Centre for Internet and Society

Fixing India’s anarchic IT Act

pranesh — 2012-11-30T06:33:58Z

Section 66A of the Information Technology (IT) Act criminalizes “causing annoyance or inconvenience” online, among other things. A conviction for such an offence can attract a prison sentence of as many as three years.

Pranesh Prakash's article was published in LiveMint on November 28, 2012.

How could the ministry of communications and information technology draft such a loosely-worded provision that’s clearly unconstitutional? How could the ministry of law allow such shoddy drafting with such disproportionate penalties to pass through? Were any senior governmental legal officers—such as the attorney general—consulted? If so, what advice did they tender, and did they consider this restriction “reasonable”? These are some of the questions that arise, and they raise issues both of substance and of process.

When the intermediary guidelines rules were passed last year, the government did not hold consultations in anything but name. Industry and non-governmental organizations (NGOs) sent in submissions warning against the rules, as can be seen from the submissions we retrieved under the Right to Information Act and posted on our website. However, almost none of our concerns, including the legality of the rules, were paid heed to.

Earlier this year, parliamentarians employed a little-used power to challenge the law passed by the government, leading communications minister Kapil Sibal to state that he would call a meeting with “all stakeholders”, and will revise the rules based on inputs. A meeting was called in August, where only select industry bodies and members of Parliament were present, and from which a promise emerged of larger public consultations. That promise hasn’t been fulfilled.

Substantively, there is much that is rotten in the IT Act and the various rules passed under it, and a few illustrations—a longer analysis of which is available on the Centre for Internet and Society (CIS) website—should suffice to indicate the extent of the malaise.

Some of the secondary legislation (rules) cannot be passed under the section of the IT Act they claim as their authority. The intermediary guidelines violate all semblance of due process by not even requiring that a person whose content is removed is told about it and given a chance to defend herself. (Any content that is complained about under those rules is required to be removed within 36 hours, with no penalties for wilful abuse of the process. We even tested this by sending frivolous complaints, which resulted in removal.)

The definition of “cyber terrorism” in section 66F(1)(B) of the IT Act includes wrongfully accessing restricted information that one believes can be used for defamation, and this is punishable by imprisonment for life. Phone-tapping requires the existence of a “public emergency” or threat to “public safety”, but thanks to the IT Act, online surveillance doesn’t. The telecom licence prohibits “bulk encryption” over 40 bits without key escrow, but these are violated by all, including the Reserve Bank of India, which requires that 128-bit encryption be used by banks. These are but a few of the myriad examples of careless drafting present in the IT Act, which lead directly to wrongful impingement of our civil and political liberties. While we agree with the minister for communications, that the mere fact of a law being misused cannot be reason for throwing it out, we believe that many provisions of the IT Act are prone to misuse because they are badly drafted, not to mention the fact that some of them display constitutional infirmities. That should be the reason they are amended, not merely misuse.

What can be done? First, the IT Act and its rules need to be fixed. Either a court-appointed amicus curiae (who would be a respected senior lawyer) or a committee with adequate representation from senior lawyers, Internet policy organizations, government and industry must be constituted to review and suggest revisions to the IT Act. The IT Act (in section 88) has a provision for such a multi-stakeholder advisory committee, but it was filled with mainly government officials and became defunct soon after it was created, more than a decade ago. This ought to be reconstituted. Importantly, businesses cannot claim to represent ordinary users, since except when it comes to regulation of things such as e-commerce and copyright, industry has little to lose when its users’ rights to privacy and freedom of expression are curbed.

Second, there must be informal processes and platforms created for continual discussions and constructive dialogue among civil society, industry and government (states and central) about Internet regulation (even apart from the IT Act). The current antagonism does not benefit anyone, and in this regard it is very heartening to see Sibal pushing for greater openness and consultation with stakeholders. As he noted on the sidelines of the Internet Governance Forum in Baku, different stakeholders must work together to craft better policies and laws for everything from cyber security to accountability of international corporations to Indian laws. In his plenary note at the forum, he stated: “Issues of public policy related to the Internet have to be dealt with by adopting a multi-stakeholder, democratic and transparent approach” which is “collaborative, consultative, inclusive and consensual”. I could not have put it better myself. Now is the time to convert those most excellent intentions into action by engaging in an open reform of our laws.

Pranesh Prakash is policy director at the Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/blog/livemint-opinion-november-28-2012-pranesh-prakash-fixing-indias-anarchic-it-act

Civil society & industry oppose India’s plans to modify ITRs

praskrishna — 2012-11-30T09:42:17Z

Industry fears ITU control over Internet; excessive content control and surveillance an issue for civil society.

Shalini Singh's article was published in the Hindu on November 23, 2012.

India’s proposal on International Telecommunications Regulations (ITRs), submitted last month to the International Telecommunications Union (ITU), the U.N. agency responsible for information and communication technologies, has drawn opposition from, and fears of content control among, civil society and the industry alike.

Sunil Abraham, Executive Director, Centre for Internet Society, told The Hindu: “The Indian government’s position on the ITRs can be improved, particularly with regard to the proposed definitions, approach to cyber security, scope of regulation.” However, he said, “we are confident that the Indian position will protect consumer and citizen interest once the government implements changes based on inputs from all… stakeholders.”

The National Association of Software and Services Companies (NASSCOM), which represents the $100-billion IT and BPO industry, has strong views against the Internet governance model of the Internet Corporation for Assigned Numbers and Names (ICANN), but favours self-regulation. Its president Som Mittal says: “NASSCOM does not favour oversight by an existing U.N. organisation like ITU. Internet and infrastructure have to be in the hands of expert organisations with proven experience.” NASSCOM has also expressed discomfort with the inclusion of “ICTs along with processing” in Section 21E of India’s proposal, since this would subject IT and BPO industries to inter-governmental regulation through the ITRs.

The Cellular Operators Association of India (COAI), which represents India’s largest mobile operators with nearly 700 million subscribers, has also opposed any role for ITU in the areas of international roaming and Internet governance, fearing a direct impact on domestic network architecture, costs and technology choices. COAI director-general Rajan Mathews said: “We are already regulated by the Department of Telecom (DoT) and the Telecom Regulatory Authority of India (TRAI). Placing the ITU’s jurisdiction over us — where we neither have voice nor recourse — is unacceptable.” The COAI’s position is consistent with the GSM Association (GSMA), the world’s largest association of mobile companies representing 800 operators spanning 220 countries. The COAI further alleges that most of its inputs “have been rejected without reasons assigned or even a meeting.” It has lodged a protest with the DoT.

The Internet Service Providers Association of India (ISPAI) has similarly protested against ITU’s jurisdiction over issues of Internet governance, architecture and cost.

Subho Ray, president, Internet & Mobile Association of India (IAMAI), said: “We represent a vast majority of Internet companies but have not been consulted by the DoT. We are completely opposed to ITU’s jurisdiction in any area related to Internet policy.”

The FICCI has also given detailed inputs on the dangers of allowing ITU’s jurisdiction, especially in areas of Internet policy and governance. It supports a bottom-up consultative and consensus-led multi-stakeholder approach, similar to the one propounded by Telecom Minister Kapil Sibal at the Internet Governance Forum, the world’s largest multi-stakeholder conference, held in Baku.

Several prominent civil society groups and members of academia involved in Internet governance also have apprehensions about expanding the ITU’s reach to Internet regulation through the ITRs. In a November 15, 2012 letter to Telecom Secretary R. Chandrashekhar, Society for Knowledge Commons, Internet Democracy Project, Free Software Movement of India, Delhi Science Forum, Media for Change and Software Freedom Law Center have complained about not having been consulted, while warning that India’s proposal “could have far reaching implications for the Internet.”

On the issue of cyber security, industry associations and several civil society groups are unanimously against any role for ITU, pointing out that including ill-defined terms such as ‘spam’ and ‘network fraud’ in a binding treaty is a terrible idea. Further, cyber security commitments can force India to cooperate with countries whose military and strategic interests are against it.

Kamlesh Bajaj, CEO, Data Security Council of India, and head of NASSCOM’s security initiatives, said: “Cyber security is sought to be taken over by ITU — an area in which it has little experience. Cyber security includes areas of application security, identity and access management, web security, content filtering, cyber forensics, data security, including issues such as cyber espionage and cyber warfare. The ITU has had no involvement in these matters over the last two decades, and should therefore stay out of them.”

Similar views have been expressed in varying degrees by the COAI, the IAMAI, the ISPAI and the FICCI. Dr. Ray of the IAMAI says: “cyber security is essentially a state prerogative and should not be part of an external treaty obligation. Any attempt to channel it through the ITU may be counter productive.”

Mr. Sibal, who has already been challenged by opposition to the domestic IT rules, is aware that if left unaddressed, opposition to India’s stance on ITRs will only escalate at a national and global level, and that if corrections have to be made in India’s position, those will have to be done consensually within the governance structure. Mr. Sibal confirmed that while cyber security was an area of discussion with the ITU, “the ITU does not have any role in Internet governance.”

According to him, either he or the Department will hold meetings on these issues with the industry to further evolve India’s position.

Mr. Chandrashekhar further confirmed that similar to several global national delegations, the government would include media and industry experts as part of its delegation to Dubai, the World Conference on International Telecommunications (WCIT-12) will be held from December 3 to 14. The final decisions on the ITRs and the composition of the delegation would be announced the coming week.

A deeply divided house in Dubai is a strong possibility, with countries which favour democracy and free speech taking a stance against those who, due to political compulsions, have proposed inter-governmental control through the ITRs by the ITU, not just on Internet policy, but also its traffic and content, most of which automatically fall under the definitions of the ICTs.

The 193-countries at THE WCIT may well spend 11 days discussing national proposals to separate issues that can be addressed nationally from those which require inter-governmental cooperation, while further debating which platforms may be best to address global cooperation.

It is equally clear that the existing Internet governance system is unacceptable to most countries, and therefore a more evolved democratic and internationally equitable system, which is managed through a multi-stakeholder process and yet with a definite role for countries like India, appears the only way forward.

Mr. Sibal, at meetings with global Internet governance bodies in Baku, is learnt to have bargained hard for India’s explicit role in the existing Internet governance processes.

For more details visit https://cis-india.org/news/the-hindu-nov-23-2012-shalini-singh-civil-society-and-industry-oppose-indias-plans-to-modify-itrs

India ranks second globally in accessing private details of users

praskrishna — 2012-11-19T04:49:23Z

According to the latest transparency report released by Google, India ranks second in the world for accessing private details of its citizens, only after the U.S. The Google report lists out requests it received from governments across the world to access details of users of its various services.

Kul Bhushan's blog post was published in thinkdigit on November 15, 2012. Pranesh Prakash is quoted.

Google's data reveals India had made 2,319 requests involving 3,467 users in the first six months. The U.S. made 7,969 requests, while Brazil, which ranks third, made 1,566 requests during the same period. Worldwide 20,938 requests were made during the January-June period. The report says the information shared included complete Gmail account, chat logs, Orkut profile and search terms among others.

The requests for accessing user data from India had grown two-fold from 1,061 in July-December 2009 to 2,207 in July-December 2011, the report points out.

According to the report, India has been consistently sending requests to remove content which it brands as defamatory and against national security. The court orders, however, to take down content has remained almost stagnant over the years; though requests from the executive and police have grown.

In the first six months this year, there were 20 court orders and 64 requests from executive/police that resulted in 596 items being taken down from the web. During the January-June 2010 period, there were only eight court orders and 22 executive/police requests, resulting in 125 items being taken down. Read about Google's previous transparency report here.

"Though India is a large country with a significant number of internet users, this data is nonetheless an indicator of growing surveillance," Times of India quotes Pranesh Prakash, policy director at Centre for Internet and Society ( CIS), a Bangalore-based organization looking at issues of public accountability, internet freedom and openness, as saying.

"India lacks a general privacy law that helps set guidelines for such user requests, despite privacy being a constitutional right as part of the right to life," added Prakash.

For more details visit https://cis-india.org/news/thinkdigit-internet-kul-bhushan-nov-15-2012-india-ranks-second-globally-in-accessing-private-details-of-users

Privacy in the Social Networked World

praskrishna — 2012-12-04T16:19:51Z

The Asian Privacy Scholars Network 2nd International Conference was hosted by the Centre for Business Information Ethics, Meiji University, Tokyo, Japan, on behalf of the Asian Privacy Scholars Network, November 19 - 20, 2012. Elonnai Hickok is speaking at the event.

Monday, November 19, 2012

09:00—09:30	Registration and Welcome
09:30—10:30	Keynote Speaker: Pirongrong Ramasoota (Chulalongkorn University, Thailand) The Future of Privacy in the World's Largest Democracy
10:30—11:00	Break
11:00—12:30	Whon-Il Park (Kyung Hee University, Korea) How to Protect, or Utilize, Personal Visual Information in Korea Sinta Dewi Rosadi (University Padjadjaran, Indonesia) Constitutional Privacy Protection: The Indonesian Experience Takato Natsui (Meiji University, Japan) Censorship, Burying and Mental Health in Business Office
12:30—14:00	Lunch
14:00—15:00	Lilian Edwards (Strathclyde University, UK) International Implications of the Proposed Revision of the EU Data Protection Directive Graham Greenleaf (UNSW, Australia and Meiji University, Japan) 100 Data Privacy Laws: Their Significance and Origins
15:00—15:30	Break
15:30—16:30	Kiyoshi Murata/Yohko Orito (Meiji University/Ehime University, Japan) Japanese Youngsters' Social Attitude towards Privacy Ryoko Asai/Iordanis Kavathatzopoulos (Meiji University, Japan/Uppsala University, Sweden) The Paradoxical Nature of Privacy
18:00—20:00	Conference Banquet (Salon San, 23rd Floor, Liberty Tower, Meiji University)

Tuesday, November 20, 2012

09:00—09:45	Keynote Speaker: Roger Clarke (Xamax Consultancy, UNSW and ANU, Australia) Consumer-Oriented Social Media as Market Opportunity
09:45—10:00	Video Presentation from David Lyon (Queens University, Canada)
10:00—10:30	Break
10:30—12:00	Daniel Trottier (Uppsala University, Sweden) Social Networking Sites and Crowd-sourced Surveillance Colin Bennett (University of Victoria, Canada) Social Networking and Privacy Jurisdiction Andrew Adams (Meiji University, Japan) Facebook Code: SNS Platform Affordances and Privacy
12:00—13:00	Lunch
13:00—14:30	Elonnai Hickok (Centre for Internet and Society, India) Transparency and Privacy in India Fumio Shimpo (Keio University, Japan) Current Developments in Japanese Data Protection Policy Panel: Chen, Greenleaf, Hickok, Shimpo
14:30—15:00	Break
15:00—17:00	Ian Brown (University of Oxford, UK) Data Protection and Social Networking Services Shirley Williams (University of Reading, UK) Do Computer Science Scholars Consider Issues of Privacy when Studying Large Twitter Data Sets? Final Panel: Adams, Bennett, Brown, Clarke, Williams

Organisers

Prof Andrew A. Adams, Meiji University, Tokyo, Japan
Prof Kiyoshi Murata, Meiji University, Tokyo, Japan
Prof Graham Greenleaf, UNSW, Sydney, Australia
(JSPS Visiting Fellow, Meiji University Sep-Dec 2012)

Read the original here

For more details visit https://cis-india.org/news/privacy-in-social-networked-world

Government Policy and Guidelines

snehashish — 2013-03-15T06:27:26Z

In this unit Snehashish dwells upon the four main policy guidelines that were formulated by the Government of India.

The above were the four main telecom policies formulated by the government.

One of the main functions of DoT is to issue guidelines with respect to issuing of licence, allocation of spectrum, interconnection, etc. These guidelines operate as additional conditions, laid down by DoT with respect to conduct and functioning of telecom operators. For example, the DoT issued guideline for radiation standards in respect of electromagnetic radiations (EMR) for mobile towers, which came into effect on September 1, 2012.

The DoT has issued numerous guidelines across the years. However, it is important to discuss the DoT guidelines with respect to issuance of telecom service licences.

Basic Telephone Services Licences (BTS)
Cellular Mobile Telephone Service Licence (CMTS)
Unified Access Service Licence (UASL)
National Long Distance (NLD) and
International Long Distance Licence (ILD)

Guidelines on issuing of Basic Telephone Services

DoT issued guideline for issuing of BTS licences in January, 2001. The key features of the guidelines are:

The applicant must be an Indian company. There was no restriction on the number of BTS licensees in a circle. The applicants were also required to have a minimum amount of paid up equity capital. This varied from circle to circle. There was a cap of 49 per cent foreign equity on companies applying for the BTS licence
BTS licences were issued for a period of 20 years on a non-exclusive basis
The licences had to pay an entry fee before the grant of the licence. Consequently, the basic telecom service operators had to pay an annual licence fee based on their annual gross revenue
The basic telecom service operators also had to submit two bank guarantee as an assurance to meet the contractual and roll out obligation under the BTS licence
The Guideline also laid down that the license holders can also provide limited mobility services, by using the spectrum allocated to them for last mile delivery. However, service operators provided limited mobility services had to pay additional 2 per cent fee.
The Guidelines declared that a CMTS licensee can also provide fixed services using GSM networks within their service area. *This was done to satisfy cellular operators who were protesting against permission given to the basic telephone operators to provide limited mobility services.
The basic operators could carry intra-circle long distance traffic. However, the operators had to provide the subscribers, the option to choose their own long distance carriers. For this purpose, BTS licensee could enter into an arrangement with the national long distance licensee.
Basic operators were required to make their own arrangements for the installation of infrastructure, network equipment and, right of way. They were also allowed to enter into agreements related to interconnection with other licensee in other service areas. The terms and conditions of such interconnectivity agreement were subject to TRAI regulations and directions.

Guidelines on issuing of Cellular Mobile Telephone Service Licences

The DoT issued Guidelines for CMTS licences along with guidelines for the issuing of the basic telecom licences. These two sets of guidelines are generally similar to each other but they vary in certain issues.

In the light of the criticism of the previous licensing policy, the DoT guidelines on issuing CMTS licence proposed “informed ascending bidding process”[1] for auctioning of CMTS licence.
The CMTS licence was issued for a period of 20 years on a non-exclusive basis, extendable by 10 years.
The licensee can transfer; assign the licence only with the permission of the DoT, the licensor.
The prospective cellular operator had to submit roll-out plans and financial arrangements with the application.
The licence period was set at 20 years, extendable by another 10 years.
The winning bidder had to pay an entry fee. They also had to pay an annual fee which is a percentage of the annual gross revenue.
The cellular operator also had to pay an additional sum for spectrum.
The cellular operator, were given freedom to use any kind of network equipment as long as they satisfied certain international and domestic standards.
The cellular operators were allowed to enter into any interconnection arrangements subject to TRAI regulations.
The guideline also laid down that cellular operators will fully co-operate with law enforcement and government agencies in providing access to their infrastructure.
The licensees have to make their own arrangement for installing infrastructure and equipment and for right of way.

Guidelines for issuing Unified Access Service Licences

The UASL Guidelines were issued in November, 2003. They were consistent with the TRAI recommendations. Option was given to the existing licensees to continue under their basic telecom and cellular mobile telecom licences or migrate to the new unified access service licence regime. The main highlights of the Guidelines on issuing of UASL were:

Cellular licensees can offer limited mobility service within their short distance coverage areas.
Basic telecom service operators had to pay an entry fee for the UASL which was equal to the entry fee paid by the fourth cellular operator for the specific service area or the entry fee paid by the basic telecom provider in that circle, whichever is higher.
No additional entry fee had to be paid by the cellular mobile service providers.
The basic telecom service operator, who choose not to completely migrate to full mobility regime may pay additional licence fee for providing services in wireless in local loop (WLL). However, such service will be restricted to the short distance charging areas.
There was no additional spectrum allotted to the licensee for migrating to the UASL regime.
The unified access service providers can use any technology without any restrictions.

Additional Entry fee to be paid by the existing Basic Service Operators for migration to Unified Access Service License[2]

S.No.	Name of the operator	Service Area of the basic service operator (BSO)	Date of signing of licence agreements	Entry fee paid by BSO (in crores)	Entry fee paid by 4^th cellular operator(in crores)	Additional entry fee to be paid for migration to UASL(in crores)
1.	Reliance Infocomm Ltd.	Rajasthan	20.7.2001	20	32.25	12.25
		UP(East)	20.7.2001	15	45.25	30.25
		Maharashtra	20.7.2001		189+203.66*
				115	392.66	277.66
		Karnataka	20.7.2001	35	206.83	171.83
		Punjab	20.7.2001	20	151.75	131.75
		Andhra Pradesh	20.7.2001	35	103.01	68.01
		Haryana	20.7.2001	10	21.46	11.46
		Kerala	20.7.2001	20	40.54	20.54
		Uttar Pradesh (West)	20.7.2001	15	30.55	15.55
		West Bengal	20.7.2001		0+78.01*
				25	78.01	53.01
		Madhya Pradesh	20.7.2001	20	17.4501	0
		Bihar	20.7.2001	10
		Himachal Pradesh	20.7.2001	2	1.1	0
		Orissa	20.7.2001	5
		Tamil Nadu	26.9.2001		79+154*
				50	233	183
		Delhi	20.7.2001	50	170.7	120.7
		Andaman & Nicobar **	20.7.2001	1		0
2.	RTL	Gujarat	18.3.1997	179.0859030	109.01	0
3.	Tata Teleservices Ltd.	Gujarat	31.8.2001	40	109.01	69.01
		Karnataka	31.8.2001	35	206.83	171.83
		Andhra Pradesh	4.11.1997	161.47(old)	103.01	0
		Tamil Nadu	31.8.2001		79+154*
				50	233	183
		Delhi	31.8.2001	50	170.7	120.7
4.	TTL (Mah.) Ltd.	Maharashtra	31.8.2001		189+203.66*	-
5.	Bharti Telenet Ltd.	Karnataka	29.10.2001	35	206.83	171.83
		Madhya Pradesh	28.2.1997	35.33 (old)	17.4501	0
		Tamil Nadu	29.10.2001	50	79+154*
					233	183
		Delhi	29.10.2001	50	170.7	120.7
6.	Shyam Telelink	Rajasthan	4.3.1998	29.29(old)	32.25	2.96
7.	HFCL Infotel Ltd.	Punjab	7.11.1997	177.59(old)	151.75	0

Guidelines on issuing of National Long Distance (NLD) Services Licence

The DoT issued guidelines for NLD operations along with the licences. The main aspects of the Guidelines are:

Unlimited entry for carrying inter-circle and intra-circle calls
Total foreign equity of the operator should not exceed 74 per cent.
Private operators had to enter into an agreement with fixed service providers with in a circle for traffic between long distance and short distance charging centres
A timeframe of seven years was set for rolling out services. This timeframe was divided into four phases. If in any of the phases the operator failed to achieve its network coverage target then it would result in encashment and forfeiture of the bank guarantee of that phase
Private operators had to pay an entry fee of 25 million and a financial bank guarantee of Rs. 200 million.
Under the revenue sharing agreement, the DoT would charge maximum 6 per cent revenue generated by the private operator.
Private operators were allowed to set up landing facilities for accessing submarine cables and make use of available excess bandwidth.

Guidelines on issuing of International Long Distance (ILD) Services licences

The DoT issued new guidelines for ILD licences in December, 2005. This was done to implement licence simplification measures and also to allow higher foreign investment. The key features of the Guidelines were:

The ILD service, under the Guidelines was defined as network carriage or bearer service which allows NLD licensees international connectivity to foreign networks
The ILD service provider was allowed to provide all kinds of bearer services from an integrated platform. However, a separate licence was required for satellite and global mobile personal communication services.
The terms for the license: (i) the applicant must be an Indian company; (ii) the company must have net-worth and paid up capital of 2.5 crores; (ii) the total foreign equity should not exceed 74 per cent
The ILD licence was issued for a period of 20 year on a non-exclusive basis, and it would be automatically renewed for another term of five year subject to satisfactory performance.
The entry fee for the ILD licence was Rs. 2.5 crores and an unconditional bank guarantee of the same amount has to be submitted, which could be forfeited subject to failure in fulfilling the roll out obligations. The licensee had to also submit an additional financial bank guarantee of Rs. 20 crores. The ILD operators also had to pay a 6 per cent of the annual adjusted gross revenue as annual licence fee. The Guideline also laid down that an additional fee will be charged for the universal service obligation and use of spectrum
The ILD operator has to submit to the DoT detailed plan of the rollout obligation and also commission at least one gateway switch in order to interconnect with NLD licensees. Such networks must be in conformity with the international and national standards.
For provide ILD services, the operator may obtain leased lines from other access providers.
The ILD operators can provide lower-than-toll quality service, provided that there is no degradation in the quality of services.
The gateway and landing stations may be established. However, this will be subject to security and monitoring requirements.
The ILD operator had to furnish detailed accounts periodically and furnish any such information requested by TRAI.
An ILD operator, must co-operate provide facilities to law enforcement and government agencies for monitoring and surveillance. However, the licensee must also ensure protection of privacy of communication.

[1]. The auction process consisted of three rounds of bidding. A minimum bid price was prescribed for each round. The highest bid in the first round was declared the minimum reserve price in the second round. Subsequently the highest bid in the second round was set as the reserve price in the third round. The lowest bidders in each round were rejected to participate in the next round of bidding.

[2]. Annexure 1, Guidelines for Unified Access (Basic and Cellular) Service Licence, November 11, 2003 available at www.dot.gov.in/uas/Guidelines-Unified_License111103.doc

For more details visit https://cis-india.org/telecom/resources/govt-policy-and-guidelines

India second in requesting user info: Google

praskrishna — 2012-11-15T09:40:10Z

India is at second place after the US in terms of the government requests for user data from Google

Karthik Subramanian's article was published in the Hindu on November 14, 2012. Pranesh Prakash is quoted.

The Indian government made the second largest demand for Web user information — next only to the United States government — to Google in the six-month period from January to June this year, according to the ‘Transparency Report’ published by the Web services major on Tuesday.

During the six-month period, the Indian government — both by way of court orders and by way of requests from police— requested Google to disclose user information 2,319 times over 3,467 users/accounts. Google fully or partially complied with the request to the tune of 64 per cent. Only the U.S. government requested more data during the period — 7,969 requests over 16,281 accounts, compliance rate: 90 per cent.

It is the sixth time Google has brought out the bi-annual report detailing its interactions with the world government agencies. It details two categories of interactions : requests to divulge user data; and requests to pull down content. India ranked seventh in the list of requests to pull down data; experts say that the possible reason could be the government not having such powers under the Constitution.

Pranesh Prakash, policy director with Bangalore-based Centre for Internet and Society, said that the Google report was a damning indictment of the country’s government exceeding its constitutional bounds by demanding removal of material for defamation, government criticism, etc., without a valid court order. "There are no laws in our country that allows the executive or the police to remove such material without a court order."

Substantial spike

In all, 33 countries figure in the report. There was a substantial spike when compared to previous reports with respect to the number of requests from various governments to pull down content.

"In the first half of 2012, there were 20,938 inquiries from government entities around the world. Those requests were for information about 36,614 accounts,” wrote Dorothy Chou, Google’s senior policy analyst, on the Official Google Blog while presenting the report. “The number of government requests to remove content from our services was largely flat from 2009 to 2011. But it’s spiked in this reporting period. In the first half of 2012, there were 1,791 requests from government officials around the world to remove 17,746 pieces of content."

Google is leading the cause for voluntary disclosure of the interactions it has with the governments. Other web services that put out similar transparency reports include micro-blogging site Twitter; cloud storage service Dropbox; and social networking site Linkedin.

Mr. Prakash said it was not enough if just the web services put out such reports. "The telecom service providers must voluntarily come out with such information," he added.

"There is a dearth of public information about the amount of legal interception and surveillance. This does not bode well in a democratic polity."

For more details visit https://cis-india.org/news/the-hindu-sci-tech-internet-karthik-subramanian-nov-14-2012-india-second-in-requesting-user-info-google

India second in keeping tabs on netizens

praskrishna — 2012-11-15T09:04:01Z

India ranks second globally in accessing private details of its citizens, next only to the US, if the latest data from Google is to be believed.

The article by Ishan Srivastava was published in the Times of India on November 15, 2012, Pranesh Prakash is quoted.

The transparency report by the internet search giant lists out requests it received from governments across the world to access information on the users of its various services.

In the first six months of 2012, India made 2,319 requests involving 3,467 users. In comparison, the US made 7,969 requests in the same period and Brazil, which comes third, sent 1,566 requests. Globally, there were 20,938 requests for user data during the January-June period. The data can include your complete Gmail account, chat logs, Orkut profile and search terms among others. These reports are prepared by Google every six months, and were started in July-December 2009.

The requests for user data from India doubled from 1,061 in July-December 2009 to 2,207 in July-December 2011.

"Though India is a large country with a significant number of internet users, this data is nonetheless an indicator of growing surveillance," said Pranesh Prakash, policy director at Centre for Internet and Society (CIS), a Bangalore-based organization looking at issues of public accountability, internet freedom and openness.

"India lacks a general privacy law that helps set guidelines for such user requests, despite privacy being a constitutional right as part of the right to life," said Prakash.

India also actively sends requests to take down content which it deems defamatory and against national security. While the number of court orders for taking down web content has remained almost stagnant over the years, there has been a rise in the number of requests by the executive and police. Between January and June this year, there were 20 court orders and 64 requests from executive/police that resulted in 596 items being taken down from the web. In comparison, there were only eight court orders and 22 executive/police requests in January-June 2010, resulting in 125 items being taken down.

"The government does not always specify the reason for which they want access. They just want access, what they do with the information is not known to us," said a legal adviser to an MNC. "These requests come with a threat to our continued operation in India."

Falsified court orders are also being employed to seek removal of content. Three such court orders were sent to Google "that demanded the removal of blog posts and entire blogs for alleged defamation." One order was said have been issued by a local court in Andheri, Mumbai while the other two by the Delhi high court. But all the three were found to be fake.

Google says a single court order was responsible for removal of 360 items this year as they "contained adult videos that allegedly violated an individual's personal privacy." While such orders have a positive impact like curbing pornography and violent content, governments at every level have also tried to use these requests to take down unfavourable content or criticism.

In January-June 2011 period, Google received "requests from state and local law enforcement agencies to remove YouTube videos that displayed protests against social leaders or used offensive language in reference to religious leaders". Google rejected a majority of these requests. It also received a request from a law enforcement agency to remove 236 communities and profiles from Orkut that were critical of a local politician. Google did not remove them either.

"Prior to 2009, government had limited powers of interception. However, after 26/11 they gave themselves huge powers to block and monitor content," said Supreme Court lawyer Pavan Duggal. "Data privacy is non-existent in India." He said that the A P Shah Committee, which was formed to recommend principles for a privacy law, has submitted its report to the Planning Commission and now it is up to the government to take it to the next stage.

Both Prakash and Duggal said that technology companies in India, including telecom players, should come out with similar transparency reports as Google. A report by international watchdog Privacy International says that Bharti Airtel, in its 2010-2011 annual report, said it had received 422 appreciation letters from law enforcement agencies for assistance in lawful interceptions. "The Indian IT Act requires electronic audit by firms but the law is silent on how this audit is filed," said Duggal.

Globally, Dropbox, LinkedIn, Sonic.net and Twitter release transparency reports apart from Google.

For more details visit https://cis-india.org/news/times-of-india-india-times-tech-tech-news-internet-ishan-srivastava-nov-15-2012-india-second-in-keeping-tabs-on-netizens

Q&A to the Report of the Group of Experts on Privacy

elonnai — 2012-11-09T10:20:48Z

In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding.

Executive Summary

The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.

Q: What are the salient features of the committee’s recommendations?

A: In its report the committee recommended that any privacy legislation passed should:

Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted.
Recognize the multiple dimensions of privacy including physical and informational privacy.
Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy.
Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors.
Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners.

Chapter 1: Constitutional Basis for Privacy

This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case to case basis and has been defined as either a fundamental right or a common law right.

Q: What are the contexts of the cases covered?

A: This chapter covers cases that speak to the:

Right to privacy in the context of surveillance by the State
Balancing the ‘right to privacy’ against the ‘right to free speech’
The ‘right to privacy’ of HIV patients
Prior judicial sanctions for tapping telephones
The ‘search and seizure’ powers of revenue authorities

Chapter 2: International Privacy Principles

This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.

Q: Privacy principles from which countries were reviewed by the Committee?

A: The Committee reviewed privacy principles from the following countries and international organizations.

EU Regulations of January 2012
US Consumer Privacy Bill of Rights
OECD Privacy Principles
APEC Privacy Framework
Australia
Canada

Chapter 3: National Privacy Principles, Rationales, and Emerging Issues

This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.

Q: What could the principles apply to?

A: The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.

Q: Who could be brought under the scope of the principles?

A: The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.

Q: How could the National Privacy Principles impact individuals?

A: The principles provide individuals with the right to 1. Receive notice before giving consent stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers. 2. Opt in and out of providing personal information 3. Withdraw given consent at any point of time. 4. Access and correct any personal information held by data controllers 5. Allow individuals to issue a complaint with the respective ombudsman, privacy commissioner, or court.

Q: Would the National Privacy Principles be binding for every data controller?

A: Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.

Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective

This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and anaylzes current and upcoming legislation to demonstrate what existing provisions in the legislation uphold the privacy principles, what existing provisions are in conflict with the principles, and what provisions are missing to ensure that the legislation is compliant to the extent possible with the principles.

Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?

A: When applied the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.

Q: How does the report understand the relationship between the freedom of expression and privacy?

A: Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.

Chapter 5: The Regulatory Framework

This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.

Q: Who are the main actors in the regulatory framework?

A: The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SRO’s) at the industry level, data controllers and privacy officers at the organization level, and courts.

Q: What are the salient features of the regulatory framework?

A: The salient features of the regulatory framework include 1. A framework of co-regulation 2. Complaints 3. Exceptions to the Privacy Act 4. Offenses under the Act

Q: What are exceptions to the right to privacy? Are these blanket exceptions?

A: National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made for the following circumstances, the proportionality, legality, and necessity in a democratic state should be used to measure if the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy

Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessary in a democratic state.

Q: What are the powers and responsibilities of the privacy commissioners?

A: The powers and responsibilities of the Privacy Commissioners are the following:

Responsibilities:

Enforcement of the Act
Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.
Evaluate and approve privacy principles developed by SRO’s
Collaborate with stakeholders to endure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations

Powers:

Order privacy impact assessments on organisations
Investigate complaints suomotu or based off of complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary )
Fine non-compliant data controllers

Q: How does Co-regulation work?

A: The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a sub set of self regulatory norms. If these norms are approved by the privacy commissioner the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.

Q: What are data controllers? What are privacy officers? What are ombudsmen?

A: A data controller is any entity that handles or process data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of a SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsman and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.

Q: When can an individual issue a complaint? Which body should individuals issue complaints to?

A: An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.

Q: Can an individual receive compensation for a violation of privacy:

A: Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.

Q: What offences does the report reccomend?

A: The following constitutes as an offence under the Act:

Non-compliance with the privacy principles
Unlawful collection, processing, sharing/disclosure, access, and use of personal data
Obstruction of commissioner
Failure to comply with notification issued by commissioner
- Processing data after receiving a notification
- Failure to appear before commissioner
- Failure to produce documents requested by commissioner
- Sending report to commissioner with false or misleading information

Chapter 6: The Multiple Dimensions of Privacy

This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.

Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?

A: No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.

Summary of Recommendations

This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.

Q: Are the recommendations in this chapter different from chapters above?

A: No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:

The Act should define and harmonize with existing laws in force.
The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment locating in India, and all data that originated in India.
The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.
The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be evoked.
If any other legislation provides more extensive protections than those set out by the Privacy Act, than the more extensive protections should apply.

Report of the Group of Experts on Privacy [PDF, 1270 Kb]

For more details visit https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy

Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legeal Processes

praskrishna — 2012-12-09T01:00:49Z

Elonnai Hickok was a panelist at this workshop held at the IGF in Baku, Azerbaijan on November 7, 2012. The workshop was co-organised by Electronic Frontier Foundation (Peru) and University of Ottawa.

The use of cloud services is rising globally. Cloud computing and storage are uniquely tailored to take full advantage of our increasingly networked environment. However, a move to the cloud also entails tangible challenges as vast repositories of information once kept within the sacrosanct safety of the home computer are placed on a remote server in the control of a third party. While the protections of home storage and processing can be replicated in the cloud, legal norms have been slow to adopt. Jurisdiction, the classic internet governance question, is raised in particularly stark contrast in the move to the cloud, as placing user data can subject that data to the legal access laws of any (or even many) jurisdictions in the world.

While there are indicators that such data is being accessed at increasing and alarming rates, globally, yet even the dimensions of the problem remain obscure. What is needed is a set of shared international norms relating to transparency, data sovereignty and lawful access to private information. In recent years, however, International forums have appeared much more eager to adopt international standards for data access (be it to combat cybercrime, secure critical infrastructure, or help intellectual property holders uncover alleged infringers of their rights) than for data sovereignty. Standards need to be developed that will provide a basis for the special challenges to cross-jurisdictional privacy that the move to the cloud highlights. This panel will examine the need for such a cross-jurisdictional framework, what one might look like, and, importantly, how one might bring such a framework about where the issue appears to be a low priority for many national governments.

Agenda
The objective of this panel is to attempt to resolve some of the trans-border threats to civil liberties that are posed by the move to the cloud. If a baseline of privacy protection can be assured at the international level, concerns over limiting data flows on the basis of jurisdiction will be alleviated. This panel will be divided into two parts. The first part will discuss some of the challenges raised by the cloud environment for traditional civil liberties paradigms. The discussion in part two will be solution-driven—what rules can be put in place at the international level to alleviate the heightened risk to privacy and other civil liberties raised by a cloud-centric model.

Part 1: Cloud-based threats to cross-border civil liberties (45 mins)
This part will discuss some of the challenges to civil liberties arising from a cross-border cloud-based environment. The panel will be further sub-divided into 25-30 minutes of panelist input, followed by 15-20 minutes of general discussion. Panelists will be asked to spend 3-5 minutes highlighting what they view as the most pressing of these challenges may be.

This might include specific recurring problems that have arisen in many comparable online contexts, as they relate to the cloud such as, for example:

legal obligations to build in intercept capacity into Internet services (compare CALEA 2.0 efforts in US, Lawful Access in Canada, and domestic server obligations such as those imposed on RIM by India and others in order to facilitate access to data that is encrypted in transit).
Concerns that many legal regimes permit voluntary conduct without adequate safeguards for political pressure on companies, particularly smaller businesses, to comply with requests.
Inability to challenge surveillance laws because the programs are shrouded in secrecy, because individuals are never made aware they have been surveilled, because of standing issues, etc.
Ability for ‘one-stop access’: cloud centralizes mass amounts of data in one place. This concentration as well as a general erosion of traditional criteria designed to ensure surveillance is targeted in a way that impacts minimally on the general populace.
Nascent suggestions of informal information sharing arrangements through MLATs and less transparent more informal arrangements.

Part 2: Adopting protections at the International level (45 mins.)
The discussion in Part 2 will focus on how some of these problems can be addressed at the international level by adoption of a set of principled protections designed to meet the realities of online and specifically cloud services. The focus is on problem resolution.

Format for Part 2 will mirror that of Part 1. Panelists will be provided with 3-5 minutes each and asked to present their views on one or two solutions that can be adopted at the international level to the problems presented in part 1. The remainder (20-25 minutes) will be dedicated to general discussion.

It is hoped that the discussion will explore specific protections that might be adopted at the international level, how to advance those solutions, and what strategies can generally advance these objectives, on the advocacy front, by use of transparency tools to increase awareness of some of the issues.

Questions to think about:

Historically, interception of communications received the strongest protection at law, but it relied to a great extent on the act of interception coinciding with the communication itself. Should we be expanding this to other means of communications?
Do we have effective mechanisms to immunize private organizations from political pressure to voluntarily share information? Particularly, a lot of small companies can now have a lot of information. Are they well equipped to resist political pressure
Does the content/traffic data distinction still hold? Do we need a new framework for analysing the types of data produced as a natural byproduct of our online activities?
Can the MLAT regime form the basis for ensuring fundamental rights are respected in legitimate cross-border surveillance activities? If so, what would it take to have it reflect a baseline of protections?
Is it feasible to develop and formally adopt detailed limitations on state access at the international or regional level?
Is cloud-based info susceptible to unauthorized state access in new ways? Is this something the law can fix (mandate encryption in storage or other safeguards)? Social engineering concerns?

Background Reading:

The Draft International Principles on Surveillance & Human Rights: http://necessaryandproportionate.org/
Global Network Initiative, "Principles on Freedom of Expression and Privacy", http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf
I. Brown & D. Korff, “Digital Freedoms in International Law”, GNI 2012, http://wsms1.intgovforum.org/sites/default/files/Digital%20Freedoms%20in%20International%20Law.pdf
J. McNamee, “Internet Intermediaries: The New Cyberpolice?”, GIS Watch, http://www.giswatch.org/sites/default/files/gisw_-_internet_intermediaries_-_the_new_cyber_police_.pdf
A. Escudero-Pascal & G. Hosein, "The Hazards of Technology-Neutral Policy: Questioning Lawful Access to Traffic Data", (2004) 47(3) ACM 77, http://web.it.kth.se/~aep/PhD/docs/paper6-acm-1905-reviewed_20021022.pdf
HRC, “Protect, Respect and Remedy: A Framework for Business and Human Rights”, April 2008, A/HRC/8/5, http://198.170.85.29/Ruggie-report-7-Apr-2008.pdf
HRC, “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy” Framework”, March 2011, A/HRC/7/31, http://www.ohchr.org/Documents/Issues/Business/A-HRC-17-31_AEV.pdf
ACLU, “New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance”, Sept 2012, http://www.aclu.org/blog/national-security-technology-and-liberty/new-justice-department-documents-show-huge-increase

Organiser(s) Name:

Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation (Peru)
Tamir Israel, Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), University of Ottawa (Canada)

Previous Workshop(s):

Submitted Workshop Panelists:

Chair: Katitza Rodriguez, International Rights Director, Electronic Frontier Foundation; (US/Peru) (Civil Society) / Confirmed

Ian Brown, Senior Research Fellow, Oxford Internet Institute (EU) (Academic) / Confirmed
Bertrand de la Chapelle, Program Director at International Diplomatic Academy (EU) (Civil Society) / Confirmed
Marc Crandall, Global Compliance, Google (US) (Private Sector)
Elonnai Hickok, Policy Associate, Centre for Internet & Society (India) (Civil Society) /Confirmed
Sophie Kwasny, Head of Data Protection Unit, Data Protection & Cybercrime Division, Council of Europe (IGO) / Confirmed
Bruce Schneier, Chief Security Technology Officer of BT (US) (Private Sector) / Confirmed
Wendy Seltzer, Policy Counsel, W3C (US) (Technical Community) / Confirmed

Name of Remote Moderator(s): Paul Muchene, iHub Nairobi (Kenya) (Private Sector) Assigned Panellists: de La Chapelle - Bertrand Rodriguez - Katitza Brown - Ian Schneier - Bruce KWASNY - Sophie Seltzer - Wendy Crandall - Marc

For more details visit https://cis-india.org/news/cloudy-jurisdiction-addressing-the-thirst-for-cloud-data-in-domestic-legeal-processes

Report of the Group of Experts on Privacy

praskrishna — 2012-11-06T09:39:43Z

The report covers international privacy principles, national privacy principles, rationale and emerging issues along with an analysis of relevant legislations/bills from a privacy perspective.

For more details visit https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf

The Privatisation of Censorship: The Online Responsibility to Protect Free Expression

praskrishna — 2012-12-09T01:48:13Z

Pranesh Prakash was a panelist at this workshop organised on November 5, 2012. It was organized by Index on Censorship.

Much is known about state censorship, but increasingly private corporations are implementing censorship either at the behest of governments, or as part of a ‘walled garden’ approach. This censorship takes many guises: whether the proactive take-down of entirely legal material, the blocking of websites by overly zealous ISPs, mobile filters that cut access to websites such as Index on Censorship and the use of surveillance technology on behalf of autocratic states. The combination of state-led censorship with the privatisation of censorship requires a debate on the responsibilities of corporations and the framework needed to protect free expression online.

This side session will focus on two key areas:
1. Take-down, blocking and filtering of content
2. The export of surveillance technology, privacy

The panel will explore the ways in which the above can affect free expression online, and how civil society, governments and corporations can and should approach these issues, addressing the following questions:

1. Whether, why and in what ways censorship and surveillance is either as or more pervasive, intrusive and chilling than offline, and the impact on free speech and press freedom?
2. The inappropriate, intrusive or excessive use of filters and firewalls including how these impact directly and indirectly on access to media and the nature of news provision
3. Criminalisation of free speech and free expression – chilling use of takedown requests (impacting on public online debates, on media freedom including investigative journalism), and constraints on comment and debate (twitter, trolls, comment threads etc);
4. Excessive and blanket surveillance and data-gathering
5. Regulations and laws including intermediary responsibility that curtail digital free speech

Chair:
Michael Harris, Head of Advocacy, Index on Censorship

Panelists:

Dr Hosein Badran, Regional Chief Technology Officer, Cisco Systems International, covering MENA
Pranesh Prakash, Policy Director at the Centre for Internet and Society
Abhilash Nair, Northumbria University, UK
Camino Manjon Sierra, International Relations Policy Officer, Directorate General for Communications Networks, Content and Technology, European Commission
Andrew Puddephatt, Global Partners and Associates

For more details visit https://cis-india.org/news/privatisation-of-censorship

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

elonnai — 2012-10-25T10:23:50Z

CCTVs in India are increasingly being employed by private organizations and the government in India as a way to increase security and prevent/ deter crime from taking place. When the government mandates the use of CCTV’s for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.

The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space – and does not distinguish between private and public and primarily captures information where it is directed to, give rise to privacy concerns and raises fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.

An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.[1] This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.

To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.

Current Status of the Shack Policy

This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1^st through May 31^st, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.[2] Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.

Inside the policy:

Application Requirements

To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, attested copy of ration card, four copies of a recent colored passport photos with name written on the back, attested copy of birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and affidavit. In addition individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wishes to provide.[3] These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish – could be used to convey meaningful information or extraneous information to the government.

Operational Requirements

The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack[4] and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.[5]

The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,[6] shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,[7] and the proper disposal of trash and waste water will be the responsibility of the shack owner.[8] Furthermore, foreigners working in the shacks must have a work visa,[9] and loud music is not allowed to be played after 10:30 p.m.[10]

As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. [11] But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.

Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPc. This requirement only came into effect on October 1st 2012.[12]Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.

Enforcement

The policy uses a number of measures to ensure enforcement. For examples, successful applicants must place a security deposit of 10,000 with Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.[13]The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment minimum three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable. [14] If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.[15] Shack owners will also be penalized of they are caught discriminating against who can and cannot enter into the shack.[16]

Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.

Other practices around security and identification in Goa

In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.[17]

The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.

Will the 2012 – 2013 Beach Shack Policy have new implications?

In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seems to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.

The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.

At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.

For example, Goa is not the only city to consider mandatory installation of CCTV’s. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.[18] Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.[19]

The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTV’s was recently highlighted in Report of the Group of Experts on Privacy headed by Justice A.P Shah.[20] The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.[21]

Conclusion

In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.

Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sectors ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.

Notes
[1].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: http://bit.ly/Xk18NH. Last accessed: October 24th 2012.
[2]. Id. Section 2.
[3]. Id. Application Requirements 1-8. Pg 1&2.
[4]. Section 33.
[5].A part of the affidavit
[6].Id. Section 4.
[7]. Id. Section 17.
[8].Id. Section 28.
[9]. Id. Section 35.
[10].Id. Section 37.
[11]. Id. Section 38.
[12]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf
[13]. Beach Shack Policy 2012 - 2013, Section 16.
[14]. Id. Section 18.
[15]. Id. Section 22.
[16]. Id. Section 32.
[17]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: http://bit.ly/TbUO4S
[18]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28^th 2012. Available at: http://bit.ly/RXtgBg. Last Accessed: October 24th 2012.
[19]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20^th 2011. Available at: http://bit.ly/VHwCzd. Last accessed: October 24th 2012.
[20]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: http://bit.ly/VqzKtr. Last accessed: October 24th 2012.
[21]. Id. pg. 61-62.

For more details visit https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy

Draft Annual Report (2010-11)

praskrishna — 2014-10-21T23:55:55Z

This is the draft of the 2010-11 Annual Report.

For more details visit https://cis-india.org/about/reports/annual-report-2010-2011.pdf

Annual Report (2011-12)

praskrishna — 2014-10-22T00:15:01Z

Draft Annual Report of 2011-12 from the Centre for Internet and Society

For more details visit https://cis-india.org/about/reports/annual-report-2011-2012.pdf

The Public Voice: Privacy Rights are a Global Challenge

praskrishna — 2012-10-22T14:28:09Z

October 21, 2012 is an important day for global civil society defending privacy and free speech. The Public Voice coalition will be hosting a global conference in Punta del Este, Uruguay, and you are invited to take part in the conversation and interact with the panelists. Malavika Jayaram is speaking at this event.

You can follow the live conversation here, and join the conversation by using #thepublicvoice hashtag, ask questions, participate in polls and interact with those covering the event in several languages. The conference aims to assess cultures and privacy perspectives from around the World, and members of civil society wil discuss the spread of Surveillance Technologies and its implications in societies, experts will explore Latin American policy, law, and technology perspectives on privacy governance and suggest to governments and private sector to safeguard citizens privacy.

You can read the program and follow the live Webcast in English and Spanish.

During the day the panelists will assess cultures and privacy perspectives from around the world. They will raise public awareness of surveillance technology and its consequences to consumers, for freedom of expression and human rights, and they will explore Latin American policy, law, and technology perspectives. It is the small window civil society has before the 34th International Conference of Data Protection and Privacy Commissioners comprising all the governmental agencies all over the World, webcast available here. It certainly can bring the relevant topics for citizens to the discussion table. I hope you join us.

For more details visit https://cis-india.org/internet-governance/events/privacy-rights-are-a-global-challenge