be traced back to English laws of the late 19th Century; specifically one that imposed a penalty on a postal officer who delayed or intercepted a postal article.[7] This law guided the drafting of the Indian Telegraph Act in 1885 that legitimised interception of communications by the state. The expression “public emergency” appeared in the original Telegraph Act of 1885 and has been adopted in that form in all subsequent renderings of provisions relating to interception. Despite the contentious and vague nature of the expression, no consensus regarding its interpretation seems to have been arrived at. One of the first post-independence analyses of this provision was undertaken by the Law Commission in 1968. The 38th Law Commission in its report on the Indian Post Office Act, raised concerns about the constitutionality of the expression. The Law Commission was of the opinion that the term not having been defined in the constitution cannot serve as a reasonable ground for suspension of Fundamental Rights.[8] It further urged that a state of public emergency must be of such a nature that it is not secretive and is apparent to a reasonable man.[9] It thus challenged the operation of the act in its then current form where the determination of public emergency is the discretion of a delegated administrative official. The Commission, in conclusion, implored the legislature to amend the laws relating to interception to bring them in line with the Constitution. This led to the Telegraph (Amendment) Act of 1981. Questions regarding the true meaning of the expression and its potential misuse were brought up in both houses of the Parliament during passing of the amendment. The Law Ministry, however, did not issue any additional clarifications regarding the terms used in the Act. Instead, the Government claimed that the expressions used in the Act are “exactly those that are used in the Constitution.” [10] It may be of interest to note here that the Constitution of India, neither uses nor defines the term “public emergency.” Naturally, it is not contemplated as a ground for reasonably restricting Fundamental Rights provided under Article 19(1). [11] Similarly, concerns regarding the potential misuse of the powers were defended with the logically incompatible and factually inaccurate position that the law had not been misused in the past.[12]

Locating “Public Emergency” within a Proclamation of Emergency under the Constitution (?)

Public emergency in not equivalent to a proclamation of emergency under Article 352 of the Constitution simply because it was first used in legislations over six decades before the drafting of the Indian Constitution began. Besides, orders for interception of communications have also been passed when the state was not under a proclamation of emergency. Moreover, public emergency is not the only prerequisite prescribed under the Act. §5(2) states that an order for interception can be passed either on the occurrence of public emergency or in the interest of public safety. Therefore, the thresholds for the satisfaction of both have to be similar or comparable. If the threshold for the satisfaction of public emergency is understood to be as high as a proclamation of emergency then any order for interception can be passed easily under the guise of public safety. The public emergency condition will then be rendered redundant. Public emergency is therefore a condition that is separate from a proclamation of emergency.

In a similar vein the Supreme Court has also clarified[13] that terms like “public emergency” and “any emergency,” when used as statutory prerequisites, refer to the occurrence of different kinds of events. These terms cannot be equated with one another merely on the basis of the commonality of one word.

The Supreme Court in Hukam Chand v. Union of India,[14] correctly stated that the terms public emergency and public safety must “take colour from each other.” However, the court erred in defining public emergency as a situation that “raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.” This cyclic definition does not lend any clarity to the interpretive murk surrounding the term. The Act envisages public emergency as a sine qua non that must exist prior to a determination that there is a threat to public order and sovereignty and integrity of the state. The court’s interpretation on the other hand would suggest that a state of public emergency can be said to exist only when public order, sovereignty and integrity of the state are already threatened. Therefore, while conditions precedent exist for the exercise of powers under §5(2) of the Act, there are no objective standards against which they are to be tested.

Interpretation of Threshold Requirements

A similar question arose before the House of Lords in Liversidge v. Anderson.[15] The case examined the vires of an Act that vested an administrative authority with the conditional power to detain a person if there was reasonable cause to believe that the person was of hostile origin. Therein, Lord Atkin dissenting with the majority opinion stated in no unclear terms that power vested in the secretary of state was conditional and not absolute. When a conditional authority is vested in an administrative official but there aren’t any prescriptive guidelines for the determination of the preconditions, then the statute has the effect of vesting an absolute power in a delegated official. This view was also upheld by the Supreme Court in State of Madhya Pradesh v. Baldeo Prasad.[16] The court was of the opinion that a statute must not only provide adequate safeguards for the protection of innocent citizens but also require the administrative authority to be satisfied as to the existence of the conditions precedent laid down in the statute before making an order. If the statute failed to do so in respect of any condition precedent then the law suffered from an infirmity and was liable to be struck down as invalid.[17] The question of the existence of public emergency, therefore being left to the sole determination of an administrative official is an absolute and arbitrary power and is ultra vires the Constitution

Interestingly, in its original unamended form, §5 contained a provisio stating that a determination of public emergency was the sole authority of the secretary of state and such a finding could not be challenged before a court of law. It is this provision that the government repealed through the Telegraph (Amendment) Act of 1981 to bring it in line with Constitutional principles. The preceding discussion shows that the amendment did not have the effect of rectifying the law’s constitutional infirmities. Nonetheless, the original Telegraph Act and its subsequent amendment are vital for understanding the compatibility of surveillance standards with the Constitutional principles. The draconian provisio in the original act vesting absolute powers in an administrative official illustrates that the legislative intent behind the drafting of a 130 year law cannot be relied on in today’s context. Vague terms like public emergency that have been thoughtlessly adopted from a draconian law find no place in a state that seeks to guarantee to its citizens rights of free speech and expression.

Conclusion

Interception of communications under the Telegraph Act and the Indian Post office act violate not only one’s privacy but also one’s freedom of speech and expression. Besides, orders for the tapping of telephones violate not only the privacy of the individual in question but also that of the person he/she is communicating with. Considering the serious nature of this breach it is absolutely necessary that the powers enabling such interception are not only constitutionally authorised but also adequately safeguarded. The Fundamental Rights declared by Article 19(1) cannot be curtailed on any ground outside the relevant provisions of Cls. 2-6.[18] The restrictive clauses in Cls. (2)-(6) of Article 19 are exhaustive and are to be strictly construed.[19] Public emergency is not one of the conditions enumerated under Article 19 for curtailing fundamental freedoms. Moreover, it lacks adequate safeguards by vesting absolute discretionary power in a non-judicial administrative authority. Even if one were to ignore the massive potential for misuse of these powers, it is difficult to conceive that the interception provisions would stand a scrutiny of constitutionality.

Over the course of the last few years, India has been dangerously toeing the line that keeps it from turning into a totalitarian surveillance state. [20] In 2011, India was the third most intrusive state[21] with 1,699 requests for removal made to Google; in 2012 that number increased to 2529[22]. The media is abuzz with reports about the Intelligence Bureau wanting Internet Service Providers to log all customer details [23] and random citizens being videotaped by the Delhi Police for “looking suspicious.” It becomes essential under these circumstances to question where the state’s power ends and a citizens’ privacy begins. Most of the information regarding projects like the CMS and the CCTNS is murky and unconfirmed. But under the pretext of national security, government officials have refused to divulge any information regarding the kind of information included within these systems and whether any accountability measures exist. For instance, there have been conflicting opinions from various ministers regarding whether the internet would also be under the supervision of the CMS [24]. Even more importantly, citizens are unaware of what rights and remedies are available to them in instances of violation of their privacy.

The intelligence agencies that have been tasked with handling information collected under these systems have not been created under any legislation and therefore not subject to any parliamentary oversight. Attempts like the Intelligence Services (Powers and Regulation) Bill, 2011 have been shelved and not revisited since their introduction. The intelligence agencies that have been created through executive orders enjoy vast and unbridled powers that make them accountable to no one[25]. Before, vesting the Indian law enforcement agencies with sensitive information that can be so readily misused it is essential to ensure that a mechanism to check the use and misuse of that power exists. A three judge bench of the Supreme Court has recently decided to entertain a Public Interest Litigation aimed at subjecting the intelligence agencies to auditing by the Comptroller and Auditor General of India. But the PIL even if successful will still only manage to scratch the surface of all the wide and unbridled powers enjoyed by the Indian intelligence agencies. The question of the constitutionality of interception powers, however, has not been subjected to as much scrutiny as is necessary. Especially at a time when the government has been rumoured to have already obtained the capability for mass dragnet surveillance such a determination by the Indian courts cannot come soon enough.

[1] Indian Post Office Act, 1898, § 26

[2] Indian Telegraph Act, 1885 § 5(2)

[3] PUCL v. Union of India, AIR 1997 SC 568

[4] Govind vs. State of Madhya Pradesh, (1975) 2 SCC 148

[5] Malak Singh vs. State Of Punjab & Haryana, AIR 1981 SC 760

[6] Supra note 3

[7] Law Commission, Indian Post Office Act, 1898 (38^th Law Commission Report) para 84

[8] ibid

[9] id

[10] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[11] The Constitution of India, Article 358- Suspension of provisions of Article 19 during emergencies

[12] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[13] Hukam Chand v. Union of India, AIR 1976 SC 789

[14] ibid

[15] Liversidge v. Anderson [1942] A.C. 206

[16] State of M.P. v. Baldeo Prasad, AIR 1961 (SC) 293 (296)

[17] ibid

[18] Ghosh O.K. v. Joseph E.X. Air 1963 SC 812; 1963 Supp. (1) SCR 789

[19] Sakal Papers (P) Ltd. v. Union of India, AIR 1962 SC 305 (315); 1962 (3) SCR 842

[20] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[21] Willis Wee, Google Transparency Report: India Ranks as Third ‘Snoopiest’ Country, July 6, 2011 available at http://www.techinasia.com/google-transparency-report-india/ (last visited on July 2, 2014)

[22] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[23] Joji Thomas Philip, Intelligence Bureau wants ISPs to log all customer details, December 30, 2010 http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps (last visited on July 2, 2014)

[24] Deepa Kurup, In the dark about ‘India’s Prism’ June 16, 2013 available at http://www.thehindu.com/sci-tech/technology/in-the-dark-about-indias-prism/article4817903.ece

[25] Saikat Dutta, We, The Eavesdropped May 3, 2010 available at http://www.outlookindia.com/article.aspx?265191 (last visited on July 2, 2014)

For more details visit https://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law

Implications of post-Snowden Internet localization proposals

praskrishna — 2014-07-03T07:09:25Z

The Ninth Annual Internet Governance Forum (IGF) Meeting will be held in Istanbul, Turkey on 2-5 September 2014. The venue of the meeting is Lütfi Kirdar International Convention and Exhibition Center (ICEC).

Sunil Abraham will be speaking in this workshop organized by Internet Society and Center for Democracy and Technology at the IGF.

Following the 2013-2014 disclosures of large-scale pervasive surveillance of Internet traffic, various proposals to "localize" Internet users' data and change the path that Internet traffic would take have started to emerge.

Examples include mandatory storage of citizens' data within country, mandatory location of servers within country (e.g. Google, Facebook), launching state-run services (e.g. email services), restricted transborder Internet traffic routes, investment in alternate backbone infrastructure (e.g. submarine cables, IXPs), etc.

Localization of data and traffic routing strategies can be powerful tools for improving Internet experience for end-users, especially when done in response to Internet development needs. On the other hand, done uniquely in response to external factors (e.g. foreign surveillance), less optimal choices may be made in reactive moves.

How can we judge between Internet-useful versus Internet-harmful localisation and traffic routing approaches? What are the promises of data localization from the personal, community and business perspectives? What are the potential drawbacks? What are implications for innovation, user choice and the availability of online services in the global economy? What impact might they have on a global and interoperable Internet? What impact (if any) might these proposals have on user trust and expectations of privacy?

The objective of the session is to gather diverse perspectives and experiences to better understand the technical, social and economic implications of these proposals.

Name(s) and stakeholder and organizational affiliation(s) of institutional co-organizer(s)

Organizer:
Nicolas Seidler, Policy advisor
Technical community
Internet Society
Co-organizer:
Matthew Shears
Civil society
Center for Democracy and Technology

Names and affiliations (stakeholder group, organization) of speakers the proposer is planning to invite

Mr. Chris Riley, Senior Policy Engineer, Mozilla Corporation, Private sector (CONFIRMED)
Mr. Jari Arkko, Chair of the Internet Engineering Task Force, Technical community (CONFIRMED)
Mr. Christian Kaufmann, Director Network Architecture at Akamai Technologies, Private sector (CONFIRMED)
Ms. Emma Llanso, Director of Free Expression Project, Center for Democracy and Technology, Civil Society (CONFIRMED)
Mr. Sunil Abraham, Executive Director, Center for Internet and Society, India, Civil Society (CONFIRMED)
Mr. Thomas Schneider, Deputy head of international affairs, Swiss Federal Office of Communication (OFCOM), Government (CONFIRMED)

Name of Moderator(s)

Nicolas Seidler, Policy advisor, Internet Society

Name of Remote Moderator(s)

Konstantinos Komaitis

For more details visit https://cis-india.org/news/igf-2014-session-post-snowden-localisation

Models for Surveillance and Interception of Communications Worldwide

bedaavyasa — 2014-07-10T07:50:08Z

This is an evaluation of laws and practices governing surveillance and interception of communications in 9 countries. The countries evaluated represent a diverse spectrum not only in terms of their global economic standing but also their intrusive surveillance capabilities. The analysis is limited to the procedural standards followed by these countries for authorising surveillance and provisions for resolving interception related disputes.

Sl. No.	Country	Legislation	Model
1.	Australia	Telecommunications (Interceptions and Access) Act, 1979 Governs interception of communications Relevant provisions: S. 3, 7, 6A, 34, 46 Surveillance Devices Act, 2004 Establishes procedure for obtaining warrants and for use of surveillance devices Relevant Provisions: S.13, 14	Authorisation for surveillance is granted in the form of a warrant from a Judge or a nominated member of the Administrative Appeals Tribunal The warrant issuing authority must be satisfied that information obtained through interception shall assist in the investigation of a serious crime The Acts provide a list of prescribed offences for which interception of communication may be authorized The Acts also specify certain federal and state law enforcement agencies that may undertake surveillance
2.	Brazil	Federal Law No. 9,296, 1996: Regulates wiretapping	Authorisation for interception is granted on a Judge’s order for a period of 15 days at a time Interception is only allowed for investigations into serious offences like drug smuggling, corruption murder and kidnapping
3.	Canada	Criminal Code, 1985 Governs general rules of criminal procedure including search and seizure protocols Relevant Provision: §§ 184.2, 184.4	Grants power to intercept communication by obtaining authorisation from a provincial court judge or a judge of the superior court Before granting his authorisation, the judge must be satisfied that either the originator of the communication or the recipient thereof has given his/her consent to the interception Under exceptional circumstances, however, a police officer owing to the exigency of the situation may intercept communication without prior authorisation
4.	France	*Loi d'orientation et de programmation pour la performance de la sécurité intérieure* (LOPPSI 2), 2011: Authorises use of video surveillance and interception of communications Relevant Provisions: Article 36 *Loi de Programmation Militaire* (LPM), 2013: Authorises surveillance for protection of national security and prevention of terrorism	Interception of communication under LOPPSI 2 requires previous authorization from an investigating Judge after consultation with the Public Prosecutor Such authorization is granted for a period of 4 months which is further extendable by another 4 months Interception of communication under LPM does not require prior sanction from an investigating judge and is instead provided by the Prime Minister’s office Information that can be intercepted under LPM includes not only metadata but also content and geolocation services
5.	Germany	Gesetz zur Beschränkung des Brief-, Post und Fernmeldegeheimnisses (G10 Act), 2001 Imposes restrictions on the right to privacy and authorizes surveillance for protecting freedom and democratic order, preventing terrorism and illegal drug trade Relevant Provisions: §3 The German Code of Criminal Procedure (StPO), 2002 Lays down search and seizure protocol and authorizes interception of telecommunications for criminal prosecutions Relevant Provisions: §§ 97, 100a	Authorises warrantless surveillance by specific German agencies like the Bundesnachrichtendienst (Federal Intelligence Service) Lays down procedure that must be followed while undertaking surveillance and intercepting communications Authorises sharing of intercepted intelligence for criminal prosecutions Mandates ex post notification to persons whose privacy has been violated but no judicial remedies are available to such persons The Code of Criminal Procedure authorises interception of communication of a person suspected of being involved in a serious offence only on the order of a court upon application by the public prosecution office
6.	Pakistan	Pakistan Telecommunications Reorganisation Act, 1996: Controls the flow of false and fabricated information and protects national security Relevant Provisions: § 54 Investigation for Fair Trial Act, 2013: Regulates the powers of law enforcement and intelligence agencies regarding covert surveillance and interception of communications Relevant Provisions: §§ 6,7, 8, 9	Authorisation for interception is provided by the federal government. No formal legal structure to monitor surveillance exists Interception can be authorized in the interest of national security and on the apprehension of any offence Requests for filtering and blocking of content are routed through the Inter-Ministerial Committee for the Evaluation of Websites, a confidential regulatory body Under the Fair Trial Act, interception can only be authorised on application to the Fedral Minister for Interior who shall then permit the application to be placed before a High Court Judge The warrant shall be issued by a judge only on his satisfaction that interception will aid in the collection of evidence and that a reasonable threat of the commission of a scheduled offence exists
7.	South Africa	The Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002 Regulates and authorizes monitoring and interception of telecommunications services Relevant Provisions: §§ 16, 22	Warrant for intercepting communications and installing surveillance devices is granted by a designated judge The warrant is issued on satisfaction of the judge that the investigation relates to a serious offence or that the information gathering is vital to public health or safety, national security or compelling national economic interests
8.	United Kingdom	Regulation of Investigatory Powers Act, 2000: Authorises interception of communications and surveillance Relevant Provisions: §§ 5, 6, 65	Authorisation for interception is granted in the form of a warrant by the Secretary of State or in certain special cases by a ‘senior officer’ Communications can be intercepted only it is necessary to do so in the interest of national security or for the purpose of preventing and detecting serious crimes Complaints of alleged illegal surveillance are heard by the Investigatory Powers Tribunal
9.	United States	Electronic Communications Privacy Act, 1986 (Title III, Omnibus Crime Control and Safe Streets Act) Governs authorisation for wiretapping and interception Relevant Provisions: §18	Authorisation for interception can be granted by a district court or federal appeals court on application by a law enforcement officer duly signed by the attorney general Application mandates obtaining the information through a service provider before invading upon individual’s privacy

For more details visit https://cis-india.org/internet-governance/blog/models-for-surveillance-and-interception-of-communications-worldwide

June 2014 Bulletin

praskrishna — 2014-07-14T10:05:11Z

Our newsletter for month of June is below:

Highlights

Nehaa Chaudhari participated in a Stakeholders Consultation organized by the Planning Commission and the Ministry of Human Resource Development in New Delhi, February 21, 2014, on Mapping Institutions of Intellectual Property. She blogged about the outcome in a two-part series. The first part discusses establishment of a National Institute of Intellectual Property Rights and the second part deals with the documents introduced at the Stakeholders’ Consultation for India’s National Programme on Intellectual Property.
For the first time in the history of Indian books, 10 Telugu books by a single author were released under Creative Commons license (CC-BY-SA 3.0). These books will be uploaded on Telugu Wikisource and converted into Unicode (searchable) text. This will ensure that these books are freely read, both online and offline in various formats like PDF, epub, mobi, text, etc. This is a major milestone initiative by CIS-A2K to make the sum of all knowledge in Telugu freely available to all Telugus over the internet.
ICANN published a call for public comments on "Enhancing ICANN Accountability" in the wake of the IANA stewardship transition spearheaded by ICANN and related concerns of ICANN's external and internal accountability mechanisms. CIS submitted its comments.
ICANN sought comments on the existing barriers to Registrar Accreditation and operation and suggestions on how these challenges might be mitigated. CIS sent its comments.
Vodafone, the world’s second largest mobile carrier released a report disclosing to what extent governments can request their customers’ data. Joe Sheehan analyses the report to tell us that if more companies were transparent about the level of government surveillance their customers were being subjected to then the public would press the government for stronger privacy safeguards and protections.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing two projects. The first project is on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India. We compiled the National Compendium of Policies, Programmes and Schemes for Persons with Disabilities (29 states and 6 union territories). We will be publishing this soon. The draft chapters along with the quarterly reports can be accessed on the project page. The second project is on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here.

NVDA and eSpeak

►Monthly Update

Work Report for June (by Suman Dogra, June 30, 2014).

►Other

Blog Entry

For a Truly Inclusive Consultative Process (by Amba Salelkar, June 25, 2014).

Media Coverage

NISH Website to Help the Disabled (The New Indian Express, June 26, 2014).

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Analysis

Mapping Institutions of Intellectual Property (Part A): India's National Programme on Intellectual Property Management (by Nehaa Chaudhari, June 10, 2014). This discusses establishment of a National Institute of Intellectual Property Rights.
Mapping Institutions of Intellectual Property: Part B — India's National Program on Intellectual Property Management (by Nehaa Chaudhari, June 26, 2014). This deals with the documents introduced at the Stakeholders’ Consultation for India’s National Program on Intellectual Property

►Participation in Event

Yogyakarta Meeting on Open Culture and Critical Making (organized by organized by HONF Foundation, Catec, and r0g, June 12 – 15, 2014). Sharath Chandra Ram was a panelist.

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

The following were done this month:

►Articles / Blog Entries

Twitter weekly Curation WeAreWikipedia brings one Wikipedian Every Week (by Diptiman Panigrahi, June 16, 2014).
This Twitter Account Puts a Face to the Unsung Volunteer Editors Behind Wikipedia (by Subhashish Panigrahi, Global Voices, June 18, 2014).
Odia Language gets a new Unicode Font Converter (by Subhashish Panigrahi, June 20, 2014).
Ten Telugu Books Re-released Under CC-BY-SA 3.0 License (by Rahmanuddin Shaik, June 22, 2014).

►Events Organized

Kannada Wikipedia Workshop for Kannada Book Lovers (co-organized by Navakarnataka Publications, Bangalore, June 4, 2014). Dr. U.B.Pavanaja conducted the workshop.
Knowledge and Openness in the Digital Era (co-organized by Andhra Loyola College and CIS, Vijaywada, June 24-25, 2014).

►News and Media Coverage
CIS gave its inputs to the following media coverage:

Knowledge and Openness in the Digital Era: Coverage in Sakshi (Sakshi, June 25, 2014).
Knowledge and Openness in the Digital Era: Coverage in Enadu (Enadu, June 25, 2014).
Loyola Faculty Enlightened About Open Edn Resources (The New Indian Express, June 25, 2014).

Internet Governance

Freedom of Expression

As part of our project on Freedom of Expression (funded through a grant from the MacArthur Foundation) to study the restrictions placed on freedom of expression online by the Indian government and contribute to the debates around Internet governance and freedom of expression at forums like ICANN, ITU, IGF, WSIS, etc., we bring you the following outputs:

►Submissions

CIS Comments: Enhancing ICANN Accountability (by Geetha Hariharan, June 10, 2014).
Comments to ICANN Supporting the DNS Industry in Underserved Regions (by Jyoti Panday, June 13, 2014).

►Blog Entries

Free Speech and Contempt of Court: Overview (by Gautam Bhatia, June 8, 2014).
Multi-stakeholder Models of Internet Governance within States: Why, Who & How? (by Geetha Hariharan, June 16, 2014).
UN Human Rights Council Urged to Protect Human Rights Online (by Geetha Hariharan, June 19, 2014).
Free Speech and Source Protection for Journalists (by Gautam Bhatia, June 19, 2014).
WSIS+10 High Level Event: A Bird's Eye Report (by Geetha Hariharan, June 20, 2014).
Understanding IANA Stewardship Transition (by Smarika Kumar, June 22, 2014).
IANA Transition: Suggestions for Process Design (by Smarika Kumar, June 22, 2014).
Free Speech and Civil Defamation (by Gautam Bhatia, June 25, 2014).
CIS Policy Brief: IANA Transition Fundamentals & Suggestions for Process Design (by Geetha Hariharan and Smarika Kumar, June 22, 2014).
An Evidence based Intermediary Liability Policy Framework: Workshop at IGF (by Jyoti Panday, June 30, 2014).

►FOEX Live
We are also posting a selection of news from across India implicating online freedom of expression and use of digital technology: June 8 – 15, 2014 and June 16 – 23, 2014.

Privacy

As part of our Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project with Privacy International we are engaged in enhancing respect for the right to privacy in developing countries. We have produced the following outputs during the month:

►Blog Entries

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicatory Officers under the IT Act (by Divij Joshi, June 16, 2014).
Content Removal on Facebook — A Case of Privatised Censorship? (by Jessamine Mathew, June 16, 2014).
Vodafone Report Explains Government Access to Customer Data (by Joe Sheehan, June 16, 2014).

►Event Organized

Privacy and Surveillance Roundtable (co-organized with the Cellular Operators Association of India and the Council for Fair Business Practices, June 28, 2014, IMC Building, Churchgate, Mumbai).

►Participation in Events

Commonwealth Domain Name System Forum 2014 (organized by the CTO, hosted by ICANN, and supported by Nominet and the Public Interest Registry, London, June 19, 2014). Pranesh Prakash was a panelist. Jyoti Panday participated in the event.
Research Advisory Network Meeting (organized by the Global Commission on Internet Governance’s Research Advisory Network, OECD Headquarters, Paris, June 26-27, 2014). Sunil Abraham was a panelist.

►News & Media Coverage

CIS gave its inputs to the following media coverage:

Right to be forgotten poses a legal dilemma in India (by Leslie D' Monte, Livemint, June 5, 2014).
Stay connected even when you go underground (by Sunita Sekhar, The Hindu, June 12, 2014).

Digital Humanities

CIS is building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia:

►Blog Entries

Not a Goodbye; More a ‘Come Again’: Thoughts on being Research Director at a moment of transition (by Nishant Shah, June 15, 2014).
Living in the Archival Moment (by P.P. Sneha, June 19, 2014).

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

►Newspaper Column

A Great Start (for the Modi government) (by Shyam Ponappa, Business Standard and Organizing India Blogspot, June 5, 2014).

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

► Follow us elsewhere

Twitter: https://twitter.com/CISA2K
Facebook group: https://www.facebook.com/cisa2k
Visit us at: https://meta.wikimedia.org/wiki/India_Access_To_Knowledge
E-mail: a2k@cis-india.org

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71

► Request for Collaboration:

We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org. To discuss collaborations on Indic language Wikipedia, write to T. Vishnu Vardhan, Programme Director, A2K, at vishnu@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/june-2014-bulletin

An Evidence based Intermediary Liability Policy Framework: Workshop at IGF

jyoti — 2014-07-04T06:41:10Z

CIS is organising a workshop at the Internet Governance Forum 2014. The workshop will be an opportunity to present and discuss ongoing research on the changing definition of intermediaries and their responsibilities across jurisdictions and technologies and contribute to a comprehensible framework for liability that is consistent with the capacity of the intermediary and with international human-rights standards.

The Centre for Internet and Society, India and Centre for Internet and Society, Stanford Law School, USA, will be organising a workshop to analyse the role of intermediary platforms in relation to freedom of expression, freedom of information and freedom of association at the Internet Governance Forum 2014. The aim of the workshop is to highlight the increasing importance of digital rights and broad legal protections of stakeholders in an increasingly knowledge-based economy. The workshop will discuss public policy issues associated with Internet intermediaries, in particular their roles, legal responsibilities and related liability limitations in context of the evolving nature and role of intermediaries in the Internet ecosystem. distinct

Online Intermediaries: Setting the context

The Internet has facilitated unprecedented access to information and amplified avenues for expression and engagement by removing the limits of geographic boundaries and enabling diverse sources of information and online communities to coexist. Against the backdrop of a broadening base of users, the role of intermediaries that enable economic, social and political interactions between users in a global networked communication is ubiquitous. Intermediaries are essential to the functioning of the Internet as many producers and consumers of content on the internet rely on the action of some third party–the so called intermediary. Such intermediation ranges from the mere provision of connectivity, to more advanced services such as providing online storage spaces for data, acting as platforms for storage and sharing of user generated content (UGC), or platforms that provides links to other internet content.

Online intermediaries enhance economic activity by reducing costs, inducing competition by lowering the barriers for participation in the knowledge economy and fuelling innovation through their contribution to the wider ICT sector as well as through their key role in operating and maintaining Internet infrastructure to meet the network capacity demands of new applications and of an expanding base of users.

Intermediary platforms also provide social benefits, by empowering users and improving choice through social and participative networks, or web services that enable creativity and collaboration amongst individuals. By enabling platforms for self-expression and cooperation, intermediaries also play a critical role in establishing digital trust, protection of human rights such as freedom of speech and expression, privacy and upholding fundamental values such as freedom and democracy.

However, the economic and social benefits of online intermediaries are conditional to a framework for protection of intermediaries against legal liability for the communication and distribution of content which they enable.

Intermediary Liability

Over the last decade, right holders, service providers and Internet users have been locked in a debate on the potential liability of online intermediaries. The debate has raised global concerns on issues such as, the extent to which Internet intermediaries should be held responsible for content produced by third parties using their Internet infrastructure and how the resultant liability would affect online innovation and the free flow of knowledge in the information economy?

Given the impact of their services on communications, intermediaries find themselves as either directly liable for their actions, or indirectly (or “secondarily”) liable for the actions of their users. Requiring intermediaries to monitor the legality of the online content poses an insurmountable task. Even if monitoring the legality of content by intermediaries against all applicable legislations were possible, the costs of doing so would be prohibitively high. Therefore, placing liability on intermediaries can deter their willingness and ability to provide services, hindering the development of the internet itself.

Economics of intermediaries are dependent on scale and evaluating the legality of an individual post exceeds the profit from hosting the speech, and in the absence of judicial oversight can lead to a private censorship regime. Intermediaries that are liable for content or face legal exposure, have powerful incentives, to police content and limit user activity to protect themselves. The result is curtailing of legitimate expression especially where obligations related to and definition of illegal content is vague. Content policing mandates impose significant compliance costs limiting the innovation and competiveness of such platforms.

More importantly, placing liability on intermediaries has a chilling effect on freedom of expression online. Gate keeping obligations by service providers threaten democratic participation and expression of views online, limiting the potential of individuals and restricting freedoms. Imposing liability can also indirectly lead to the death of anonymity and pseudonymity, pervasive surveillance of users' activities, extensive collection of users' data and ultimately would undermine the digital trust between stakeholders.

Thus effectively, imposing liability for intermediaries creates a chilling effect on Internet activity and speech, create new barriers to innovation and stifles the Internet's potential to promote broader economic and social gains. To avoid these issues, legislators have defined 'safe harbours', limiting the liability of intermediaries under specific circumstances.

Online intermediaries do not have direct control of what information is or information are exchanged via their platform and might not be aware of illegal content per se. A key framework for online intermediaries, such limited liability regimes provide exceptions for third party intermediaries from liability rules to address this asymmetry of information that exists between content producers and intermediaries.

However, it is important to note, that significant differences exist concerning the subjects of these limitations, their scope of provisions and procedures and modes of operation. The 'notice and takedown' procedures are at the heart of the safe harbour model and can be subdivided into two approaches:

a. Vertical approach where liability regime applies to specific types of content exemplified in the US Digital Copyright Millennium Act

b. Horizontal approach based on the E-Commerce Directive (ECD) where different levels of immunity are granted depending on the type of activity at issue

Current framework

Globally, three broad but distinct models of liability for intermediaries have emerged within the Internet ecosystem:

1. Strict liability model under which intermediaries are liable for third party content used in countries such as China and Thailand

2. Safe harbour model granting intermediaries immunity, provided their compliance on certain requirements

3. Broad immunity model that grants intermediaries broad or conditional immunity from liability for third party content and exempts them from any general requirement to monitor content.

While the models described above can provide useful guidance for the drafting or the improvement of the current legislation, they are limited in their scope and application as they fail to account for the different roles and functions of intermediaries. Legislators and courts are facing increasing difficulties, in interpreting these regulations and adapting them to a new economic and technical landscape that involves unprecedented levels user generated content and new kinds of and online intermediaries.

The nature and role of intermediaries change considerably across jurisdictions, and in relation to the social, economic and technical contexts. In addition to the dynamic nature of intermediaries the different categories of Internet intermediaries‘ are frequently not clear-cut, with actors often playing more than one intermediation role. Several of these intermediaries offer a variety of products and services and may have number of roles, and conversely, several of these intermediaries perform the same function. For example , blogs, video services and social media platforms are considered to be 'hosts'. Search engine providers have been treated as 'hosts' and 'technical providers'.

This limitations of existing models in recognising that different types of intermediaries perform different functions or roles and therefore should have different liability, poses an interesting area for research and global deliberation. Establishing classification of intermediaries, will also help analyse existing patterns of influence in relation to content for example when the removal of content by upstream intermediaries results in undue over-blocking.

Distinguishing intermediaries on the basis of their roles and functions in the Internet ecosystem is critical to ensuring a balanced system of liability and addressing concerns for freedom of expression. Rather than the highly abstracted view of intermediaries as providing a single unified service of connecting third parties, the definition of intermediaries must expand to include the specific role and function they have in relation to users' rights. A successful intermediary liability regime must balance the needs of producers, consumers, affected parties and law enforcement, address the risk of abuses for political or commercial purposes, safeguard human rights and contribute to the evolution of uniform principles and safeguards.

Towards an evidence based intermediary liability policy framework

This workshop aims to bring together leading representatives from a broad spectrum of stakeholder groups to discuss liability related issues and ways to enhance Internet users’ trust.

Questions to address at the panel include:

1. What are the varying definitions of intermediaries across jurisdictions?

2. What are the specific roles and functions that allow for classification of intermediaries?

3. How can we ensure the legal framework keeps pace with technological advances and the changing roles of intermediaries?

4. What are the gaps in existing models in balancing innovation, economic growth and human rights?

5. What could be the respective role of law and industry self-regulation in enhancing trust?

6. How can we enhance multi-stakeholder cooperation in this space?

Confirmed Panel:

Technical Community: Malcolm Hutty: Internet Service Providers Association (ISPA)
Civil Society: Gabrielle Guillemin: Article19
Academic: Nicolo Zingales: Assistant Professor of Law at Tilburg University
Intergovernmental: Rebecca Mackinnon: Consent of the Networked, UNESCO project
Civil Society: Anriette Esterhuysen: Association for Progressive Communication (APC)
Civil Society: Francisco Vera: Advocacy Director: Derechos Digitale
Private Sector: Titi Akinsanmi: Policy and Government Relations Manager, Google Sub-Saharan Africa
Legal: Martin Husovec: MaxPlanck Institute

Moderator(s): Giancarlo Frosio, Centre for Internet and Society (CIS) and Jeremy Malcolm, Electronic Frontier Foundation

Remote Moderator: Anubha Sinha, New Delhi

For more details visit https://cis-india.org/internet-governance/blog/igf-workshop-an-evidence-based-intermediary-liability-policy-framework

Privacy and Surveillance Roundtable

praskrishna — 2014-06-29T14:50:20Z

The Centre for Internet and Society and the Cellular Operators Association of India invite you to a roundtable at the India International Centre, New Delhi on July 4, 2014.

Background and Context to the Roundtables

In India, lawful interception of communications may be conducted by the state in three ways: firstly, intercepting telephone calls and other telecommunications may take place under powers listed in the Telegraph Act, 1885 and procedure set out in the Telegraph Rules, 1951; secondly, intercepting written communications transmitted through the postal service or by private couriers may occur under the Post Office Act, 1898; and, thirdly, intercepting, de-crypting, and monitoring email messages and other electronic communications may take place under the Information Technology Act, 1950 and two sets of Rules issued in 2008.

The government’s intention to create a Central Monitoring System to automate the existing process of telephone tapping is significant for a number of reasons. It will bypass private telephone service providers; currently the active cooperation of TSPs is required and compelled in order to intercept and monitor a telephone conversation. This creates an extra layer of compliance activity for TSPs which is cumbersome and expensive. Interception orders from the state often do not comply with the procedure required by law. This uncertainty is compounded by the lack of an indemnity for TSPs.

However, while the CMS will release TSPs from legal liability, it will leave the government free to conduct telephone interceptions in absolute secrecy and without a credible system of oversight and checks and balances. Amongst the world’s major democratic countries, India is alone in refusing to overhaul its telephone tapping regime. The legal requirements of probable cause, judicial sanction, and warrant-based interception – which are followed with exceptions in democracies around the world – are not adequately protected in India. The same principles also apply to the interception of postal and electronic communications.

There are several intelligence and police agencies in India that conduct interceptions of communications without central coordination. Previous cases in the Supreme Court of India and a few Indian High Courts reveal many cases of improper and even illegal surveillance. The sheer number of interested state agencies, the concerns of inadequate oversight, the lack of a credible legal regime, the constant leaks of private communications, and the poor legal protection given to TSPs and ISPs must be legally addressed.

Information about the Roundtables

The Privacy and Surveillance Roundtables are a CIS initiative, in partnership with the Cellular Operators Association of India (COAI). From June 2014 – November 2014, CIS and COAI will host seven Privacy and Surveillance Roundtable discussions across multiple cities in India. The Roundtables will be closed-door deliberations involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India. The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The Report of the Group of Experts on Privacy

In January 2012 Justice A.P. Shah formed a committee to create a report of recommendations for privacy legislation in India. The committee met seven times from January 2012 to September 2012. The Report is made up of six chapters and begins by reviewing the international best practices around privacy and the relevant Indian jurisprudence. The Report then recommends nine National Privacy Principles to be adopted by each sector in India. The Nine National Privacy Principles reflect international standards, as well as taking into consideration the Indian context. Along with the National Privacy Principles, the Report lays out a regulatory framework for privacy including privacy commissioners at the regional and national level, self regulating organizations at the industry level, and a system of complaints. Finally the report demonstrates how the National Privacy Principles could be used to harmonize existing legislation and practices.

The Draft CIS Citizens Privacy (Protection) Bill 2013

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness, completing in depth research, and driving a privacy legislation in India. As part of this work, the Centre for Internet and Society has drafted the Privacy (Protection) Bill 2013. The Citizens Privacy Protection Bill contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the privacy commissioner, and lays out offenses and penalties for contravention of the Act. The Bill represents a citizens’ version of a privacy legislation, and will be shared with civil society, industry, and government. It is hoped that the review and revision of the Bill will be a participatory process, and thus comments and feedback to it’s’ provisions will be included as annex’s to the Bill.

The International Principles on the Application of Human Rights to Communication Surveillance

These principles were defined in 2013 in response to rapidly changing technologies and surveillance practices. The principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology, spearheaded by the Electronic Frontier Foundation US and Privacy International UK. As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. These principles attempt to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.

Tentative Agenda

Time	Detail
10.00 11.00	Introduction
11.00 11.30	Tea
11.30 13.00	Discussion
13.00 14.00	Lunch
14.00 16.00	Discussion
16.00 16.15	Tea

Resources

For more details visit https://cis-india.org/internet-governance/events/privacy-and-surveillance-roundtable-new-delhi

PMA Policy and COAI Recommendations

dipankar — 2014-07-02T06:45:22Z

Introduction

The Ministry of Communications and Information Technology on the 10th of February, 2012 released a notification [1] in the Official Gazette outlining the Preferential Market Access [2] Policy for Domestically Manufactured Electronic Goods 2012. The Policy is applicable to procurement of telecom products by Government Ministries/Departments and to such electronics that had been deemed to having security concerns, thus making the policy applicable to private bodies in the latter half. The Notification reasoned that preferential access was to be given to domestically manufactured electronic goods predominantly for security reasons. Each Ministry or Department was to notify the products that had security implications, with reasons, after which the notified agencies would be required to procure the same from domestic manufacturers. This policy was also meant to be applicable to even procurement of electronic goods by Government Ministries/Agencies for Governmental purposes except Defence. Each Ministry would be required to notify its own percentage of such procurement, though it could not be less than 30%, and also had to specify the Value Addition that had to be made to a particular product to qualify it as a domestically manufactured product, with the policy again specifying the minimum standards. The policy was also meant for procurement of electronic hardware as a service from Managed Service Providers (MSPs).

The procurement was to be done as according to the policies of the each procuring agency. The tender was to be apportioned according to the procurement percentage notified and the preference part was to be allotted to the domestic manufacturer at the lowest bid price. If there were no bidders who were domestic manufacturers or if the tender was not severable, then it was to be awarded to the Foreign Manufacturer and the percentage adjusted as against other electronic procurement for that period.

Telecom equipment that qualifies as domestically manufactured telecom products for preferential market access include: encryption and UTM platforms, Core/Edge/Enterprise routers, Managed leased line network equipment, Ethernet Switches, IP based Soft Switches, Media gateways, Wireless/Wireline PABXs, CPE, 2G/3G Modems, Leased-line Modems, Set Top Boxes, SDH/Carrier Ethernet/Packet Optical Transport Eqiupments, DWDN systems, GPON equipments, Digital Cross connects, small size 2G/3G GSM based Base Station Systems, LTE based broadband wireless access systems, Wi-Fi based broadband wireless access systems, microwave radio systems, software defined radio cognitive radio systems, repeaters, IBS, and distributed antenna system, satellite based systems, copper access systems, network management systems, security and surveillance communication systems (video and sensors based), optical fiber cable.

The Policy also mentioned the creation of a self-certification system to declare domestic value addition to the vendor. The checks would be done by the laboratories accredited by the Department of Information Technology. The policy was to be in force for a period of 10 years and any dispute concerning the nature of product was to be referred to the Department of Information Technology.

International and Domestic Response to the Policy

There was a large scale opposition, usually from international sectors, towards the mooting of this policy. Besides business houses, even organizations like those of the United States Trades Representatives criticized the policy as being harmful to the global market and in violation of the World Trade Organization Guidelines.[3] Criticism also poured in from domestic bodies in terms of recommendations towards modification of the policy largely on three grounds: (i) the high domestic value addition requirement and the method of calculation of the same, (ii) the lack of a link between manufacturing and security and (iii) application of the policy to the private sector.

The Cellular Operations Association of India (COAI) in a letter dated March 15, 2012 to the Secretary of the Department Technology and Chairman of the Telecom Commission expressed its views on the telecom manufacturing in the country.[4]The COAI stated that such a development had to be done realistically and holistically so that the whole eco-system was developed as a comprehensive whole. In that regard it also forwarded a study that had been commissioned by COAI and conducted by M/s. Booz and Company titled “Telecom Manufacturing Policy – Developing an Actionable Roadmap”. The report was a comprehensive study of the telecom industry and outlined the challenges and opportunities that lay on its development trajectory. It also talked about Government involvement in the development process. The Report while citing the market share of Indian Telecom Industry which would be around 3% [5] of the Global Market highlighted the fact that no country could be self-sufficient in technology. It further talked about the development of local clusters in order to cut costs and encourage manufacturing, while ensuring that the PMA Policy was consistent with the WTO Guidelines. It further recommended opening up of foreign investments and making capital available to ensure growth of innovation. Finally it highlighted the lack of a connection between manufacturing and security and instead stressed upon proper certification, checks and development of a comprehensive CIIP framework across all sensitive networks for security purposes.

In a further letter to the Joint Secretary of the Department of Information and Technology dated April 25, 2012 the COAI expressed some reservations concerning the draft guidelines that had been published along with the notification.[6] While stressing upon the fact that a higher value addition would be impossible with the lack of basic manufacturing capabilities for the development of technological units, it also highlighted the need to redefine Bill of Materials which had been left ambiguous and subject to exploitation. It further highlighted the fact that allowing every Ministry to make its own specifications would lead to inconsistent definitions and an administrative challenge and hence such matters should be handled by a Central Body. Furthermore it opined that the calculation of BOMs and the Value Additions should be done using the concept of substantial transformation as has been given in the Booz Study. Furthermore, while discouraging the use of disincentives, it stated that one individual Ministry should be in charge of specifying such incentives to avoid confusion and for the sake of ease of business.

In another letter to a Member of the Department of Telecommunications dated July 12, 2012 the COAI stressed upon the futility of having high value additions as the same was impossible under the present scenario.[7] There was a lack of manufacturing sector which had to be comprehensively developed backed by fiscal incentives and comprehensive policies. In spite of that, it stressed that no country could become self-reliant and that such policies, like the PMA, were reminiscent of the “license and permit raj” era. It further said that such policies should be consistent with WTO Guidelines and should not give undue preference to domestic manufacturers to the detriment of other manufacturers. Countering the security aspect, it said that the same had been addressed by the DoT License Amendment of May 31, 2011 whereby all equipments on the network would have to comply with the “Safe to Connect” standard, and stressed upon the lack of any link between manufacturing and security. Furthermore for calculation of Value Addition it suggested an alternative to the method proposed by the Government as the same would lead to disclosures of sensitive commercial information which were contained in the BOMs. The COAI said that the three stages as laid out in the Substantial Transformation (as mentioned in the Booz Study) should be used for calculating the VA. It made several proposals to develop the telecom manufacturing industry in India including provision of fiscal incentives, development of telecom clusters and comprehensive policies which led to harmonization with laws and creation of SEZs among other such benefits.

In October 2012 the Government released a draft notification notifying products due to security consideration in furtherance of the PMA Policy.[8] The document outlined the minimum PMA and VA specification for a range of products. It also stated several security reasons for pursuing such a policy and stated that India had to be completely self-reliant for its active telecom products. It also contained data on the predicted growth of the telecom market in India. The COAI thereafter released a document commenting upon the draft notification of the Government.[9]

Besides highlighting the fact that the COAI still had not received a response to its former comments, it again stressed upon the lack of a link between security and manufacturing. It reiterated its point on the impossibility of a complete self-reliance on any nation’s part, and stressed upon the need of involving other stakeholders in the promulgation of such policies. It also made changes to the notified list of equipments, reclassifying it according to technology and only listing equipments which had volumes. Furthermore it also suggested changes towards the calculation of value addition to include materials sourced from local suppliers, in-house assemblage to be considered local material and the calculation to be done for complete order and not for each item in the order. It further recommended a study be conducted and the industry be involved while predicting demands as such were dated and needed revision. The Government thereafter released a revised notification[10] on October 5, 2012 but it did not contain much of the commented changes that the COAI had proposed.

Thereafter in April 2013, the DeitY released draft guidelines[11] for providing preference to domestically manufactured electronic products in Government Procurement in further of the second part of the PMA Policy. The guidelines besides containing definitions to several terms such as BOM also prescribed a minimum of 20% domestic procurement while leaving the specifications onto individual Ministries. It recommended the establishment of a technical committee by the concerned Ministry or Department that would recommend value addition to products. It followed a BOM based calculation of Value Addition while leaving the matter of certification to be dealt by DeitY certified laboratories that are notified for such purposes by the concerned Ministry/Department. DeitY was the nodal ministry for monitoring the implementation of the policy while particular monitoring was left to each Ministry or Department concerned. Among the annexures were indicative lists of generic and telecom products and a format for Self Certification regarding Domestic Value Addition in an Electronic Product.

The COAI thereafter released a revised draft containing its own comments on April 15, 2013.[12] The COAI pointed out faults in the definition of BOM. It highlighted the difficulty in splitting R&D according to countries, and also stressed upon the impractical usage of BOM in calculation of value addition as the same was confidential business information. As it had already suggested earlier, it reiterated the usage of the Substantial Transformation process for the calculation of Value Addition. While removing the lists of equipments mentioned, it further pointed out that the disqualification in the format for self-certification would be a very harsh disincentive and would result in driving away manufacturers. It suggested that there should be incentives for compliance instead.

The COAI along with the Association of Unified Telecom Service Providers of India sent a letter dated January 24, 2013 to the Secretary, DoT containing their inputs on Draft List of Security Sensitive Telecom Products for Preferential Market Access (PMA).[13] It again stressed upon the fact that security and manufacturing were not related and that the security aspect had been dealt by the “Safe to Connect” requirement mandated by the DoT License Amendment. It talked of the impossibility of arriving at VA figures until the same is defined to internationally accepted norms. Further it opined that if the Government had security concerns it should consider VA at a network level in the configurations as would be deployed in the network or its segments rather at element or subsystem levels as the latter would leave too many calculations open and the procurement entities will find it very difficult to ensure if they meet the PMA requirement or not. It further stressed upon the need to comply with WTO Guidelines while stressing upon the need to pay heed to certification standards than pursue the unavailable link between manufacturing and security through a PMA Policy. Finally it suggested a grouping of telecom products for the policy based on technology rather than individual products.

Pursuant to a Round Table Conference Organized by the Department of Information and Technology, AUSPI and COAI sent another letter dated April 15, 2013 to the Secretary, Department of Information and Technology.[14] It reiterated several points that both the AUSPI and COAI had been suggesting to the Government on the Telecom Manufacturing Policy. It cited the examples of other manufacturing nations to reiterate the fact that no country could be completely self-reliant in manufacturing electronics and such positions would only lead to creation of an environment that would not be conducive to global business. It further stressed upon the need to change the manner of calculation of VA while highlighting the fact that every Department should notify its list of products having security implications and the list of telecom equipment should be deleted from the draft guidelines being issued by DeitY to ensure better implementation.

A major change came in on July 8, 2013 when the Prime Minister’s Office made a press release withdrawing the PMA policy for review and withholding all the notifications that had been issued in that regard.[15] It said that he revised proposal will incorporate a detailed provision for project / product / sector specific security standards, alternative modes of security certification, and a roadmap for buildup of domestic testing capacity. It further noted that the revised proposal on PMA in the private sector for security related products will not have domestic manufacturing requirements, percentage based or otherwise and that the revised proposal will incorporate a mechanism for a centralised clearing house mechanism for all notifications under the PMA Policy.

The COAI thereafter on November 7, 2013 sent a letter to the DoT containing feedback on the list of items slated for Government procurement.[16] It noted that there were 23 products on which PMA was applicable. It pointed out that there were no local manufacturers for many of the products notified. It also asked the Government to take steps to ensure that fiscal incentives were given to encourage manufacturing sector which was beset by several costs such as landing costs which acted as impediments to its development. It stressed upon the tiered development of the industry needed to ensure that a holistic and comprehensive growth is attained which would result in manufacturing of local products. It requested that the Government "focus on right enablers (incentives, ecosystem, infrastructure, taxation) as the outcome materializes once all of these converge."

The COAI sent a further letter dated November 13, 2013 to the DoT concerning the investment required in the telecom manufacturing industry.[17] It noted the projected required investment of 152bn USD in the telecom sector and that the Government had projected that 92% of the investment would have to come from the Private Sector. COAI, while stressing upon the need of the Government and the Private Industry to work in tandem with each other, suggested that the Government devise methods to attract investments in the telecom sectors from international telecom players and that the Telecom Equipment Manufacturing Council meet to review and revise methods for attracting such investments.

Pursuant to the PMO directive, DeitY released a revised PMA Policy on the 23rd of December, 2014.[18] While there have been a few major changes, not all of recommendations by various bodies have been adhered to.[19] The major changes in the revised policy included the exemption of the private sector from the policy and the removal of PMA Policy to equipments notified for security reasons. The manner of calculation of the domestic value addition has not been changed though there has been a reduction in the percentage of value addition needed to qualify a product as domestic product. Another addition has been of a two-tiered implementation mechanism for the Policy. Tier-I includes a National Planning and Monitoring Council for Electronic Products which would design a 10-year roadmap for the implementation of the policy including notification of the products and subsequent procurement. Under Tier-II, the Ministries and Departments will be issuing notifications specifying products and the technical qualifications of the same, after approval by the Council. The former notifications under the 2012 Policy, including the notification of 23 telecom products by Department of Telecom,[20] are still valid until revised further.[21]

[1]. No. 8(78)/2010-IPHW. Available at http://www.dot.gov.in/sites/default/files/5-10-12.PDF (accessed 03 June, 2014).

[2]. Preferential Market Access

[3]. See The PMA Debate, DataQuest at http://www.dqindia.com/dataquest/feature/191001/the-pma-debate/page/1 (accessed June 2014).

[4]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/letter-to-dit-on-pma-notification.pdf (accessed June, 2014).

[5]. Around $17bn.

[6]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/letter-to-dit-on-pma-notification.pdf (accessed June, 2014).

[7]. The letter is available at http://www.coai.com/Uploads/MediaTypes/Documents/coai-to-dot-on-enhancing-domestic-manufacturing-of-telecom-equipment-bas.pdf (accessed June, 2014).

[8]. The notification no. 18-07/2010-IP can be found at http://www.coai.com/Uploads/MediaTypes/Documents/DoT-draft-notification-on-Policy-for-preference-to-domestically-manufactured-telecom-products-in-procurement-October-2012.pdf (accessed June, 2014).

[9]. The commented COAI draft can be found at http://www.coai.com/Uploads/MediaTypes/Documents/Annexure-1-Comments-on-draft-notification-by-DoT.pdf (accessed June, 2014).

[10]. Available at http://www.coai.com/Uploads/MediaTypes/Documents/dots-notification-on-telecom-equipment-oct-5,-2012.pdf (accessed June, 2014).

[11]. The draft guidelines can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pma_draft-govt-procurement-guidelines-april-2013.pdf (accessed June, 2014).

[12]. The COAI commented draft can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pma-draft-security-guidelines-15-april-2013.pdf (accessed June, 2014).

[13]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/jac-007-to-dot-on-Januarys-list-of-telecom-products-final.pdf (accessed June, 2014).

[14]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/jac-to-moc-on-pma.pdf (accessed June, 2014).

[15]. The press release can be found at http://www.coai.com/Uploads/MediaTypes/Documents/pmo-on-pma.pdfhttp://www.coai.com/Uploads/MediaTypes/Documents/pmo-on-pma.pdf (accessed June, 2014).

[16]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/COAI-letter-to-DoT-on-Feedback-on-List-of-Items-for-Govt-Procurement.pdf (accessed June, 2014).

[17]. The letter can be found at http://www.coai.com/Uploads/MediaTypes/Documents/COAI-letter-to-DoT-on-Investments-Required-(TEMC)-Nov%2013-2013.pdf (accessed June, 2014).

[18]. The Notification No. 33(3)/2013-IPHW can be found at http://deity.gov.in/sites/upload_files/dit/files/Notification_Preference_DMEPs_Govt_%20Proc_23_12_2013.pdf (accessed June, 2014).

[19]. For more information, see http://electronicsb2b.com/policy-corner/revised-preferential-market-access-policy/# (accessed June, 2014).

[20]. The notification has been mentioned and discussed above.

[21]. A list of notifications dealing with electronic products except telecom products can be found on the website of DeitY at http://deity.gov.in/esdm/pma (accessed June, 2014).

For more details visit https://cis-india.org/internet-governance/blog/pma-policy-and-coai-recommendations