Centre for Internet and Society

CPRsouth 2016 – Young Scholars Programme

praskrishna — 2016-05-30T02:01:21Z

Rohini Lakshané, Amber Sinha and Vidushi Marda have been selected to attend the two-day Young Scholars' Programme to be held in Zanzibar, Tanzania in early September this year. The programme is a part of the CPRSouth conference.

Read the original announcement published by CPRSouth here.

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar, and will include sessions on cutting-edge developments on ICT policy and regulation in the South and discussion of the research-policy interface.

30 Young Scholars from Africa and the Asia-Pacific region will be selected to participate in a tutorial programme taught by recognised scholars and practitioners from Africa and Asia, and they will attend the main conference thereafter.

Tutorials are scheduled to be held on the 6^th and 7^th of September 2016, prior to the main CPRsouth conference.

Who will qualify?

Masters/PhD students in Economics, Public policy, Communications and Journalism
Officers of government/regulatory agencies undertaking ICT policy research, developing/gathering indicators (monitoring and evaluation)
Staff of private companies in the communication industries working in regulatory affairs
Officers in NGOs/INGOs working in policy and regulation
Researchers from think tanks, university research centres
Journalists covering communication public policy and regulation

Seminar

The seminar will cover a number of topics of the two days, such as:

policy analysis using supply-side or demand-side data;
ICT impact analysis;
convergence, net neutrality;
funding broadband network extension, open access networks, spectrum;
sector and competition regulation;
research to policy interventions;
Internet governance – privacy, surveillance, human rights online; and
introduction to big data, open data.

(2016 tutorial programme still to be confirmed)

Previous tutorial presentations can be accessed at http://www.cprsouth.org/

Application deadline: 22 April 2016

Application guidelines

Applications should be submitted via this link by 22 April 2016, and must contain the following:

one-page curriculum vitae; and
one-page write-up outlining why you wish to become an African or Asia-Pacific based expert capable of contributing to ICT related policy and regulatory reform in the region

Applicants’ write-ups and biographies should be in a single word document, and named: CPRsouth2016_YoungScholar_ApplicantLastName.

Kindly note: Late applications and applications that do not conform to the prescribed format above will automatically be disqualified.

Review Criteria

Applications will be reviewed according to the following criteria:

content of application;
evidence of interest in, and commitment to, policy-relevant research for Africa or the Asia-Pacific region;
quality of writing; and
gender and country representation

The selection committee may contact your supervisor or mentor before making the final selections.

Candidates selected to participate in the tutorial programme must:

provide a one-page research proposal upon acceptance onto the tutorial programme
participate in all tutorial sessions
participate in the entire CPRsouth 2016 conference

Funding

Selected young scholars who are passport holders of, and travelling from, low and middle income countries within the Asia Pacific and Africa (as classified by the World Bank http://data.worldbank.org/about/country-classifications/country-and-lending-groups#Low_income) will be provided with:

lowest-cost economy airfare to conference destination (less USD 150 registration fee);
ground transfers between the conference venue and airport; and
twin sharing accommodation on bed and breakfast basis, 5 lunches and 1 dinner for the duration of the conference and tutorials (6 – 10 September 2016). Not all meals are covered.

The registration fee for young scholars to attend the conference and tutorials is USD150, and airfares will be reimbursed less this registration fee. Participants will be required to cover:

transport to and from airports in their home countries;
visa fees (if any);
meals not provided; and
any other incidental costs

As the registration fee is so low and should be met personally even if there is no institutional support for attendance of the course and conference, please note that only under exceptional circumstances of extreme financial hardship may the organisers consider a waiver of the conference registration fee. Such waivers will be considered on a case-by-case basis and only where a scholar would otherwise be prevented from attending the YS programme and conference.

Visas

Letters of invitation will be provided for purposes of visa applications after participant selections have been made. Participants are responsible for securing their own visas to enter Tanzania, and are strongly advised to initiate visa approval procedures immediately on receipt of confirmation of their participation.

Kindly direct all enquiries to Ondine Bello: admin@researchictafrica.net orinfo@CPRsouth.org

For more details visit https://cis-india.org/internet-governance/news/cprsouth-2016-2013-young-scholars-programme

CPDP 2015

praskrishna — 2014-09-30T09:52:52Z

The eighth international conference on computers, privacy and data protection will be held in Brussels from January 21 to 23, 2015. The Centre for Internet and Society is a moral supporter of CPDP.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University and has grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond. As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world in Brussels offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. CPDP2014 welcomed 854 guests including 343 speakers from 43 different countries dispersed over more than 60 panels which took place during three full days. It attracted another 500 people in several public evening events including debates, a pecha kucha evening and an art exhibition. CPDP2015 aims to repeat the success of last year and will stage panels within the following main topical themes: Data Protection Reform: European and Global Developments, Mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, Health, privacy and data protection, Love and lust in the digital age, Internet governance and privacy.

In 2015 CPDP will take place from January 21 to 23, 2015 in the Halles de Schaerbeek, Brussels, Belgium. Registrations are already open: http://www.cpdpconferences.org/Registration.html. For more details see here.

For more details visit https://cis-india.org/internet-governance/news/cpdp-2015

CPC Gathering Agenda

Admin — 2019-01-20T02:42:40Z

For more details visit https://cis-india.org/internet-governance/files/cpc-gathering-agenda.pdf

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter Surveillance Panel: DiscoTech & Hackathon (Flyer)

praskrishna — 2014-02-24T21:29:51Z

For more details visit https://cis-india.org/internet-governance/blog/counter-surveillance.pdf

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit https://cis-india.org/news/co-spying-on-competitors-staff

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Consumer Privacy

praskrishna — 2012-09-13T09:21:26Z

This chapter will examine the present legal state of consumer privacy in India and seek to understand the gap between policy and implementation of policy. In doing so, it will look at what are the existing avenues for protection of consumer privacy in India, how is the definition of consumer privacy evolving through case law and public opinion, and what are the current challenges to consumer privacy in India. Traditionally speaking, and according to the Consumer Protection Act, 1986, in India, a consumer is a broad label for any person who buys goods or services with the intent of using them for non-commercial purposes. In the typical sense, when people think of themselves as being consumers, they think about transactions with a vendor through a physical exchange of money in a store or through an online exchange for a product or service. Certain services that consumers use put an extraordinary amount of sensitive personal information into the hands of vendors.

For more details visit https://cis-india.org/internet-governance/consumer-privacy.pdf

Constitutional Analysis of the Information Technology (Intermediaries' Guidelines) Rules, 2011

ujwala — 2012-10-31T08:44:41Z

Ujwala Uppaluri provides a constitutional analysis of the Information Technology (Intermediaries' Guidelines) Rules notified in April 2011, and examines its compatibility with Articles 14, 19, 21 of the Constitution of India.

Summary of Salient Provisions

The Information Technology (Intermediaries’ Guidelines) Rules, 2011 (‘the Intermediary Guidelines’) were notified in April, 2011 as rules enacted in exercise of powers conferred under section 87(2)(zg) read with Section 79 of the Information Technology Act, 2000 (as amended) (‘the IT Act’).

Rule 2 of the Intermediary Guidelines imports definitions for key terms from the IT Act. Notably, this includes an importation of Section 2 (w) by Rule 2 (i), which defines “intermediary” broadly in the following terms:

“ “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;”

Rule 3 whose margin note indicates that it is limited to due diligence measures to be adhered to by intermediaries nevertheless also raises other liabilities by creating a regime to censor content, pre-publication as well as once content has been made publically available online.

Sub-rule (2) of Rule 3 inventories the classes of content which are deemed actionable, with only clause (i), clause (c), clause (e) and, arguably clause (h), of that rule addressing the national interest, public order and security restrictions cognizable under Article 19(2) of the Constitution. The remainder of grounds includes private claims such as content which “belongs to another person”[1], or otherwise infringes proprietary rights[2], or is “defamatory”[3]. Still others are terminologically indeterminate and purely subjective, with the terms “grossly harmful”, “harassing” and “disparaging” being examples.

This sub-rule also includes a number of redundancies. While there is reference to libelous as well as defamatory content in clause (b), it is well established that Indian law does not admit of the former concept, instead dissolving the common law distinction between the two to treat them alike.[4] There is also clause (e), which prohibits content which is all ready illegal for violating the provisions of an existing statute and the residuary phrasing of the clause (b)’s reference to content which is “otherwise unlawful in any manner whatever”.

The sub-rules immediately following the list in Rule 3(2) address the consequences of users publishing content listed in that rule:

Sub-rule (3) of rule 3 provides that intermediaries will not knowingly deal in any manner whatsoever, whether by hosting, publication, transmission or otherwise, with any content of the types that are listed in the previous clause.

Sub-rule (4) of rule 3 creates a complaints mechanism in respect of content incompatible with Rule 3 (2) by requiring intermediaries to disable access to offending content within 36 hours of obtaining knowledge themselves or on being brought to “actual knowledge” by an “affected person”. The Intermediaries Guidelines do nothing to clarify what would amount to “actual knowledge”, to indicate in unambiguous terms, which parties would have sufficient locus to bring complaints in order to be deemed an “affected person” for the purposes of these provisions or to suggest that there is a procedure or timeline for action by the intermediary, such that requirements such notice to the author of the content and time for the preparation of a defence by the author and/or the intermediary are accounted for. Rule 3 (4) also requires that all information which is taken down be preserved, along with “associated records” for a duration of atleast ninety days for investigative purposes.

Sub-rule (5) of rule 3 mandates that intermediaries inform users that non-compliance with the Intermediary Guidelines, inter alia, is a ground for the exercise of their right to terminate access or usage rights and remove non-compliant content.

Finally, sub-rule (11) of rule 3 requires intermediaries to name Grievance Officers to receive complaints on any matters relating to the computer resources made available by the intermediary, including for non-compliance or harm in terms of Rule 3 (2). This officer is bound to respond to the complaint within one month from the date of receipt of the complaint.

In the result, the Intermediary Guidelines create a two-track system by which private censorship is legitimized online. In the first place, intermediaries can take down content on their own motion where they are of the opinion that the content falls under any of the grounds enumerated in Rule 3 (2) or, alternatively, do so in response to a complaint, in terms of Rule 3 (4).

In addition to the provisions relating to censorship, the Intermediary Guidelines also provide for information to be given over to government agencies making a request with lawful authority and in writing under sub-rule (7) of rule 3, for data protection measures in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 notified under Section 43A of the IT Act to be adhered to (sub-rule (8) of rule 3) and for intermediaries to report and share information realting to cyber security with CERT-In (sub-rule (9) of rule 3).

Areas of Infirmity

It is doubtful whether the Intermediary Guidelines could pass constitutional muster, on several grounds:

Compatibility with Article 19 (1) (a) and (2)

(a) Applicability of Article 19 (2) to Rule 3 (2) Grounds

In Romesh Thappar v. State of Madras[5] the Supreme Court held that the freedom of speech and expression under Article 19(1)(a) includes the freedom to propogate and disseminate ideas. It also held that very narrow and stringent limits govern the permissibility of legislative abridgment of the right of free speech. Ordinarily, any abridgement of free speech by means of censorship must be compatible with one or more of the grounds provided for under Article 19 (2), and the Supreme Court held in Express Newspapers (Private) Ltd. v. Union of India[6]that limitations on the exercise of the Article 19(1)(a) right which do not fall within Article 19(2) cannot be upheld.

Further, the right to free speech applies across all media, and the internet is no exception. In Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal[7], the Supreme Court reflected the understanding that where media are different, such that the treatment accorded to them must be different in accordance with that indicia of difference, it will treat them as such in order to uphold fundamental rights. More specifically, in Ajay Goswami v. Union of India[8], the Supreme Court opined (in obiter) that the internet, as a unique medium of expression, deserved a different standard of protection than other mediums that have preceded it.

Rule 3 (2) of the Intermediary Guidelines, which lists the grounds for censorship, is not complaint with Article 19 (2) for two reasons:

First, many of the grounds mentioned have no constitutional basis whatsoever. Rule 3 (2) prohibits, inter alia, content which “grossly harmful”, “harassing”, “invasive of another’s privacy”, “hateful”, “disparaging”, “grossly offensive” or “menacing”, in addition to content which is simply illegal, and should be actionable ex post rather than prohibited ex ante (content infringing intellectual property under Rule 3 (2) (d), for example). Most of the terms employed are not legal standards, but merely subjective indicators of personal sensitivities, while still others though legal do not figure in Article 19 (2). Since the whole scheme of the Intermediary Guidelines is premised on these extra-constitutional grounds, they are, as a whole, subject to being to being struck down.

Second, the restriction is unreasonable because instead of preserving rights online in accordance with Ajay Goswami, the Intermediary Guidelines unjustifiably abridge the right to speak and receive information on the internet. The Intermediary Guidelines overreach in their scope, by including as actionable content which is not itself punishable when communicated via any other medium. For example, disparaging speech, as long as it is not defamatory, is not criminalised in India, and cannot be because the Constitution does not allow for it. Similarly, content about gambling in print is not unlawful, but now all Internet intermediaries are required to remove any content that promotes gambling.

(b) Nature of Censorship: Directness of Censorship and Legitimacy of Private and Prior Censorship

In judging whether a statute is constitutional, the effect that the statute will have on the fundamental rights of citizens must be examined. The Supreme Court held in Bennett Coleman & Co. v. Union of India[9] that the test was to examine whether the effect of an impugned action was to abridge a fundamental right, notwithstanding its object.

Further, while it is true in light of the Supreme Court’s holdings in Prakash Jha Productions v. Union of India[10] that pre-censorship is permissible within the Indian constitutional scheme, this permissibility is qualified. Prior censorship may be undertaken only within closely regulated circumstances, such as under the grounds in the Cinematograph Act, 1952, and even then, only by an appropriately empowered governmental entity.

The Intermediary Guidelines create mechanisms for the abridgement of the freedom of speech which amount to indirect and unjustifiable prior censorship, contrary to Article 19 (2):

Firstly, while the state does not itself censor under these rules, it has empowered private, commercial entities to do so vide the Intermediary Guidelines. These rules thus transfer the executive power of censorship to private intermediaries. This amounts to an indirect form of censorship for the purposes of the Bennett Coleman test and has the result of increased censorship on the Internet because the state granted legislative sanction to such a system, although it does not censor by itself or through a state agency. The Intermediary Guidelines, and specifically Rule 3 (4) read with Rule 3 (2), place a burden on intermediaries to decide on the lawfulness of content as a pre-condition for their statutory exemption from liability. An intermediary, on receiving a complaint, to ensure that it continues to receive the protection offered by Section 79 of the IT Act, will be forced to disable access to the content posted by a user. Thus, the direct effect of the rules will be strict censoring of content posted on-line by users. The rules will have a direct effect on the fundamental right of freedom of speech and expression guaranteed under Article 19(1) of the Constitution unreasonable restrictions on fundamental rights, that are imposed by a statute or executive orders are liable to be struck down as unconstitutional.

Secondly, while prior censorship is permissible only in a strictly limited range of cases, the Intermediary Guidelines allow for an unrestrained and unlimited degree of prior and arguably invisible censorship. Rule 3 of the Intermediary Guidelines clearly envisages such a system of prior censorship. Whereas the consequences for passively displaying content incompatible with Rule 3(2) would be a complete waiver and dissolution of the Section 79 immunity that would ordinary accrue to neutral intermediaries, intermediaries or complainants have no obligation in respect of ensuring the tenability of complaints and the grounds cited in them. The Intermediary Guidelines do not draw a distinction between arbitrary actions of an intermediary and take-downs subsequent to a request. Further, the inclusion of a residuary clause in Rule 3 (2) (b) allowing pre-censorship of content which is “unlawful in any manner whatever”, also indicates that the Intermediary Guidelines allow the use of the exceptional instrument of not only allows private censorship, but that they actively encourage it as the default rule rather than the exception without any justification whatsoever.

(c) Vagueness and Overbreadth: Possibility for Over-Censorship

Vagueness in the terms of a restriction to free speech is grounds for it to be struck down, even where the ground is apparently broadly constitutional. The Supreme Court held in Sakal Papers (P) Ltd. v. Union of India[11] that the Constitution must be interpreted in order to enable citizens to enjoy their rights to fullest measure, subject to limited permissible restrictions. In Romesh Thapar[12] the Supreme Court also held that a legislation authorizing the imposition of restrictions on free speech in language wide enough to cover restrictions which are permissible as well as extra-constitutional will be held to be wholly unconstitutional.

The grounds listed in Rule 3 (2) of the Intermediary Guidelines are highly subjective, private interest grounds which are not defined either in the Intermediary Guidelines or in the IT Act itself. These include terms such as “grossly harmful”, “harassing”, “invasive of another’s privacy”, “hateful”, “disparaging”, “grossly offensive” or “menacing”. Consequently, the Intermediary Guidelines constitute unreasonable restrictions on freedom of speech, with Rule 3 (2) containing vague terms which, in addition to falling beyond the purview of Article 19(2), cover only private and subjective grounds, incapable of objective definition or application.

Further, the Intermediary Guidelines do no precisely define the term “affected person” employed in Rule 3 (4). Thus, complaints from any party, including those uninvolved or unaffected by content must all be complied with, without qualification.

In the result, the vagueness of the grounds in Rule 3 (2) and the diffuse terminology of “affected person” leaves Rule 3 (2) grounds serving as placeholders for whatever claim a complainant, having no locus whatsoever, chooses to bring, without regard for whether it is constitutional or even legal. Online content is thus treated as presumptively illegal and take down of content as the presumptive course of action. Additionally, there is a further consequence to the vagueness and overbreadth of the terms in Rule 3 (2): because of the indeterminacy in the grounds listed thereunder, intermediaries tasked with enforcing the law will tend to err on the side of caution and censor, rather than keep speech accessible online. There is empirical evidence to show that cautious intermediaries will over-censor and over comply with complaints in order to avoid liability under Section 79 of the IT Act.[13]

(d) Contravention of International Human Rights Norms & Horizontal Application

The censorship regime constructed by the Intermediary Guidelines is non-compliant not only with domestic requirements under the Constitution, but also with India’s obligations under international human rights law under Articles 19 of the Universal Declaration of Human Rights (‘UDHR’) and the International Covenant on Civil and Political Rights (‘ICCPR’), under the UN Human Rights Council’s Report of the Special Rapporteur Frank La Rue on the Promotion and Protection of the Right to Freedom of Opinion and Expression (2011)[14](‘Special Rapporteur’s Report’) and the UN Human Rights Council Resolution on Internet Freedom (2012)[15] (‘UN Internet Freedom Resolution’).

While the ICCPR as well as the UDHR guarantee a right to free speech “through any…media of…choice” in their respective Articles 19, the Special Rapporteur’s Report and the UN Internet Freedom Resolution recognize the need for special efforts to be undertaken by states to preserve free speech on the internet. The former document justifies censorship only in the most limited circumstances and makes specific mention of the commercial interests that may be implicated in delivering free speech.

Through the Intermediary Guidelines, the Indian state creates a system by which the right to free speech can be systematically violated by private and undisclosed entities and even empowers them to do so, without imposing any constitutional safeguards whatsoever. Thus, egregious violations of the right to free speech and expression are a direct and inevitable consequence of the Intermediary Guidelines. To the degree that the Indian Supreme Court has enagaged with free speech online, it appears from Ajay Goswami that it would apply standards consistent with international law obligations to rectify the Intermediary Guidelines to meet them.

Further, the Indian Supreme Court has held, where necessary for their true enjoyement, that fundamental rights may involve a degree of horizontality in their application. In other words, private action could be guided by fundamental rights, such as in Vishaka v. State of Rajasthan[16] which evidences the Supreme Court’s willingness to hold that private entities could be held to constitutional and international human rights law standards where that is necessary for the real rather than illusory enjoyment of fundamental rights.

As a result, the Intermediary Guidelines are also liable to be struck down for their failure to recognize and account for the role of private interests while empowering them with the right to curtail fundamental rights.

Compatibility with Article 21

(a) Adverse Impact on Privacy (and consequently on Free Speech)

A constitutional right to privacy has been read into Article 21’s guarantee of life and personal liberty in several instances by the Supreme Court. The State is consequently under an obligation to refrain from interfering, whether by itself or through any of its agencies, with private lives and spaces. By the same coin, laws which encourage unwarranted state or societal intrusions into private life will contravene the victim’s Article 21 right. In People’s Union for Civil Liberties v. Union of India,[17] the Supreme Court held that Article 21 privacy protected individuals against the interception and monitoring of private communications by the state in the absence of sufficient safeguards.

Also, an individual’s privacy interests in information relating to him are not dissolved merely because information is not confidential or because another entity has some property interest in that information. In District Registrar and Collector, Hyderabad v. Canara Bank[18], the Supreme Court recognized that even where the search of private documents was concerned, Article 21 protected “persons not places”, i.e., that the privacy interest did not vest in property or communications but, rather, in the rightsholder himself.

The Intermediary Guidelines include no limits whatsoever on the scope of disclosures that government agencies can demand or expect to retain, in contravention of Article 21.

Specifically, Rule 3 (4), which requires data retention for a statutory minimum of ninety days of content taken down as well as “associated records”, violates users’ rights to privacy. In addition to the financial and technical burden (in storing and securing data) imposed by the Intermediary Guidelines in requiring potentially unlimited data retention by intermediaries, there is no clarity as to what or how much information precisely must be held in the form of “associated records”. Instead of subjecting data to limited and closely qualified retention by private intermediaries, and thus limiting the impairment of the fundamental right to privacy to the minimum possible degree necessary, Rule 3 (4) imposes blanket data retention requirements.

Further, Rule 3 (7), which makes any information held by an intermediary subject to being disclosed to the government upon request is also inconsistent with the requirement that the right to life and personal liberty be violated only in accordance with fair, just and reasonable procedures. Notwithstanding that Rule 3 (7) is consistent with Section 67C of the IT Act and specific rules framed in regard to the surveillance of communications, it is also unconstitutional because it fails to include any safeguards whatsoever in the process of surveillance. These would include, as minimum obligatory conditions in light of PUCL, the requirement that the surveilled be informed of the surveillance and be allowed to challenge its propriety ex ante or its procedural regularity ex post, or atleast administrative or judicial review ex parte.

(b) Non-compliance with Due Process and Natural Justice Requirements

Article 21 explicitly includes a due process guarantee. This means that the right to life and personal liberty, and its constituent rights, can be interfered with only through constitutionally consistent procedures. A cornerstone of fair procedure, compliant with the rule of law, is the notion of natural justice. Consequently, Article 21 contemplates that the procedure by which fundamental rights are curtailed will satisfy natural justice principles.

In Maneka Gandhi v. Union of India,[19] the Supreme Court held that natural justice was not a rigid or mechanical term, but one that referred to those practices and principles that would ensure “fair play in action”. In addition the Court held that all deviations from natural justice requirements must be supported by a sufficiently justificatory “compelling state interest”. Specifically, in Union of India v. Tulsiram Patel[20], the Supreme Court held that the principle of natural justice required the satisfaction of the audi alteram partem rule, which consisted of several requirements, including the requirement that a person against whose detriment an action is taken be informed of the case against him and be afforded a full and fair opportunity to respond. Finally, in M.C. Mehta v. Union of India[21] the Supreme Court held that the absence of due notice and a reasonable opportunity to respond would vitiate any holding to the rightsholder’s detriment.

The Intermediary Guidelines fail to satisfy the requirement of natural justice, and particularly the rights to prior notice as well as that of the affected party to a hearing:

By requiring that content be taken down swiftly (within 36 hours of complaint, under Rule 3 (4)) and by failing to require the author of the content to be informed of the complaint and its contents, the Intermediary Guidelines violate the author’s right to notice and consequently affect his/her right to prepare and present a defence at all. In practice, authors of content which is the subject of a complaint may never know of the complaint or even of the fact of the take down, given the absence of any mechanism under the rules by which they could have been informed. In a scheme for silent, invisible censorship, authors are never afforded an opportunity to challenge the take down, just as they have no opportunity to rebut the initial complaint. In addition, at any event, it is the intermediary, a biased private entity whose immunity under Section 79 of the IT Act could be called into question based on the outcome, who must make the determination as to the legality of the content.

While there is nothing to prohibit intermediaries from informing authors on the receipt of a complaint, the limited time within which action must be taken means that such intermediaries would risk liability for non-compliance with the compliant and a waiver of their Section 79 immunity, where the content is not taken down, whether because communication does not occur within the 36 hour timeframe or because an author elects to resist takedown. By creating a system in which takedowns necessarily occur in response to complaints, irrespective of their legitimacy, the Intermediary Guidelines presume and rule in favour of the complainants and in favour of (private) censorship instead of presuming in favour of the preservation of the fundamental right to free speech, or even maintaining neutrality between the two ends.

Compatibility with Article 14

The guarantee of “equal protection of laws” requires equality of treatment of persons who are similarly situated, without discrimination inter se. It is a corollary that that persons differently situated cannot be treated alike. In E. P. Royappa v. State of Tamil Nadu[22] the Supreme Court held that arbitrary or unfair actions necessarily run counter to Article 14. The Supreme Court explained in M/S Sharma Transport v. Government of Andhra Pradesh[23] that arbitrary actions are actions which are unreasonable, non-rational done capriciously or without adequate determining principle, reason or in accordance with due judgment. In addition, Article 14 also requires that state action be reasonable. In Mahesh Chandra v. Regional Manager, U.P. Financial Corporation[24] it was held that discretion must be exercised objectively, and that what is not fair or just will be unreasonable, and subject to being struck down as unconstitutional.Additionally, Article 14 also requires that the basis upon which classifications are undertaken for the purposes of same or differential treatment be reasoned and fair. The Supreme Court held in Sube Singh v. State of Haryana[25] that the state’s failure to support a classification on the touchstone of reasonability, with the existence of intelligible differentia or the rational basis of achieving a stated object, will be ground for it to be held arbitrary and unreasonable. Finally, all state action having the potential to curtail Article 14 must be reasonable, justifiable, undertaken in exercise of constitutional powers and be informed and guided by public interest. The Supreme Court held to this effect in Kasturi Lal Lakshmi Reddy v. State of Jammu and Kashmir[26].

The Intermediary Guidelines contravene Article 14 on the following grounds:

First, intermediaries who are not similarly situated are treated alike. Rule 2 (i) imports the IT Act’s omnibus definition of the term “intermediary”, such that all classes of intermediaries, ranging from intermediaries which control the architecture of the internet and the hardware which enables it to run (such as ISPs and DNS providers) to intermediaries that enable content creation, sharing and communications online (such as email clients, content aggregators, social networking services and content hosts), are empowered to censor and are required to comply with complaints regarding content. Intermediaries, for the purposes of the IT Act and the Intermediary Guidelines, thus refer to a large and disparate group of providers of services enabling access to as well as use of the Internet. Reasoned state action must recognize that their liabilities must necessarily vary with the specific type of service that each provides. The Intermediary Guidelines fail to do so, and are consequently incompatible with Article 14.

Second, the Intermediary Guidelines treat the same or similar content across media differently, without apparent justification. More specifically, users of the internet are unfairly discriminated against. All of the Rule 3 (2) grounds which are not explicitly mentioned in Article 19 (2) in particular reflect this discriminatory, unreasoned treatment. To illustrate, the prohibition under Rule 3 (2) on the display of any content online when it relates to gambling treats speakers using the internet differently from speakers communicating this content via any other medium of communication. Given that nothing in the nature of the medium itself attaches a new or different character to the content, criminality or liability must attach to such content in a medium-neutral fashion. So, while content qualifying as seditious under law remains so across media, whether it be print, audio or video broadcast or online, the same as not the case for communications on the internet. In other words, while gambling itself may be prohibited under law, speech or expression involving it is nowhere prohibited under law. While such content is legal and protected across print and broadcasting media, the same content is liable to take down online. This would amount to discriminatory treatment of equal content merely because speakers choose the internet, and the speech occurred online.

Third, the Intermediary Guidelines accord unrestrained discretion in the curtailment of fundamental rights to private functionaries, without any guidance whatsoever. This should have been the sole reserve of the state. In addition to the lack of guidance, the breadth of the grounds for censorship in Rule 3 (2), some of which are themselves incapable of precise and non-subjective application, means that private censorship can occur to an arguably unlimited degree. Expecting compliance with such terms, and attaching liability (for intermediaries) or a curtailment of fundamental rights (for generators of content), without the provision of a right to challenge or even, more fundamentally, be informed is both unreasonable and arbitrary.

Similarly, Rules 3 (4) and 3 (5) empower intermediaries to take down content without providing any realistic opportunity of hearing to its author. Intermediaries are accorded an adjudicatory role to the intermediary in deciding questions whether or not authors can access their fundamental right to free speech in the process. This role is ordinarily reserved for competent courts or administrative authorities, which are subject to constitutional checks and balances and a general obligation to preserve and promote fundamental rights. Assigning such functions to a self-interested private entity without any accountability whatsoever is both unreasonable as well as arbitrary.

Finally, the Intermediary Guidelines fail to account for the public interest because they directly restrict the public’s freedom of speech and expression, without any justifiable reason, and privilege the personal and not necessarily constitutional sensitivities of private complainants instead. Rule 3(3) in effect vests an extraordinary power of censorship in intermediaries, entities which operate on the basis of private interest and outside the limits of administrative or even the most basic human rights control. Safeguards must apply to power-bearers to the degree and in the manner required in relation to the nature of the power, rather than its holder, if fundamental rights are to be legislatively preserved. While the Supreme Court in A.K. Kraipak v. Union of India[27] extended the applicability of natural justice principles from judicial bodies alone and quasi-judicial bodies to administrative bodies as well, the applicability of such principles still remains limited to state entities. In other words, there is an acknowledged difficulty in applying public law standards to private, commercial entities.

The Intermediary Guidelines thus vest the right to abridge core fundamental rights (under Articles 14, 19 and 21) in private delegates operating outside public law controls that constrain the scope in which the power can be exercised and ensure that citizen interest can be preserved. In the alternative, they also failed to provide for other safeguards to prevent abuse to the detriment of fundamental rights private delegates of governmental power, even as they granted such powers in unlimited terms. As a result, the Intermediary Guidelines evidence thoughtless, arbitrary, unreasoned and unjust state action.

Vires vis á vis the Parent Act

While it is permissible within the constitutional scheme for legislative functions of the Parliament to be delegated to a degree, they may be struck down on several grounds. In general, per Indian Express Newspapers (Bombay) Pvt. Ltd. v. Union of India,[28] subordinate legislation can be challenged not only on any of grounds on which the parent legislation is vulnerable to challenge, but also on the grounds that it does not conform to parent statute, that it is contrary to other statutes or that it is unreasonable, in the sense that it is manifestly arbitrary. Notably, the Court also held here that subordinate legislation is liable to being struck down where it fails to conform to constitutional requirements, or, specifically that “it offends Article 14 or Article 19 (1) (a) of the Constitution”.

It is a well-accepted proposition that delegated legislation which travels outside the scope of its enabling law will not stand as valid. It was held in Agricultural Market Committee v. Shalimar Chemical Works Ltd [29] that a delegate cannot alter the scope of the act under which it has been it has been empowered to make rules, or even of a provision or principle included there under. In State of Karnataka v. Ganesh Kamath[30] the Supreme Court held that “it is a well settled principle of interpretation of statutes that the conferment of rule-making power by an Act does not enable the rule-making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent there with or repugnant thereto”. Similarly, in KSEB v. Indian Aluminium Company[31], it held that“subordinate legislation cannot be said to be valid unless it is within the scope of the rule making power provided in the statute”.

The Intermediary Guidelines were enacted under Sections 79(2) and 87(2)(zg) of the Information Technology Act, 2000 (as amended). While the latter provision explicitly grants the Central Government rule-making powers by which it can lay out guidelines to be followed by intermediaries in order to comply with Section 79(2), it appears that the rules in their current form appear to have been drafted based on a misunderstanding of Section 79.

Section 79(2) itself merely clarifies the circumstances in which intermediaries can claim that intermediaries are not liable for content where they do not initiate the transmission of potentially actionable content or select its recipient, modify its contents and observe all necessary “due diligence” requirements under the IT Act and rules.

The extent to which the Intermediary Guidelines alter the intent and scope of section 79 (or other provisions of the IT Act, in some cases) clearly leaves them ultra vires the parent statute. The specific instances of deviation by the Intermediary Guidelines from the IT Act are listed below:

First, Rule 3 (3) is ultra vires section 79 of the IT Act. Where this rule expressly prohibits the hosting, publication or initiation of transmission of content described in Rule 3 (2), section 79 does not intend any prohibition. All that it does is to waive the immunity otherwise accorded to intermediaries where the conditions specified are not satisfied. In other words, the section is optional, rather than mandatory and punitive: whether or not an intermediary can claim immunity will depend on whether it chooses to comply with section 79 (2).

Second, Rule 3 (4) requires intermediaries to take steps to disable access to within 36 hours of receiving a complaint in relation thereto. This is inconsistent with section 69B of the IT Act, which lays down in detail, the procedure to be followed to disable access to information. Since section 69B is statutory law, Rule 3 (4), being mere delegated legislation, will have to yield in its favour.

Third, Rule 3 (7) is ultra vires sections 69 and 69B, and falls outside the scope of section 79 (2). Rule 3 (7) provides that intermediaries must comply with requests for information or assistance when required to do so by appropriate authorities. This provision has no relation to the contents of section 79, which regulates intermediaries’ liability for content, and under which these rules were notified. In addition, rules have already been issued under the properly relevant sections, namely sections 69 and 69B, to provide a procedure to be followed by the government for the interception, monitoring, and decryption of information held by intermediaries. Rule 3 (7) is not consistent with the rules under sections 69 and 69B, as it removes all safeguards that those rules included. Under the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption) Rules 2009, for instance, permission must be obtained from the competent authority before an intermediary can be directed to provide access to its records and facilities while Rule 3 (7) makes intermediaries answerable to virtually any request from any government agency.

[1]. Rule 3 (2) (a).

[2]. Rule 3 (2) (d).

[3]. Rule 3 (2) (b)

[4]. Section 499, Indian Penal Code, 1860 (“Defamation” is defined to include both written and spoken words).

[5]. AIR 1950 SC 124.

[6]. AIR 1958 SC 578.

[7]. AIR 1995 SC 1236.

[8].(2007) 1 SCC 170.

[9]. AIR 1973 SC 106.

[10]. (2011) 8 SCC 372.

[11]. AIR 1962 SC 305, ¶31.

[12]. Supra, n.5.

[13]. Centre for Internet & Society, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet 2011 available at cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet/intermediary-liability-in-india.pdf.

[14]. UN Document no. A/HRC/17/27.

[15]. UN Document no. A/HRC/20/.13.

[16]. AIR 1997 SC 3011.

[17]. AIR 1997 SC 568.

[18]. (2005) 1 SCC 496.

[19]. 1978 SCR (2) 621.

[20]. AIR 1985 SC 1416.

[21]. AIR 1999 SC 2583.

[22]. AIR 1974 SC 555.

[23]. AIR 2002 SC 322.

[24]. AIR 1993 SC 935.

[25]. (2001) 7 SCC 545, 548, ¶10.

[26].1980 AIR 1992.

[27]. AIR 1970 SC 150.

[28]. AIR 1986 SC 515.

[29]. AIR 1997 SC 2502.

[30]. (1983) 2 SCC 40.

[31]. AIR 1976 SC 1031.

For more details visit https://cis-india.org/internet-governance/constitutional-analysis-of-intermediaries-guidelines-rules

Consilience 2013 Report

praskrishna — 2013-11-20T06:14:01Z

For more details visit https://cis-india.org/internet-governance/blog/consilience-2013.pdf

Consilience – 2013

praskrishna — 2013-11-20T06:15:15Z

The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013′, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.

Theme: Data Protection and Cyber Security in India. Click to read the report here.

Topics:
Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”

a. What is the scope of the principles/framework?

b. What could be the strengths and limitation of their application?

c. How does Report define privacy for India?

d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?

India and the EU: The Privacy Debate

a. How does the Indian data protection regime differ from the EU regime?

b. Was the EU is justified in not accepting India as a data secure country? Reason for or against.

c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?

d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?

Governmental Schemes, Data Protection, and Security

a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?

b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)

c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?

d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?

Contracts and Data Protection in India

a. How are contracts used to ensure data protection in India? What actors use contracts?

b. Are there weaknesses in using contracts to ensure data protection standards?

c. Do contracts address questions brought about from technology like the cloud?

Cyber security in India

a. What are the perceived challenges and threats to cyber security in India?

b. Are these currently being addressed through policy/projects? If yes, how so?

c. How does India’s cyber security regime compare to other countries?

Surveillance and Cyber Security

a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?

b. If so – through what policy, projects, legislation?

c. Do the relevant policies, projects, and legislation impact privacy? How so?

The Draft National Cyber Security Policy

a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?

b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?

c. How does the Draft National Cyber Security Policy compare to other countries cyber security policies?

Word Limit:

Abstract: 750-800 words

Paper: 2,500 words

Deadlines:

Abstract Submission: April 30, 2013

Paper Submission: May 15, 2013

Contact Details:

consilience2013[at]gmail[dot]com

Mohak Arora: +91-90359-21926

Shivam Singla: +91-99167-08701

Each participant is required to submit an abstract on any one of the seven topics above and can choose the specific issue within the selected topic to discuss.

For additional details, click here.

For more details visit https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore

Connecting the Next Two Billion: The Role of FOSS

praskrishna — 2014-09-10T05:04:58Z

Sunil Abraham was a speaker at this event organized by ICFOSS at the APrIGF in Noida on August 4, 2014.

Specific Issues of Discussions & Description

Connecting the next two billion users on the Internet poses unique challenges that must be addressed. The next two billion users will have very different profiles as compared to the first billion in terms of factors such as geography, demography, gender, disability, technology access, language access, and connectivity devices. In addition, with the coming of the Internet of Things, the users of the Internet may also include devices, sensors and sensor networks. Further, the context of the Internet itself may be changing, particularly in relation to efforts by various State and non-State actors to restrict freedom of access to the Internet and freedom of expression on it.Free & Open Source Software (FOSS) has now assumed greater significance in the light of revelations related to arbitrary surveillance conducted by states. This issue highlights the need to use audited technology and infrastructure to prevent the wanton violation of privacy of citizens. FOSS can be used to build shared community infrastructure that will protect users from privacy abuses. As most of the online applications run on top of free software, there is also a need for greater collaboration between the industry and free software community to ensure security and robustness of software to prevent incidents like the heartbleed bug vulnerabilities. As the next two billion comes online, FOSS assumes great significance for building a safe and secure Internet and robust communication platforms.The panel will discuss the following issues:• Relevance of FOSS as an access enabler and source of robust, cost-effective andfreedom-preserving software• The importance of FOSS in preventing arbitrary surveillance• Co-operation among businesses and free software community to develop secure.

Building community communication infrastructure using FOSS to restrict the dependence on centralised services.

Moderator and Speakers

Moderator: Ms. Mishi Choudhary, Executive Director, SFLC.IN, New Delhi
Dr. Rahul De, IIM Bangalore (Remote)
Dr. G. Nagarjuna, Free Software Foundation of India (Remote)
Mr. Prasanth Sugathan, Counsel, SFLC.in
Mr. Satish Babu, Director, ICFOSS
Mr. Sunil Abraham, Executive Director, Centre for Internet and Society, Bangalore
Mr. S. Ramakrishnan, Media Lab Asia/Govt. of India

Workshop Organizer

This workshop will be jointly organised by International Centre For Free and Open Source Software (ICFOSS), an autonomous institution under the Government of Keralamandated with the objectives of co-ordinating FOSS initiatives within Kerala, as well as linking up with FOSS initiatives in other parts of the world and SFLC.IN, a donor supported legal services organisation that works to protect freedom in the digital world.The details of the contact person for the workshop is given below:Name: Mr.Satish BabuDesignation: DirectorOrganisation: International Center for Free and Open Source Software (IC-FOSS).

For more details see the APrIGF website.

For more details visit https://cis-india.org/openness/news/apr-igf-delhi-2014-connecting-the-next-two-billion-the-role-of-foss

Connaught Summer Institute on Monitoring Internet Openness and Rights

praskrishna — 2013-07-26T09:17:45Z

Malavika Jayaram is a speaker at this event being held at the Munk School of Global Affairs, Bloor Street West.

Click to read the original posted on Citizen Lab website

Monday, July 22, 2013

Location: Munk School of Global Affairs (Observatory Site), 315 Bloor Street West (map)

14:00 - 17:00	Meet and Greet at the Citizen Lab Participants are free to drop by the Lab between 2:00-5:00 pm to see the space and meet with Citizen Lab researchers. Participants should go to the reception desk on the first floor and have the receptionist call the Lab.

Tuesday, July 23, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 09:15	Opening Remarks
09:15 - 10:45	Tutorial "Welcome to Oz: Beyond a Black and White Debate on Internet Regulation (and Control)" – Jon Penney (Berkman Centre/Oxford Internet Institute/Citizen Lab) and Ryan Budish (Berkman Centre/Herdict)
10:45 - 11:00	Break
11:00 - 12:00	Commercialization of Information Controls "Regulators, Politicians, and Deep Packet Inspection: Who's Driving What and Why" – Chris Parsons (University of Victoria) "Fingerprinting Internet Filtering Products" – Jakub Dalek (Citizen Lab) "Cash Rules Everything Around Me: The Commercialization of Online Spying" – Bill Marczak (UC Berkeley)
12:00 - 13:45	Lunch
13:45 - 14:45	Circumvention / Attacks 1 "Collateral Freedom" – David Robinson (Robinson + Yu) "Remedy: Relays Monitoring and Deployment" – KheOps (Telecomix) "Fake Domain Attacks on Civil Society Groups" – Michael Carbone (Access)
14:45 - 15:45	Characterization / Measurement 1 "Iran through the Eyes of Big Data" – Collin Anderson (Independent Researcher) "Measurement, Detection, and Comparison of Surveillance Data" – Praveen Selvasekaran (Simple Tech Life) "Filbaan: What is Filtered Today?"
15:45 - 16:00	Break
16:00 - 16:45	Identity Systems and Monitoring "Desperately Seeking the Names: Examining the Historical Progression of Real Name Policies on the Chinese Internet" – Lianrui Jia (Carleton University) "India's Civil Liberties Crisis: Digital Free Will in Free Fall" – Malavika Jayaram (Centre for Internet and Society, Bangalore)
17:00 - 18:30	Poster and Demo Session Light refreshments will be served "User-side Approach for Censorship Detection: Home-router and Client-based Platforms" – Giuseppe Aceto (University of Naples Federico II) "The Cyber Losers" – Aaron Brantly and Katrin Verclas (National Democratic Institute) "What is the Impact of Internet Censorship in China?" – Carlotta James (Psiphon Inc.) "Open Integrity Index" – Jun Matsushita "M-Lab: Exploring the Possibilities for Open, Global Censorship and Surveillance Detection" – Stephen Soltesz (Open Technology Institute) and Meredith Whittaker (Google Research) "Mapping Google: Global Business Infrastructure and Implications for Openness " – John Harris Stevenson (University of Toronto) "Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC" – Greg Wiseman (Citizen Lab) "The Growth and Spread of Cyberspace Controls" – Benjamin Zaiser (Free University of Berlin)

Wednesday, July 24, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Characterization / Methodology 2 "Refining the Tor Censorship Detector" – Sam Burnett (Georgia Tech) "From Internet Security to Internet Freedom: The case of the RPKI" – Sharon Goldberg (Boston University) "Running Software in Albuquerque to Measure Censorship Anywhere" – Jeffrey Knockel (University of New Mexico) "Social Media as Labratory: What We Can Learn about Chinese Politics from Sina Weibo Censorship and Online Discussion" – Jason Q. Ng (Citizen Lab)
10:20 - 11:00	Break
11:00 - 12:00	Circumvention 2 "VPNthnography: Hacking the Great Firewall for Fun and Profit" "Economics of Web Proxy Networks" – Bennett Haselton (Peace Fire/Citizen Lab) "Censors Working Overtime" – Karl Kathuria (Psiphon Inc.)
12:00 - 14:00	Lunch
14:00 - 15:30	Tutorial "Network Censorship Techniques, Detection, and Localization" – Nick Weaver (ICSI)
15:30 - 16:00	Break
16:00 - 17:30	Panel: Bridging Activism and Research (5 minute talks + discussion) Ali Bangi (ASL19 / Citizen Lab) Stefania Milan (Tillburg University) Deji Olukotun (PEN) John Scott-Railton (Citizen Lab / UCLA) 'Gbenga Sesan (Paradigm Initiative Nigeria)

Thursday, July 25, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Jurisdictions and Borders Online "Cyberconflict and the Legal-Territorial Paradox" – Cameran Ashraf (UCLA) "Beyond Borders: Legislative Challenges to the Management of Records in the Cloud" – Elaine Goh (University of British Columbia) "Civil Society 2.0: The Global Struggle to Govern the Democratic Impacts of ICTs" – Muzammil M. Hussain (University of Michigan) "The Anti-Counterfeiting Trade Agreement and the Networked Public Sphere: How to avoid a Convergent Crisis" – James Losey (Open Technology Institute)
10:20 - 10:40	Break
10:40 - 12:10	Tutorial "Ranking Companies on Digital Rights: Challenges and Synergies" – Rebecca MacKinnon (New America Foundation)
12:10 - 14:00	Lunch
14:00 - 15:30	Surveillance and Monitoring "Revisiting Webtapping: Learning From Five Years’ of U.S. Cyber and Intel Policy" – Chris Bronk (Rice University) "Who Watches the Watchmen?: Detecting Stealth and Unattributed Information Controls" – Herve Saint Louis (University of Toronto) "IX Maps" – Andrew Clement (University of Toronto) "Technologies of Control, ‘National Security’ and Systemic Abuse of Minorities in the East and Horn of Africa" – Clara Gutteridge (Equal Justice Forum)
15:30 - 15:45	Break
15:45 - 16:30	Closing Discussion on Interdisciplinary Research and Information Controls

Friday, July 26, 2013

Location: Rooms 108, 208 and Basement, North House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

10:00 - 14:00

Breakout Sessions

Light refreshments will be served

The half day will be dedicated to giving participants the opportunity to break into small groups to further discuss, share, and hack on topics raised during the workshop.

Sponsor

The workshop is sponsored by University of Toronto's Connaught Fund. Since it was founded in 1972, the fund has invested more than $1 million in projects that span across the disciplines.

For more details visit https://cis-india.org/news/citizenlab-summer-institute-on-monitoring-internet-openness-and-rights

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit https://cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop