Centre for Internet and Society

Privacy & Sexual Minorities

Danish Sheikh — 2013-09-20T09:22:44Z

Danish Sheikh examines the status of sexual minorities in the light of privacy framework in India. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, the research brings to light the privacy violations being committed by both individuals as well as state authorities. The research concludes by saying that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers.

Defining Privacy

In examining the status of sexual minorities vis-à-vis the privacy framework in India, this research takes into account a definition of privacy that encompasses protection against physical interference with a person and their property as well as the state of being free from intrusion in one’s private life or affairs.[1] This involves an understanding of privacy violations being committed by both an individual as well as the State. On the one hand is the extent to which a private individual is entitled to personal information about another individual and on the other is the extent to which government authorities can intrude into the private life of a citizen to keep watch over his or her movements or exercise control over personal choices.[2]

No mention of sexuality and privacy in India can stand without a nod to Section 377 of the Indian Penal Code (IPC). In 1860, with the institution of the IPC by Lord Macaulay, section 377 criminalized homosexuality by putting forth that, "carnal intercourse against the order of nature"[3] was to be punishable by law. While this archaic law stands even today, it was read down significantly in a landmark Delhi High Court judgment in 2009[4] which will be referred to later. As stated in an open letter by Vikram Seth and a host of others and endorsed by Amartya Sen, the law has been used to "systematically arrest, prosecute, terrorize and blackmail sexual minorities. It has spawned public intolerance and abuse, forcing tens of millions of gay and bisexual men and women to live in fear and secrecy at tragic cost to themselves and their families."[5] When understood in its conception as non-interference by the State, as the right to be left alone,[6] privacy isn’t necessarily an empowering right for lesbian, gay, bisexual and transgender (LGBT) persons. For one, the claim to privacy when it comes to same-sex acts tends to get construed as a claim for secrecy: it is to carry out purportedly "clandestine" acts that the sexual minority community wants refuge from the State. The same strategy can further backfire when claims for heightened scrutiny might in fact be requested, such as in discrimination actions.[7] A zonal understanding of privacy also subverts the fact that many instances of expression of identity happen in the public sphere.[8]

For a while, privacy jurisprudence hinged on this idea of privacy as a negative right by disallowing infringement of a person’s right to a private life by the State. This understanding may be located in an international regime which has for a while insisted on dividing civil and political rights at one side, and social and economic rights on the other. With this split, what was institutionalized was the idea that civil and political rights were as such "negative" rights, while social and economic rights were "positive" in their content. In effect, the presumption that stood was that while states needed to expand resources to uphold social and economic rights, no such correlative obligation required observance in respect of civil and political rights.[9] Recent human rights conventions such as the Convention on the Rights of Persons with Disabilities acknowledge the flaw in this understanding, based on the reasoning that both civil and political rights and social and economic rights give rise to positive and negative duties.[10] The Naz Foundation[11] judgment propels the understanding of privacy as a positive right. It’s easy enough to split the analysis in this study neatly with the judgment which, in the course of declaring unconstitutional the aforementioned IPC provision, discussed at length the right to privacy, exploring it as a function of dignity. To divide what the Delhi High Court said about the right into three parts — first, they discussed privacy as dealing with persons and not places,[12] implying that the right to privacy is not only a claim to space from state intervention but that it protects the autonomy of the private will and a person’s freedom of choice and action, second, they tied it in with dignity and connected it with the value and worth of all individuals,[13] and third, they talked of the right to privacy as being based on one’s autonomous identity. In the context of privacy, this means that it is "the inner sanctum of the person such as his/her family life, sexual preference and home environment which is shielded from erosion by conflicting rights of the community."

While there will be a bit of a before-Naz/after-Naz tint to the analysis, it is important to appreciate that the nature of privacy discourse when it comes to sexual minorities remains somewhat murky even after the grand affirmation that the judgment provided. A large part of this of course is concerned with society struggling to catch up with the developments in the law.

Before moving on to the next chapter, I’ll unpack the term "sexual minority" to delineate the different communities that will feature in the course of this paper, whilst also attempting to renegotiate the idea of privacy contextually. Using Arvind Narrain’s seminal monograph Queer as a template,[14] the term gay will be employed to describe a man who is attracted to another man emotionally, sexually or physically; a lesbian woman is attracted to women emotionally, sexually or romantically; while someone who is bisexual maintains that attraction towards members of both sexes. A transgender person assumes the gender identity of the opposite sex; within Indian discourse they are called as hijras, constituted of a transgender person who is biologically male and takes on the gender role of a female. The hijra community in India maintains a unique form of social organization within its parallel society. We then have the term "eunuch", used in a more derogatory fashion, which medically refers to a castrated male, and is sometimes employed in India to refer to the hijras. Another South Asian constructed identity is that of the kothi — a male homosexual who is feminized and takes a passive/receptive role in sex.

The next section of this study will look at a string of privacy concerns of sexual minorities in India as sourced from various studies and media reports. The analysis pauses at the interplay of rights surrounding the transgender community in particular: how do issues of recognition of their particular category impact members of the community? The subsequent section jumps past the timeline of the Naz Foundation judgment to understand the kind of changes – if at all – that the high court’s words have effected when it comes to this idea of privacy.

Privacy Rights and Wrongs

The incidents highlighted in this chapter took place before the Delhi High Court altered the way we conceived of queer rights in general and privacy in particular. Two issues permeate this analysis: one, the notion of criminality hovering above queer identity, and two, the somewhat one-dimensional idea of privacy that existed then. A third, more complex issue in the context of the hijra community becomes the idea that one conception of privacy may not always be the most empowering for a community, and the subsequent negotiations that have to be made in that sphere.

Entrapment: The Lucknow Incidents

In July of 2001, a set of raids: first on a public park frequented by the men who have sex with men (MSM)[15] community, and next on the offices of two NGOs working on safe sex issues led to the arrests of ten people. The operation was conducted on the basis of an FIR filed with a Lucknow police station wherein it was alleged that a certain Suresh had sodomized the complainant. Notable in the incident was the climate of homophobia stoked by the media which indulged in sensationalizing headlines,[16] with the magistrate concerned further refusing bail to the men. In denial of bail, instead of siding with the relevant law, the magistrate clearly proceeded on the basis of his perceptions regarding homosexuality: "they…are polluting the entire society by encouraging the young persons and abetting them for committing the offence of sodomy."[17]

If we were to extend the Supreme Court’s reasoning in the catena of surveillance cases vis-a-vis privacy starting from Kharak Singh v. State of U.P., [18] it is clear that the NGO members’ right to privacy was violated by the way of unwarranted search and seizure operations carried out by the police. As the court said in Govind v. State of M.P.,[19] domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security. While the judges were referring to matters relating to follow-up from a conviction/release from prison, it seems evident that a higher standard should be given to cases where such prior conviction itself hasn’t taken place.

As for the accused, Narrain notes how the response of the State and media ended up harming them, regardless of the final judicial decision. [20] The public hearings meant that in Lucknow, their sexual identities became public, with a definite impact on their future prospects and present perceptions. The question, as Narrain poses, is the issue of the suitability of the courts to protect the rights of people who are still in the closet. If approaching the courts means compulsory 'outing' with all its attendant negative outcomes, how does one articulate the rights of such a minority?[21]

There are thus three major facets of privacy violation here: the police’s lawlessness resulting in the primary intrusion; the media’s sensationalization which harshly exposed the accused to the public glare; and finally, the magistrate’s bias which legitimized these privacy violations.

Yet another set of arrests took place in the city, this time in 2006, with the police in Lucknow arresting four men under section 377 for allegedly having sex in a public park. News reports revealed pictures of all the four men with their names and home addresses.[22]

The first information report (FIR) here contradicted the investigation of a fact finding team of activists and lawyers: it emerged that none of the men were actually involved having public sex, with the story by the police being a completely fabricated one. It turned out that one of the men had been arrested by the police on their knowledge about his homosexuality, following which his contacts were tapped to stage an entrapment of the other three men.[23]

This notion of raiding homosexual gatherings was taken to its extreme by a police raid on a gay party in the outskirts of Mumbai in 2008, in the course of which six persons were detained. "…. neither was he able to give a satisfactory explanation for organizing the party," said the API on questioning the event organizer.[24]

In these instances of interplay between criminal procedure, media ethics and judicial process, it is worth questioning whether general reforms in those areas will positively affect privacy rights of sexual minorities in particular. Unwarranted searches and arrests are barely an uncommon occurrence in the country, neither is the fact of accounts of people’s sexual behaviour finding themselves very publicly outed in the media, and nor, again, are accounts of judges overlooking police excesses rare. It’s a bit difficult to make an exact value judgment over what kinds of privacy violations is more damning, in a society that takes its sexual mores quite seriously, be they with regard to hetero or homosexual sex. More than anything though, that just makes the need for across the board reforms in these areas more urgent, and sharpens the kind of alliances across communities that would be required to effect change. Of course, this kind of advocacy can only happen in an atmosphere where homosexuality continues to be decriminalized – the fate of the Naz Foundation appeal before the Supreme Court is of paramount importance.

Gender Identity and Transgender Issues

A survey of the situation regarding the transgender community in India throws up a fascinating picture of instances where seemingly positive sounding regulation doesn't always serve its intended effects – when such "positive sounding" regulation does happen at all. To start with, there is the question of the status of the transgender community in India itself – a PUCL report[25] notably documented, and numerous reports and articles[26] have affirmed, the reality of the transgender community today as one of harassment, abuse, and sexual violence. These accounts reveal a deep-rooted fear inculcated by mainstream society of sexual and gender non-conformity, which manifests itself in the refusal of basic citizenship rights to these communities.

The PUCL report gives a detailed account of harassment by the police in public places, at home, in police stations, and instances of entrapment similar to the Lucknow cases. Instead of reiterating that aspect which would simply involve repeating the above analysis, this section will look into other gender-specific issues that arise with respect to the community and the multiple questions these give rise to:

Transgender Toilets

The first example relates to efforts by the Chennai Municipal Corporation to build toilets specifically for the transgender population,[27] in a move stated as being part of a pilot project to recognize the considerable community in South and Central Chennai. Each lavatory in these toilets was to contain male, as well as female urinals. In the words of the municipal commissioner, the scheme was aimed at "extending recognition to the community and mainstreaming them", and more facilities could be built if the public responded well to the idea.

The reaction from the community was mixed at best: sure, it was regarded as a positive move to the extent that not every person who identified themselves as transgender had undergone sex change; simultaneously, the city saw one section of the community fearing the move as a step towards discrimination and isolation. "I don’t agree with this. We want to mingle with the mainstream. We don’t want to be separated like this," said Aasha Bharati, president of the Aravanigal Association. The idea of privacy here is at odds with something else the community is striving for: inclusion. The fear then was of one kind of recognition trumping another. What would a policy maker then privilege? Would this possibly be a better short-term move, as we move towards a future understanding of not being disabled by difference, or would the ideal of privacy trump even that?

The way this issue has played out in the Indian context stands in interesting contrast to cases in America. A bill in Maine which would allow restroom owners in business establishments and institutions from mandating what gender persons would use what washroom was met with sharp opposition from the transgender community on claims of dignity and privacy.[28] For a person who, say, externally had strongly masculine features, but identified as a woman, two options existed: either break the law and walk discreetly into the male compartment – or risk the outrage of other women as she walked into their compartment and was faced with their indignation of having a "man" use their toilet. In such an instance, there stand two rival conceptions of privacy: one in which respecting privacy would, somewhat ironically, stand as a transgender person’s right to assert their distinct identity in public without fear, versus a conception of privacy as anonymity – their right not to be compelled to make a political statement in the course of going about their daily lives.

Now that kind of issue wouldn’t come up in the Indian context for a large section of the transgender community simply owing to the hyper-visibility of the hijras. For all its contemporary stigmatization, the hijra community is a discernible one in public with an acknowledged history. Hijras have won elections in India, and are very much an acknowledged part of public space.[29] To that extent, privacy isn’t quite the overriding concern here in the way that it might be in the West – one might even say that the lack of such a conception can in this particular case be somewhat empowering.

Passport Forms

The next example concerns gender-sensitivity when it comes to passport forms.[30] The Ministry of External Affairs moved to allow for the option of entering a person's sex as "E" instead of either "M" or "F", the "E" then standing for "Eunuch". At the time of introduction of this category there was a degree of ambivalence: it was not available on the form itself, instead being listed as an option only in the rules. As activists noted however, it was a victory in the sense of being the first official recognition of the community. The particular category of recognition was problematic: for one the term "eunuch" would only reasonably represent one part of the transgender population; for another, large sections of the community would consider that term insulting. The government subsequently made an ameliorative measure by changing the category to "Other".[31] Again, the logical privacy question that would arise here would be regarding one's desire to be identified as transgendered in the first place. Similar to the toilets example, the issue would play out differently in India in many cases, given the hyper-visibility of the hijra community which provides an instant marker for a hijra, and subsequently ensures that there isn’t really a privacy violation when it comes to such kind of identification.

Of course, this declaration of otherness leads to issues for someone uncomfortable with disclosing transgender identity as such, and wanting to perform maleness or femaleness specifically. Would marking either the "M" or "F" column be considered an illegality?

Recognition – and Resolving Privacy

Where official recognition is clearly ameliorative, it doesn't always stay. Following years of struggle, the community was given recognition in Andhra Pradesh under the Minorities Welfare Department. It was short-lived, however: protests by religious minority groups forced the government to go back on its decision.[32] The kind of privacy violations that the hijra community suffers in India are thus in stark contrast to the kinds suffered by members of the gay and lesbian community: where one side deals with its invisibility, the other contends with the problems of its hyper-visibility. Hijras walk about as constant targets of police intrusion. A gay man or lesbian woman wouldn’t necessarily face those issues at the same level, except in instances where public sex is involved. The exceptions to even that are incidents of entrapment such as the Lucknow case, but it is evident that it is the hijra community which deals with such police action much more than the others. What is also uniquely empowering for the community is this very aspect of their identity, this ever-present identification. The kind of fears of disclosure and blackmail that someone who fears outing might face fizzle out in the case of the hijras.

The discourse gets complicated when you take up the identities of non-hijra transgendered persons: there are the female-to-male transgendered identities of Thirunambigal in Tamil Nadu, Magaraidu in Andhra Pradesh and Gandabasaka in Karnataka – as well as male to female identities such as the Jogappas in Northern Karnataka, and Jogathas in Andhra Pradesh.[33] The idea of hyper-visibility which is so crucial to locating a sense of empowerment for the hijra community in their lack of loss of privacy disappears here. The discussion here then springs back to the U.S. example of transgender toilets, and the complications that arise when external identity doesn’t necessarily match the internal one.

The Medical Establishment[34]

Relevant to this section of the study is the understanding of privacy under the ambit of autonomy. Referring to Naz Foundation, instead of using liberty to describe and support privacy as under Article 21 of the Constitution of India, the court refers to autonomy holding that "exercise of autonomy enables an individual to attain fulfillment, grow in self-esteem and form relationships of his or her choice and fulfill all legitimate goals that he/she may set."[35];

The medical establishment in India constantly undermines that autonomy by its treatment of homosexuality as a disease, and of LGBT persons as "others". LGBTs in India have often been detained in clinics against their will and subjected to treatment including shock therapy aimed at curing them.[36]

In 2001, the National Human Rights Commission (NHRC) admitted a complaint from a patient at the All Indian Institute of Medical Sciences, alleging psychiatric abuse at the hands of the consulting doctor, having been put on a four year course of drugs and told he had to be "cured" of his homosexuality. The NHRC finally chose to reject the complaint, with informal conversations with the chairman showing his belief that till section 377 was read down, nothing could be done. [37]

According to Vinay Chandran, Executive Director of the Swabhava Trust, medicine in India continues to be obsessed with curing homosexuality, with health professionals in many places still offering behavioural therapy including electric shock treatment as well as psychiatric drugs and hormones in order to "cure" patients of homosexual desire. Vinay reports that a couple of psychiatrists in Bangalore mentioned that there were possibilities of discovering which gene determines sexual preference and scientifically suppressing it.[38]

Of course quacks exist across the spectrum, and medicinal malpractice is barely limited to serving disastrous advice/ treatment to persons "afflicted" with homosexuality. For understanding how the debate moves beyond merely unqualified doctors, we have to factor in the category of ego-dystonic homosexuality, which is endorsed by the WHO. Here, the gender identity or sexual preference of the individual is not in doubt, but the individual wishes it were different and seeks treatment.[39]

The way a number of psychiatrists’ engage with the situation is summed up by the statement: "it’s not my job to tell him that it’s okay to be gay." No, the psychiatrist’s job it seems is to attempt to "cure" the oft-acknowledged incurable.

The fundamental factor not taken into account is that it is very often the environment that surrounds expression of homosexual identity that the patient is concerned about, as opposed to merely the idea of being LGBT. The relationship between patient and doctor is a fiduciary one, premised on absolute trust. In consulting a doctor, the patient entrusts fundamental decision making powers to the practitioner. The medical professional is often unable to comprehend the question of choice. This in turn results in effectively infringing the patient’s autonomy: the component of attaining fulfillment, the growth in self-esteem that the Delhi High Court elaborated on is robbed in the process of stifling sexuality, even when it is something the patient specifically requests the doctor for.

Lesbian Unions

Maya Sharma, in her book Loving Women locates the stories of a number of working-class lesbian women struggling to be with each other against the odds.[40] In a vein that parallels the reaction elicited to inter-religious or inter-caste marriages in a number of regions, it is often the honour of a family/village that is invoked in opposition to the demands of two people who want to be each other. One incident involves a woman who "dares" to elope with another being beaten and stripped, having her face blackened and being paraded around a village with a garland of shoes on her neck. Sahayatrika, a lesbian women's collective in Kerala has documented 24 cases of lesbian couple suicides in Kerala during the period between 1996 and 2004.[41] Earlier this year, two sets of lesbian couples committed suicide within a month of each – one in Sonarpur,.[42] and the other in Nandigram.[43]

Sexuality has often been used as a means for controlling women. The immoral/ tainted woman when placed in contrast with the idealized image of the model Indian woman is an image played out in various daily social interactions. In carrying out the agenda of control, the act of agency displayed by women who choose to step out of the heterosexual woodwork is a direct threat to that very system. The acts of family members in attempting to separate lesbian unions display a lack of respect for autonomy and for the private decisions of the women concerned. The feelings of fear, shame and isolation experienced by women who dare to explore their sexuality are compounded by instances of persecution by the family. The state is further complicit in numerous documented instances with the police often working with the family to track down the runaway brides and get them back home to familial watch under lock and key.

Privacy again battles with privacy in this realm: an oft-heard feminist critique of privacy hinges on the idea that privacy can be dangerous for women when it is used to cover up repression and physical harm to them by creation of the public/private divide.[44] The private realm is premised on non-intervention by the State. In this instance however, it is another aspect of privacy that needs to be valued, and one that even calls for state intervention: the aforementioned act of autonomy.

Privacy in the Time of Naz

The examples up until now have been coloured with a pre-Naz conception of privacy and queer rights – this chapter takes up two incidents post the judgment that captured the public imagination. First is the sting operation carried out on an Allahabad Muslim University professor that began a chain of events leading to his death; the second is an "expose" on the gay community carried by TV9. In both incidents, the "Spectre of Naz" [45] looms in the background, in many ways acting as an empowering, legitimizing force.

The Allahabad Muslim University Sting Operation

In February 2010, newspapers widely reported the story of Dr. Shrinivas Ramchandra Siras a 64 year-old Reader & Chairman, Department of Modern Indian Languages, Aligarh Muslim University (AMU) being filmed having consensual sex with another adult male. When the video was made public, AMU suspended Siras for immoral sexual activity.[46] The implications of the suspension both in terms of the perception of homosexuality as immoral despite the judgment of the Delhi High Court as well as the disturbing nature of the occurrence of the filming of Dr. Siras in the privacy of his home prompted a nationwide outrage.[47]

On April 1 of the same year, the Allahabad High Court ordered AMU to reinstate Siras, holding that his right to privacy had been violated, stating "the right of privacy is a fundamental right, needs to be protected and that unless the conduct of a person, even if he is a teacher is going to affect and has substantial nexus with his employment, it may not be treated as misconduct."[48]

Then comes the news that Uttar Pradesh police had arrested two of those who broke into Siras’ house and filmed him. Many university officials were also charged with criminal offences. As Vinay Sitapati notes, none of this could have happened in a context where gay sex was illegal. In that context, it would have been Siras who was the criminal, and the additional wrongs done simply irrelevant – "this is not how the story was supposed to pan out. Those who broke into Siras’s house and AMU (and there are allegations that they are one and the same) assumed that Siras’s transgressions were so repellent, that their own would be forgiven." The judicial narrative — of a victimized Siras, a callous administration and criminal house-breakers — owes much to the Delhi High Court’s view that Siras’s sexual choice was legitimate.[49]

Going back to the understanding that the right to privacy is integrally linked to the notion of autonomy and the right to live with dignity ‒ it is this most fundamental of Constitutional safeguards that the AMU authorities clearly colluded in negating by being complicit in the sting operation and subsequently suspending Dr. Siras. A press release by the AMU authorities demonstrated a continuing disrespect for privacy: "the university respects the privacy of a teacher living in its premises but it also expects everyone to behave in a respectful manner giving due regard to its valued cultural ethos and the campus sensitivity including their neighbours concerns and to the great moral credentials that AMU has been nurturing since its inception."[50]

The TV9 “Expose”

In February of 2011, the news channel TV9 aired what it called an expose on the Hyderabad gay community titled "Gay Culture in Hyderabad". The video starts by worrying about how gay culture in Hyderabad is "increasing drastically". Following this, footage of a gay club is shown, without any attempt to blank out faces. The show then puts itself in the mode of investigative journalism, as TV9 sets itself the target of exposing the "truth" about gay culture in the city.

Next, viewers are informed about gay dating websites, with the anchor taking special care to inform viewers that it is software employees and students who mostly "fall prey" to this gay culture. Then, in an astonishingly blunt violation of privacy, pictures of men on one dating site are flashed on the screen, accompanied by conversations between the concerned man and a TV9 journalist soliciting sex. "While some do it for new pleasures, some get spoilt by friends, others do it for the crave of money and the remaining are vowed by the lust some of them have changed it into a business by capturing teenager's mind and get them into hell."

The video recording of the telecast on YouTube was taken off the site following a sustained protest from users of the site. Notices for legal action were sent to TV9 offices, including a detailed petition from Adhikaar, a Delhi based NGO. Two questions were primarily asked on LGBT mailing lists across the country[51]: first, regarding how safe establishing one’s homosexual identity online, or attending gay parties would be anymore, and secondly, whether a protest should take place, and what the nature of the same should be.

As highlighted by the petition drafted by Adhikaar, a Delhi-based NGO, this act of TV9 was violative of Code 6 of the News Broadcasters Association Code which deals with matters of privacy, and states:[52]

"As a rule channels must not intrude on private lives, or personal affairs of individuals, unless there is a clearly established larger and identifiable public interest for such a broadcast. The underlying principle that news channels abide by is that the intrusion of the private spaces, records, transcripts, telephone conversations and any other material will not be for salacious interest, but only when warranted in the public interest."

By way of entrapping a set of gay men through calling them and asking them pointed personal questions about their sexual lives, TV9 was further in violation of Code 9 (Self-Regulation Section) of the News Broadcasters Association which deals with sting operations and which states:[53]

"As a guiding principle, sting and undercover operations should be a last resort of news channels in an attempt to give the viewer comprehensive coverage of any news story. News channels will not allow sex and sleaze as a means to carry out sting operations, the use of narcotics and psychotropic substances or any act of violence, intimidation, or discrimination as a justifiable means in the recording of any sting operation."

A month later, the News Broadcasting Standards Authority, New Delhi censured TV9 and ordered it to pay a fine of Rs.1,00,000 and broadcast an apology in prime time both in English and in Telugu. The Authority determined that TV9 has violated the codes of ethics and broadcasting standards.[54]

Justice JS Verma called the story a sensationalized depiction of gay culture in Hyderabad and the story needlessly violated the privacy of individuals, with possible alternate sexual orientation. He also pointed out that alternate sexual orientation is no longer considered as a taboo or a criminal act. The channel was directed to run an apology for three consecutive days beginning the Monday next, in prime time with the following text:

"TV9 apologizes for the story “Gay Culture Rampant in Hyderabad” telecast on this channel on 22 February, 2011 from3.11 p.m. to 3.17 p.m. particularly since the story invaded the privacy of certain persons and was in violation of the Code of Ethics & Broadcasting Standards of the News Broadcasters Association. Any hurt or harm caused to any person thereby is sincerely regretted."

Again, it must be noted that the order of the NBSA would not have been possible in a context where gay sex was illegal: it is that very notion that allowed the Authority to move past the issue of homosexuality and instead delve into the merits of the actual harm done here.

Conclusion

It is possible to mount an argument that nothing has really changed post-Naz. The AMU’s attitude even in the face of the flak it received after the sting operation was phlegmatic at best: a summary statement saying that while it respected his privacy, it also expected a certain degree of behavior keeping in line with its "valued cultural ethos". Reactions like this threaten to lock the idea of privacy into a closed epistemic loop of judicial discourse: the courts might go hoarse extolling the significance of privacy, but it is for nought if the AMU decides it can still walk away with its flagrant violation of basic civil liberties. Or perhaps the frenzy generated by the incident will work as a deterrent factor to future institutions fixing their moral gaze upon their members. The strength of an incident as precedent can only be gauged effectively by how its future echoes use it as a reference point.

Meanwhile, what do these stories tell us about privacy?

The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs narrate a tale of institutionalized disrespect for privacy that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere regardless of the bull-in-a-china-shop[55] prophecies of doom. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Selected incidents reported from 2001-2011

1	NGO charged with running gay club	8 July 2001	Times of India	http://goo.gl/MNHzw
2	Homosexuality okay if practiced in private	14 September 2011	Sify News	http://goo.gl/iF3PQ
3	Male callers harass lesbian helpline	26 October 2003	Mid Day Mumbai	http://goo.gl/Xf0fj
4	Lesbian marriages, born of a legal loophole, stir debate in India	4 February 2005	DesPardes	http://goo.gl/O30Hf
5	Third sex finds a place on Indian passport forms	10 March 2005	Telegraph	http://goo.gl/nBQIt
6	Lesbian couple sparks debate in Uttar Pradesh state	9 April 2005	Sify News	http://goo.gl/9GxuF
7	The Indian city of Chennai is set to build toilets for trans people	July 2005	Pink News	http://goo.gl/52Llq
8	Homosexual gangs	3 January 2006	Pioneer	http://goo.gl/NX2NP
9	Nihal was used to homosexual sex since 1986	4 January 2006	Dainik Jagran	http://goo.gl/NX2NP
10	Ain’t no cure for love	6 June 2006	India Together	http://goo.gl/V9Vjn
11	Police bust gay party	4 February 2008	Times of India	http://goo.gl/n2nyz
12	Aligarh Muslim University professor suspended for being gay	18 February 2010	Times of India	http://goo.gl/D8LuD
13	Class monitors	8 March 2010	Outlook	http://goo.gl/Q2dkV
14	Aligarh gay professor found dead, may have killed self	8 April 2010	Times of India	http://goo.gl/FyeIz
15	AMU professor a victim of clash between ‘tradition’ and privacy	25 February 2010	The Hindu	http://goo.gl/AtiJW
16	Criminal case registered against six in gay professor case	10 April 2010	India Today	http://goo.gl/LfwDI
17	AMU Prof promised money for sex: Rickshaw-puller	19 April 2010	Times of India	http://goo.gl/aXmBz
18	Varsity paid for sting on gay professor	19 February 2010	India Today	http://goo.gl/cyQxL
19	TV channel outs gay men, women in Hyderabad	24 February 2010	NDTV	http://goo.gl/w6NG4
20	News Broadcasting Standards Authority censures TV9 over privacy violations	25 March 2011	Privacy India	http://goo.gl/rY7bT
21	In a first, Gurgaon Court recognizes lesbian marriage	29 July 2011	Times of India	http://goo.gl/70KPr

Notes

[1].Madhavi Goradia Divan, Facets of Media Law, Eastern Book Company, Lucknow, 2006.

[2].For instance, an HIV positive man’s right to marry as discussed in Mr. X v. Hospital Z, 1998 (8) SCC 296.

[3].Section 377, Indian Penal Code.

[4].(2009) 160 DLT 277.

[5].http://www.openletter377.com/, last accessed 20 October 2007.

[6].Olmstead v. U.S., 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).

[7].Cathy Harris, Outing Privacy Litigation: Towards a Contextual Strategy for Lesbian and Gay Rights, 65 Geo. Wash. L. Rev. 248.

[8].Ibid.

[9].Amita Dhanda, Constructing a New Human Rights Lexicon : Convention on the Rights of Persons with Disabilities, Year 5 No. 8 Sao Paulo June 2008.

[10].See Henry Shue, Basic Rights Subsistence Affluence and US Foreign Policy, Princeton University Press, 2nd ed. 1996.

[11].Naz Foundation v. Government of NCT, Delhi, 160 (2009) DLT 277.

[12].Ibid., 47.

[13].Ibid., 26, 83, 113.

[14].Arvind Narrain, Queer: Law and Despised Sexualities in India, Books for Change, 2004.

[15].Men who have sex with men.

[16]."Gay Club Supplied Boys to Politicians"; "Gay Culture Started in UP in 1998 Itself", The Times of India.

[17].Criminal Misc. Case No. 2054/2001, as taken from Arvind Narrain, Queer: Law and Despised Sexualities in India.

[18].AIR 1963 SC 1295; it was Justice Subba Rao’s minority decision here that laid the foundation for the right to privacy in India.

[19].1975 (2) SCC 148.

[20]. Arvind Narrain, Queer: Law and Despised Sexualities in India, Books for Change, 2004.

[21].Ibid.

[21].Alok Gupta, Section 377 and the Dignity of Indian Homosexuals, http://www.iglhrc.org/binary-data/ATTACHMENT/file/000/000/15-1.pdf, last accessed on 9 August 2011.

[22].Ibid.

[23].http://timesofindia.indiatimes.com/Mumbai/Police_bust_gay_party/articleshow/2753740.cms, last accessed on 8 August 2011.

[24].Human Rights Violations in the Transgender Community: A Report by PUCL-K, 2nd ed. 2005.

[25].http://www.guardian.co.uk/world/2008/jul/04/india-gender, last accessed on 9 August 2011.

[26].http://www.pinknews.co.uk/news/articles/2005-11518.html, last accessed on 10 August 2011.

[27].Transgender people deserve privacy, dignity, in public bathrooms, Maine Opinion, available at http://bangordailynews.com/2011/05/17/opinion/transgender-people-deserve-privacy-dignity-in-public-bathrooms/, last accessed on 20 August 2011.

[28].Transgender people deserve privacy, dignity, in public bathrooms, Maine Opinion, available at http://bangordailynews.com/2011/05/17/opinion/transgender-people-deserve-privacy-dignity-in-public-bathrooms/, last accessed on 20 August 2011.

[29].Siddharth Narrain, Being a Eunuch, available at http://www.countercurrents.org/gen-narrain141003.htm, last accessed on 20 August 2011.

[30].http://webcache.googleusercontent.com/search?q=cache:gLqrElQbWboJ:infochangeindia.org/human-rights/news/-third-sex-finds-a-place-on-indian-passport-forms.html+PASSPORT+APPLICATION+INDIA+gender&cd=4&hl=en&ct=clnk&gl=in&source=www.google.co.in, last accessed on 9 August 2011.

[31].http://passport.gov.in/cpv/ppapp1.pdf, last accessed on 9 August 2011.

[32].http://www.ndtv.com/article/india/andhra-pradesh-government-gives-in-to-sexuality-bias-71454, last accessed on 8 August 2011.

[33].Gee Ameena Suleiman, Non-Hijra Transgenders Struggle for Identity, Daily News and Analysis, available at http://www.dnaindia.com/lifestyle/report_non-hijra-transgenders-struggle-for-identity_1588421, last accessed on 25 August 2011.

[34].Arvind Narrain and Vinay Chandran, It’s Not My Job to tell you It’s okay to be Gay – Medicalisation of Homosexuality: A Queer Critique, available at http://www.altlawforum.org/gender-and-sexuality/publications/medicalizationfinal.rtf/at_download/filehttp://www.altlawforum.org/gender-and-sexuality/publications/medicalizationfinal.rtf/at_download/file, last accessed on 20 August 2011.

[35].160 (2009) DLT 277.

[36].http://www.unhcr.org/refworld/pdfid/4b6fe2110.pdf, last accessed 9 August 2011.

[37].Arvind Narrain. and Tarunabh Khaitan, Medicalisation of Homosexuality : A Human Rights Approach, as taken from Bina Fernandez (ed.), Humjinsi: A Resource Book on Lesbian, Gay and Bisexual Rights in India (New Delhi : India Centre for Human Rights and the Law, 2002).

[38].Vinay Chandran, Ain’t no cure for love, India Together, last accessed on 8 August 2011.

[39].Supra n. 32.

[40].Maya Sharma, Loving Women: Being Lesbian in Unprivileged India, Yoda Press, 2006.

[41].India: Second NGO Shadow Report on CEDAW, November 2006, available at http://www.iwraw-ap.org/resources/pdf/India%20Shadow%20report.pdf, last accessed on 10 September 2011.

[42].http://articles.timesofindia.indiatimes.com/2011-01-24/kolkata/28367047_1_girls-suicide-lesbian-couple, last accessed on 10 September 2011.

[43].http://articles.timesofindia.indiatimes.com/2011-02-22/kolkata/28624865_1_lesbian-couple-suicide-field, last accessed on 10 September 2011.

[44].Saptarshi Mandal, Right to Privacy in Naz Foundation: A Counter-Heteronormative Critique, 3 NUJS L. Rev. 2009.

[45].Vinay Sitapati, The Spectre of Naz, as available at http://www.indianexpress.com/news/the-spectre-of-naz/609695/0, last accessed on 9 August 2011.

[46].http://articles.timesofindia.indiatimes.com/2010-02-18/india/28118769_1_shrinivas-ramchandra-siras-rickshaw-puller-amu-campus, last accessed on 11 August 2011.

[47]. Arvind Narrain, et al, Policing Morality at AMU: An Independent Fact-Finding Report, available at http://www.fridae.com/newsfeatures/2010/03/10/9724.policing-morality-at-amu-an-independent-fact-finding-report?n=sea&nm=amu, last accessed on 11 August 2011.

[48].Dr. Shrinivas Ramchandra Siras & Ors v. The Aligarh Muslim University & Ors, Civil Misc. Writ Petition No.17549 of 2010.

[49].Vinay Sitapati, The Spectre of Naz, as available at http://www.indianexpress.com/news/the-spectre-of-naz/609695/0, last accessed on 9 August 2011.

[50]. Supra n. 32

[51].Lgbt-india@yahoogroups.com. This is possibly the most prolific mailing list for LGBT persons in the country, and is constantly active with atleast 4-5 mails being exchanged per day.

[52].Code of Ethics and Broadcasting Standards of the News Broadcasters Association.

[53].Code 9, Code of Ethics and Broadcasting Standards of the News Broadcasters Association.

[54].TV9 Ordered to Air Apology for Sting available at http://www.dnaindia.com/lifestyle/report_tv9-ordered-to-air-apology-for-sting_1527622, last accessed on 10 September 2011.

[55].“Introduction of constitutional law in the home … is like introducing a bull in a china shop. It will prove to be a ruthless destroyer of the marriage institution”, Rohatgi, J. in Harvinder Kaur v. Harmander Singh Choudhry, AIR 1984 Del 66.

* The author, Danish Sheikh works with the Alternative Law Forum in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/privacy-sexual-minorities

September 2011 Bulletin

praskrishna — 2012-07-30T06:34:19Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage that happened in the month of September 2011.

Researchers@Work

RAW is a multidisciplinary research initiative. CIS believes that in order to understand the contemporary concerns in the field of Internet and society, it is necessary to produce local and contextual accounts of the interaction between the Internet and socio-cultural and geo-political structures. To build original research base, the RAW programme has been collaborating with different organizations and individuals in order to focus on its two year thematic of Histories of the Internets in India. Five monographs were recently launched at a workshop, Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum held in Ahmedabad from 19 to 22 August 2011.

Re:Wiring Bodies by Asha Achuthan
The Last Cultural Mile by Ashish Rajadhyaksha
Porn: Law, Video, Technology by Namita A Malhotra
Archives and Access by Aparna Balachandran and Rochelle Pinto
Internet, Society and Space in Indian Cities by Pratyush Shankar

Digital Natives with a Cause?

Digital Natives with a Cause? is a knowledge programme initiated by CIS, India and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

Featured Publication

Digital AlterNatives with a Cause? - This collaboratively produced collective, edited by Nishant Shah and Fieke Jansen, asks critical and pertinent questions about theory and practice around ‘digital revolutions’ in a post MENA (Middle East - North Africa) world. It works with multiple vocabularies and frameworks and produces dialogues and conversations between digital natives, academic and research scholars, practitioners, development agencies and corporate structures to examine the nature and practice of digital natives in emerging contexts from the Global South.

Book Review

Digital (Alter)Natives with a Cause? — Book Review by Maarten van den Berg - The books come in a beautifully designed cassette and are accompanied by a funky yellow package in the shape of a floppy disk containing the booklet ‘D:coding Digital Natives’, a corresponding DVD, and a pack of postcards portraying the evolution of writing - in the sentence ‘I love you’, written with a goose feather in 1734, to the character set ‘i<3u’ entered on a mobile device in 2011, writes Maarten van den Berg. The review was published in "The Broker" on 19 September 2011.

Event Organised

Digital AlterNatives book launch – CIS and Hivos launched this book at the Museum for Communication, Hague on 16 September 2011.

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

Event Participated

Stakeholders Meeting of the USOF on Facilitating ICT Access to Persons with Disabilities in Rural Areas, on 7 September 2011. Nirmita Narasimhan made a presentation.

Access to Knowledge

Access to Knowledge is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents, and trademarks, which are an important part of the digital landscape. CIS believes that access to knowledge and culture is essential, and such access promotes creativity and innovation, and helps bridge the differences between the developing and developed worlds in a positive manner. Towards this end, CIS is campaigning for an international treaty on copyright exceptions for print-challenged people, advocating against laws (such as the PUPFIP Bill) that privatize public-funded knowledge, call for the WIPO Broadcast Treaty to be restricted to broadcast, question the demonization of 'pirates', and support endeavours that explore and question the current copyright regime.

New Blog Entries

Copyright Amendment Bill in Parliament by Nirmita Narasimhan, 30 August 2011.
Photocopying the past by Sunil Abraham in the Indian Express, 2 September 2011.
Calling Out the BSA on Its BS by Pranesh Prakash, 9 September 2011.

Internet Governance

Internet technologies have fundamentally questioned the notion of governance, not only at the level of administration but also at the level of mechanisms of control, regulation and shaping of the individual. e-Governance initiatives, in combination with other regimes of surveillance, control and censorship, are redefining what it means to be a citizen, a subject, and an individual. We look at questions of governance — at the micro level of the individual and the private (family, relationships, community structures, etc.) as well as the level of governmentality — at the macro level of nation state, citizenship, market economies, and the public (spaces of consumption, work, leisure, political engagement, etc.) under the umbrella of digital governance.

New Blog Entry

Understanding the Right to Information by Elonnai Hickok, 28 September 2011.

Events Organised

Using the Internet as a Tool for Political Change: Lessons Learned and Way Forward, IGF, Nairobi, 27 September 2011.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum. It is imperative to resolve these issues in the common interest of users and service providers.

Articles by Shyam Ponappa

Shyam Ponappa is a Distinguished Fellow at CIS. He writes regularly on Telecom issues in the Business Standard and these articles are mirrored on the CIS website.

Reviving Growth, published in the Business Standard on 1 September 2011.

Event Organised

Open Spectrum for Development in the Context of the Digital Migration, IGF, Nairobi, 29 September 2011.

Miscellaneous

Film Screening

Screening of Partners in Crime, Vikalp@Smriti Nandan along with CIS screened the film and followed it with a discussion with the director of the film, Paromita Vohra, Smriti Nandan Cultural Centre, 9 September 2011.
Prime Security: The Mathematics of RSA Encryption, a one-day workshop with Rohit Gupta, a leading Mathematician.

News & Media Coverage

India's social media "spring" masks forgotten protests [Alistair Scrutton in Reuters, 25 August 2011].
Social media holds the key to Hazare's campaign success [Alistair Scrutton in NEWS.scotsman.com, 26 August 2011].
Digital divide: Why Irom Sharmila can’t do an Anna [FirstPost.Ideas, 25 August 2011].
When revolutions go viral [Times of India (Crescent Edition), 27 August 2011].
IBSA Seminar on Global Internet Governance, organised by the Brazilian Ministry of External Relations, with support from the Brazilian Internet Steering Committee (CGI.br) and the Center for Technology & Society (CTS/FGV) and governmental and non- governmental actors from India, Brazil and South Africa, 1 to 2 September 2011, Fundacao Getulio Vargas (FGV) - Rio de Janeiro, Brazil. Pranesh Prakash participated in this event.
Copyrights Amendment Bill to Be Tabled in Indian Parliament – Parallel Import provisions have Been Removed [Mike Palmedo in infojustice.org, 5 September 2011]
The Power of Information: New Technologies for Philanthropy and Development [Indigo Trust, 15 September 2011]. Sunil Abraham participated in this event. A video of his speech is now available on YouTube.
Planning Commission, Census 2011 and India Post using social media to understand people's pulse better [Vikas Kumar in the Economic Times, 20 September 2011]
The Impact of Regulation: FOSS and Enterprise, organised by FOSSFA and ICFOSS, IGF, Nairobi, 28 September 2011.
Privacy, Security, and Access to Rights: A Technical and Policy Analyses, organised by Expression Technologies, IGF, Nairobi, 29 September 2011.
Putting Users First: How Can Privacy be Protected in Today’s Complex Mobile Ecosystem?, organised by GSM Association, 29 September 2011.
The Truman Show, in Kerala [Times of India, posted on CIS website on 23 September 2011].
Making a difference, online and offline [LiveMint, 27 September 2011].

Follow us elsewhere

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/september-2011-bulletin

IISc students boycott UID, don’t want Big Brother to keep watch

praskrishna — 2011-08-23T08:24:14Z

The programme doesn’t have statutory backing. It is still in parliament

Nandan Nilekani may be Bangalore’s blue-eyed boy making waves at the national level with his Unique Identification Number (UID), but there’s one part of the city that’s not impressed: A section of students and faculty of Indian Institute of Science (IISc).

While many Bangaloreans have started enrolling for UID, the students are in boycott mode and say they will never do so.

Professor Shiv Sethi, astrophysics department, Raman Research Institute, said, “They (the authorities) have moved faster than us by starting the enrolment. It was during the discussion phase that we tried to impress upon them the loopholes of UID. Now that they have started the enrolment, it’s our turn to protest. We will meet and discuss with other like-minded people.”

IIScians say they don’t want to be under surveillance and that they are not comfortable with giving away their personal details since studies have proved how unsafe electronic data can be. The programme has been scrapped in the UK, they said.

In fact, when Nilekani visited IISc a few months back to deliver a lecture, the anti-UID group protested with placards and banners that read, ‘Beware, Big Brother is watching you’ and ‘Secure electronic archive is a myth’.

And now, apart from not signing up, some students are even considering burning copies of UID forms, a la team Anna burning copies of the draft Lokpal bill.

Prathamesh, a scholar, said: “UID is not going to solve problems of leakages. The government should universalise the PDS system to control misuse of subsidised foodgrain that find their way to restaurants. The project is fraught with loopholes and doesn’t have statutory backing. I will burn copies of the forms.”

Prathamesh added that the UID project was the brainwave of software companies who do not have a regular stream of revenue.

Even IISc alumni are putting up a fight. One of them who participated in the protest said, “I will not register. The programme does not have statutory backing. It is still in parliament. First, they said it was voluntary. Now, they are trying to link it to banks, LPG connections and other utilities.”

Sethi added, “A few people have approached the court. We will decide the next course of action.”

There are others who have doubts. Consumer activist Chandrasekhar of Malle-swaram feels that he needs to clarify all his doubts before enrolling. “I spoke with the officials. They told me it was voluntary. But now, it looks like they are linking it with other utilities.”

Nishant Shah, director, research, Centre for Internet Society, said, "We need to check for three issues: data retention, data protection and data privacy. Only after these issues are resolved can we have a UID for every citizen."

This article by Sameer Ranjan Bakshi was published in the Bangalore Mirror on August 23, 2011. The original story can be read here.

For more details visit https://cis-india.org/news/iisc-students-boycott-uid

IP Addresses and Expeditious Disclosure of Identity in India

Prashant Iyengar — 2012-12-14T10:20:59Z

In this research, Prashant Iyengar reviews the statutory mechanism regulating the retention and disclosure of IP addresses by Internet companies in India. Prashant provides a compilation of anecdotes on how law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Over the past decade, with the rise in numbers of users, the internet has become an extremely fraught site that has been frequently used in India for the perpetration of a range of 'cyber crimes' — from extortion to defamation to financial fraud. In a revealing statistic, in 2010, the Mumbai police reportedly "received 771 complaints about internet-related offences, 319 of which were from women who were the victims of fake profiles, online upload of private photographs and obscene emails."[1]

Law enforcement authorities in India have not exactly lagged behind in bringing these new age cyber criminals to book, and have installed special ‘Cyber crime cells’ in different cities to combat crimes on the internet. These cells have been particularly adept at using IP Addresses information to trace individuals responsible for crimes. Very briefly, an Internet Protocol address (IP address) is a numeric label – a set of four numbers (Eg. 202.54.30.1) - that is assigned to every device (e.g., computer, printer) participating on the internet. [2] Website operators and ISPs typically maintain data logs that track the online activity of each IP address that accesses their services. Although IP Addresses refer to particular computers – not necessarily individual users – it is possible to trace these addresses backwards to expose the individual behind the computer. [3] As even a casual Google search with the phrase “IP, police, India” would reveal, police authorities in different cities in India have been quite successful in employing this technology to trace culprits.

However, along with its utility in the detection of crime, the tracking of persons by their IP addresses is potentially invasive of individuals’ privacy. In the absence of a culture of strict adherence to the ‘rule of law’ by the police apparatus in India, the unbridled ability to track persons through IP addresses has the potential of becoming an extremely oppressive tool of surveillance.

In this short note, we review the statutory mechanism regulating the retention and disclosure of IP addresses by internet companies in India. In order to provide context, we begin with a compilation of anecdotes on how various law enforcement authorities in India have used IP address information to trace individuals responsible for particular crimes.

Examples of use and abuse by Indian authorities

As mentioned above, the online media has been humming with stories which indicate the extent to which IP Addresses has become a useful and frequently deployed weapon in the arsenal of law enforcement agencies:

In May 2010, an Army officer stationed in Mumbai was arrested for distributing child pornography from his computer. [4] He was traced by the Mumbai Police after the German Federal Police alerted Interpol that objectionable pictures were being uploaded from the IP address he was using.
In February 2011, Cyber Crime Police in Mumbai sought IP address details of a user who had posted ‘Anti Ambedkarite’ content on Facebook – the popular social networking site. [5]
In February 2008, internet search company Google was ordered by the Bombay High Court to reveal "particulars, names and the address of the person" who had posted defamatory content against a company on Google’s blogging service Blogger.[6]
In September 2009, a man was arrested by the Delhi Police in Mumbai for blackmailing classical musician Anoushka Shankar. The culprit had allegedly hacked into her email account and downloaded copies of personal photographs. He was traced by using his IP address.[7]
In April 2010, Gurgaon Police arrested a teenage boy for allegedly posting obscene messages about an actress on Facebook. The newspaper account reports that "During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer." [8]
In February 2011, the police traced a missing boy who had run away from home, by following the IP address trail he left when he updated his Facebook profile status. [9]

What is clearly evident from these accounts is a growing awareness and enthusiasm on the part of Indian law enforcement agencies to use IP address trails as a routine part of their criminal investigative process. While this is not unwelcome, considering the kinds of grievances listed above and the backdrop a dismal record of criminal enforcement in India, there is also a flip side. In a shocking incident in August 2007, Lakshmana Kailash. a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. [10] The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and jailed for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages.[11] This incident sounds a cautionary note, amidst so many celebratory accounts, signalling that grave human rights abuses could result from the unchecked use of this technology.

These are just seven out of scores of instances of Indian investigative authorities tracing culprits using IP addresses. The crimes range from blackmail to impersonation, to defamation to planning terror attacks. Seldom in these cases has a court order actually been required by the agency that discloses the IP address of the individual.[12] Clearly there seems to be a very easy relation between law enforcement agencies in India one the one hand, and Internet Service Providers and online services such as Google and Facebook on the other.

Google’s own ‘Transparency Report’[13] which provides statistics on the number of instances where Governments agencies have approached the company demanding information or take-down, states that that it received close to 1700 ‘data requests’ from Indian authorities between January to June 2010 – ranking India 3rd globally in terms of such requests behind the United States and Brazil. That a high percentage – 79% - of these requests have been complied with indicate that within a short span of time, ‘Indian authorities’ have discovered in Google, a reliable and pliable ally in seeking information about their subjects. In 2007, Orkut -a social-networking site owned by Google- even entered into a co-operation agreement with the Mumbai police in terms of which “'forums' and 'communities'” which contained “defamatory or inflammatory content” would be blocked and the IP addresses from which such content has been generated would be disclosed to the police. [15]

Although similar transparency reports are not forthcoming from the other Internet giants such as Yahoo or Facebook, one may presume that this co-operation has not been withheld by them. [16]

In the sections that follow, we outline the legal framework that facilitates this co-operation between law enforcement authorities and web service providers.

Lawful disclosure of IP Addresses

In this section, we are seeking a legal source for the compulsion of ISPs and intermediaries (including websites) to disclose IP Address data. Are there guidelines in Indian law on how much information must be disclosed, under what circumstances and for how long?

Broadly, there are four sources to which we may trace this regime of disclosure and co-operation. Firstly, ISPs are required, under the operating license they are issued under the Telegraph Act, to provide assistance to law enforcement authorities. Secondly, the Information Technology Act contains provisions which empower law enforcement authorities to compel information from those in charge of any ‘computer resources’. Reciprocally, ‘intermediaries’ – including ISPs and websites - are charged under new Rules under the IT Act with co-operating with government agencies on pain of exposure to financial liability. Thirdly, the Code of Criminal Procedure defines the scope of police powers of investigation which include powers to interrogate and summon information and Fourthly, individual subscribers enter into contracts with ISPs and web services which do not offer any stiff assurances of privacy with regard to the IP Address details.

The sections that follow offer greater detail on each of these areas of the law.

Monitoring of internet users under the ISP licenses

ISPs are regulated and operate under a license issued under the Telegraph Act 1885. Section 5 of the Telegraph Act empowers the Government to take possession of ‘licensed telegraphs’ and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence."

Although the statute governs the actions of ISPs in a general way, more detailed guidelines regulating their behaviour are contained in the terms of the licenses issued to them which set out the conditions under which they are permitted to conduct business. The Internet Services License Agreement (which authorizes ISPs to function in India) contains provisions requiring telecom operators to safeguard the privacy of their consumers or to co-operate with government agencies when required to do so. Some of the important clauses in this agreement are:

Part VI of the License Agreement gives the Government the right to inspect/monitor the ISPs systems. The ISP is responsible for making facilities available for such interception.
Clause 32 under Part VI contains provisions mandating the confidentiality of information held by ISPs. These provisions hold ISPs responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place. Towards this, ISPs are required:

to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavours to secure that :
to ensure that no person acting on behalf of the ISPs divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and
This safeguard however does not apply where (i) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or (ii) The information is already open to the public and otherwise known.
To take necessary steps to ensure that any person(s) acting on their behalf observe confidentiality of customer information.

Clause 33.4 makes it the responsibility of the ISP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.
Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.
Clause 34.12 and 34.13 requires the ISP to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.
Clause 34.16 requires the ISP to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.
Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.
Clause 34.23 mandates that the ISP maintain "all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor".
Clause 34.28 (viii) forbids the ISP from transferring the following information to any person/place outside India:

Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and
User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

Clause 34.28(ix) and (x) require the ISP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.
Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well).

From the list above, it is very clear that by the terms of their licenses, ISPs are required to maintain extensive logs of user activity for unspecified periods. However, it is unclear, in practice, to what extent these requirements are being followed by ISPs. For instance, an article in the Economic Times in December 2010 [18] reports:

"The Intelligence Bureau wants internet service providers, or ISPs, to keep a record of all online activities of customers for a minimum of six months. Currently, mobile phone companies and internet service providers do not keep online logs that track the web usage pattern of their customers. They selectively monitor online activities of only those customers as required by intelligence and security agencies, explained an executive with a telecom company." (emphasis added)

The news report goes on to disclose the ambitious plans of the Intelligence Bureau to “put in place a system that can uniquely identify any person using the internet across the country” through “a technology platform where users will have to mandatorily submit some form of an online identification or password to access the internet every time they go online, irrespective of the service provider.” Worryingly, the report goes on to discuss the setting up by the telecommunications department of “India's indigenously-built Centralised Monitoring System (CMS), which can track all communication traffic—wireless and fixed line, satellite, internet, e-mails and voice over internet protocol (VoIP) calls—and gather intelligence inputs. The centralised system, modeled on similar set-ups in several Western countries, aims to be a one-stop solution as against the current practice of running several decentralised monitoring agencies under various ministries, where each one has contrasting processing systems, technology platforms and clearance levels.” Although as of this writing, this CMS is not yet fully functional, its launch seems to be imminent and will inaugurate with it, an era of constant and continuous surveillance of all internet users.

Provisions under the IT Act 2000

The IT Act enables government agencies to obtain IP Address details from intermediaries, including ISPs, by following a stipulated procedure. In addition, it enjoins intermediaries to co-operate with law enforcement agencies as a part of their due-diligence behaviour.

In a parallel, seemingly conflicting move, the IT Act also requires intermediaries to observe stiff Data Protection norms. In the sub-sections that follow, we look at each of these various provisions under the IT Act.

Interception and Monitoring of computer resources

There are two regimes of interception and monitoring information under separate sections the Information Technology Act. Both would seem capable of authorising access of IP Addresses, among other information to government agencies.

Section 69 deals with “Power to issue directions for interception or monitoring or decryption of any information through any computer resource”.

In addition, the Government has been given a more generalised monitoring power under Section 69B to “monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource”. This monitoring power may be used to aid a range of “purposes related to cyber security.”[19] “Traffic data” has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.”

Rules have been issued by the Central Government under both these sections which are similar, although with important distinctions. These rules stipulate the manner in which the powers conferred by the sections may be exercised.

The important difference between the two sections is that while Section 69 provides a mechanism whereby specific computer resources can be monitored in order to learn the contents of communications that pass through such resource, Section 69B by contrast provides a mechanism for obtaining ‘meta-data’ about all communications transacted using a computer resource over a period of time – their sources, destinations, routes, duration, time etc without actually learning the content of the messages involved. The latter type of monitoring is specifically in order to combat threats to ‘cyber security’, while the former can be invoked for a number of purposes such as the securing of public order and criminal investigation. [21]

However, this distinction is not very sharp – an interception order under Section 69 directed at a computer resource located in an ISP can yield traffic data in addition to the content of all communications. Thus for instance, if a direction was passed ordering my ISP to intercept “all communications sent or received by Prashant Iyengar”, the information obtained by such interception would include a resume of all emails exchanged, websites visited, files downloaded etc. In such a case, a separate order under Section 69B would be unnecessary. An important clue about their relative importance may lie in the different purposes for which each section may be invoked coupled with the fact that while directions under Section 69 can be issued by officers both at the central and state level, directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. [22] This indicates that the collection of traffic data by the government under Section 69B is intended to facilitate the securing of India’s ‘cyber security’ from possible external threats – a Defence function – while the interception powers under Section 69 are to be exercised for more domestic purposes as aids to Police functions.

The rules framed under Section 69 and Section 69B contain important safeguards stipulating, inter alia, to a) Who may issue directions b) How are the directions to be executed c) The duration they remain in operation d) to whom data may be disclosed e) Confidentiality obligations of intermediaries f) Periodic oversight of interception directions by a Review Committee under the Telegraph Act g)maintenance of records of interception by intermediaries h) Mandatory destruction of information in appropriate cases.

Although these sections provide powerful tools of surveillance in the hands of the state, these powers may only be exercised by observing the rather tedious procedures laid down. In the absence of any data on interception orders, it is unclear to what extent these powers are in fact being used in the manner laid down. Certainly, from the instances cited in the beginning of this paper, the police departments in the various states do not seem to need to invoke these powers in order to obtain IP Address information from ISPs or websites. This information appears to be available to them merely for the asking. How do we account for this unquestioning pliancy on the part of the ISPs?

In February 2011, Reliance Communications, a large telecom service provider disclosed to the Supreme Court that over a hundred and fifty thousand telephones had been tapped by it between 2006 and 2010 – almost 30,000 a year. A majority of these interceptions were conducted based on orders issued from state police departments whose legal authority to issue them is suspect. New rules framed under the Telegraph Act in 2007 required such orders to be issued only by a high-ranking Secretary in the Department/Ministry of Home Affairs. [23] The willing compliance by Reliance with the police’s requests indicates both their own as well as the police’s blithe unawareness about the change in the regime governing tapping. Things seem to have continued just as before through pure inertia.

To return to the question about why ISPs comply with police requests, it is conceivable that this same inertia, and an intuitive confidence both on the part of the police and the ISPs that they would not be made to answer for their disclosures, is what explains the ready and expeditious access that ISPs give police departments to IP Address details. In the next sub-section we examine intermediary liability rules which require intermediaries to positively disclose personal information to law enforcement authorities.

Data Protection Rules

Section 43A of the IT Act obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which, they would be liable to compensate those affected by any negligence attributable to this failure.

In April 2011, the Central Government notified rules under section 43A of the Information Technology Act in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold. Since traffic data including IP Address data is one kind of personal information that ISPs hold, and since all ISPs are ‘body corporates’, these rules apply to them equally and define the terms on which they may deal with such information.

Rule 3 of these Rules designates various types of information as ‘sensitive personal information’ including passwords, medical records etc.[25] Significantly, for the purposes of this paper, IP address details are not included in this list.

Body Corporates are forbidden from collecting any information without prior consent in writing for the proposed usage. Further, Sensitive personal information may not be collected unless - (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and (b) the collection of the information is necessary for that purpose. [Rule 5]

Rule 4 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” including on a website. The policy must provide the following details:

Clear and easily accessible statements of its practices and policies;
Type of personal or sensitive information collected;
Purpose of collection and usage of such information;
Disclosure of such information as provided in rule 6 [27]
Reasonable security practices and procedures as provided under rule 8.

Rule 6 enacts as a general rule that disclosure of information “by the body corporate to any third party shall require prior permission from the provider of such information”. Consent is, however, not required, “where disclosure is necessary for compliance of a legal obligation”. This is further fortified by a proviso to the rule which stipulates the mandatory sharing of information “without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.” In such a case, the Government agency is required to “send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information.” The government agency is also required to “state that the information thus obtained will not be published or shared with any other person.” [28]

Sub Rule (2) of Rule 6 requires “any Information including sensitive information” to be “disclosed to any third party by an order under the law for the time being in force.” This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

Rule 8 requires body corporates to implement documented security standards such as the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System”.

What is curious about these rules is that its provisions, particularly those relating to lawful disclosure, appear to go much further than the limited purpose authorised by section 43A under which they are framed. Section 43A is intended only to fix liability for the negligent disclosure of information by body corporates which results in wrongful loss. It is not intended to inaugurate a regime of mandatory disclosure, as the Rules attempt to do. In positively requiring, body corporates to disclose information upon a mere request by any ‘government agency’, these rules attempt to create a parallel, much softer mechanism by which the same information that is dealt with under Sections 69 and 69A and rules framed under them can be accessed by a far wider range of governmental actors.

Even more curious is the fact that the only legal consequence to the ISP for its negligence in disclosing information to government agencies as stipulated in the rules is that it exposes itself to possible civil liability from the ‘person affected’. [29] Thus, conceivably, if an ISP failed to disclose IP Address data of its users to the police at the instance of, say, targets of online financial fraud, they can be sued by the victims of such fraud. With no incentive to assume this ridiculous burden, it is foreseeable that ISPs would hasten to comply with every request for information from a government agency– however whimsically issued.

Intermediary Due Diligence

Section 79 of the IT Act makes intermediaries, including ISPs liable for third party content hosted or made available by them unless they observe ‘due diligence’, follow prescribed guidelines and disable access to any unlawful content that is brought to their attention. Rules were notified under this section in April 2011 which defined the ‘due diligence’ measures they were required to observe. [30]

Accordingly, ISPs are required to forbid users from publishing, uploading or sharing any information that:

belongs to another person and to which the user does not have any right to;
is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
harm minors in any way;
infringes any patent, trademark, copyright or other proprietary rights;
violates any law for the time being in force;
deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
impersonates another person;
contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

Upon being notified by any ‘affected person’ who objects to such information in writing, the ISP is required to “act within thirty six hours and where applicable, work with user or owner of such information to disable such information”. [31]

Further, “when required by lawful order”, the ISP, website or any other intermediary “shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.”

Visible here is the same attempt at subversion of Sections 69 and 69B as discussed in the previous section under the Data Protection Rules. Failure to observe these ‘due diligence’ measures – including disclosure of IP Address details – would expose ISPs and web-services like Google and Facebook to civil liability under Section 79, a risk they would not likely or lightly wish to assume.

Police powers of investigation

Apart from the provisions under the IT Act, to what extent are the police in India empowered under the Criminal Procedure Code to simply requisition information - including IP Addresses of suspects - from ISPs and Websites? In the course of routine investigation into other offences, the police have wide powers to summon witnesses, interrogate them and compel production of documents. Can these powers be invoked to obtain IP Address information? Are ISPs and Websites somehow immune from complying with these requirements?

Section 91 of the Code of Criminal Procedure empowers courts or police officers to call for, by written order, the production of documents or other things that are “necessary or desirable” for the purpose of “any investigation, inquiry, trial or other proceeding under the Code”.

Sub-section 3 of this section however limits the application of this power by exempting any “letter, postcard, telegram, or other document or any parcel or thing in the custody of the postal or telegraph authority.” Such documents can only be obtained under judicial scrutiny by following a more rigorous procedure laid down in Section 92. Under this section, it is only if a “District Magistrate, Chief Judicial Magistrate, Court of Session or High Court” is of the opinion that “any document, parcel or thing in the custody of a postal or telegraph authority is.. wanted for the purpose of any investigation, inquiry, trial or other proceeding under this Code” that such document, parcel or thing can be required to be delivered to such Magistrate or Court.

However the same section empowers lesser courts and officers such as “any other Magistrate, whether Executive or Judicial, or of any Commissioner of Police or District Superintendent of Police” to require “the postal or telegraph authority, as the case may be .. to cause search to be made for and to detain such document, parcel or thing” pending the order of a higher court.

Section 175 makes it an offence for a person to intentionally omit to produce a document which he is legally bound to produce. In case the document was to be delivered to a public servant or police officer, such omission is punishable with simple imprisonment of up to one month, or with fine up to five hundred rupees or both. If the document was to be delivered to a Court of Justice, omission could invite simple imprisonment up to six with or without a fine of one thousand rupees.

In the context of our discussion on IP Addresses, the following questions emerge:

Are ISPs “telegraph authorities” so that the police are ordinarily prohibited from requisitioning information from them without obtaining orders from a court.
Similarly are Webmail and social networking sites “telegraph or postal authorities” so that securing information from them requires the following of the special procedure laid down in Section 92

Section 3(6) of the Indian Telegraph Act, 1885 defines "telegraph authority" as “the Director General of [Posts and Telegraphs], and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act”. This would seem to exclude all private sector ISPs from the definition, presumably opening them up to ordinary summons issued under Section 91.

However, Section 3(2) defines a "telegraph officer" to mean “any person employed either permanently or temporarily in connection with a telegraph established, maintained or worked by [the Central Government] or by a person licensed under this Act;” Under this section, employees of private ISPs such as Airtel would also be regarded as “telegraph officers” and if we can extend this logic, with some interpretative work, the ISPs themselves might be regarded as “telegraph authorities”. In the absence of definite rulings by the judiciary on this question, however, the ordinary presumption would be that private ISPs are not “telegraph authorities” and are answerable, like all private companies, to requisitions made under Section 91.

This leaves open the question of whether a government company like BSNL would count as a ‘telegraph authority’. If it is, then it would put internet communications conducted through BSNL on a more secure footing than through other ISPs. As things stand, however, it appears that BSNL seems to be extending its co-operation to the police in tracking mischief online , in the same manner as other ISPs.

The second question is relatively more straightforward. The definition of “Post Office” in the Indian Post Office Act 1898 restricts its meaning to “the department, established for the purposes of carrying the provisions of this Act into effect and presided over by the Director General [of Posts and Telegraphs]” (Section 2k). Despite their primary functions as email providers, it seems unlikely that any magistrate would interpret webmail providers like Hotmail and Google as “postal authorities” so as to be immune from police summonses under Section 91. Such an interpretation would, nevertheless, be in keeping with the spirit of the postal exemptions, since these sections seem to be aimed at requiring judicial oversight before the privacy of communications may be disturbed. It would be fitting for an amendment to be introduced to the Code of Criminal Procedure to update these sections in line with new technological developments.

Before parting with this section, it must be asked whether the procedure under the IT Act or the CrPC must be followed. Section 81 of the Information Technology Act unequivocally declares that act to have “overriding effect” “notwithstanding anything inconsistent therewith contained in any other law for the time being in force.” This seems to suggest that at least with respect to interception of electronic communications and obtaining traffic data, the provisions of the CrPC would be overridden by the procedure laid down by the rules under the IT Act. The evidence from the practice of the Indian police routinely obtaining IP Address from web service providers and ISPs seems to suggest that the IT Act has not been invoked in these transactions. This is a trend that is likely to continue until their legality is questioned in a court of law.

Subscriber Contracts with web service providers

In addition to statutory provisions mandating the disclosure of IP Address information, such disclosure may also be permissible by the terms under which individual websites provides their services. Two examples would suffice here:

Google’s privacy policy which governs its full range of services from its popular search service to Gmail, as well as the groups and blogging services, states that the company will disclose personal information inter alia if

"We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

Information collected by Google includes server logs which include the following information: "your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account." [34]

Similarly, social networking site Facebook contains an equally expansive ‘lawful disclosure’ clause in its Privacy Policy [35] which states that the company will disclose information:

"To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."

Information collected by Facebook includes information about the device (computer, mobile phone, etc) about your browser type, location, and IP address, as well as the pages visited. [36]

Examples of such clauses abound and it would be fair to assume that almost every corporate website one visits has analogously worded terms of service permitting ‘lawful disclosure’. This contractual backdoor negatives any expectation of absolute privacy of IP Address details that one might mistakenly have harboured.

Conclusion

As indicated in the introduction, IP addresses have proven to be a dependable way for the police in India to track down a range of cyber-criminals – from financial frauds, to vengeful spurned-lovers, to blackmailers and terrorists. The novelty of ‘cyber crimes’, as well as the relative high-tech ease of their resolution makes for attractive press, and offers an inexpensive way for police departments to accrue some credibility and goodwill for themselves. So long as the police track down genuine culprits, the question of privacy violations will necessarily remain suppressed since, in the words of the Supreme Court “the protection [of privacy] is not for the guilty citizen against the efforts of the police to vindicate the law." [37] However it is the possibility of an increase in egregious cases such as those of Lakshmana Kailash, mentioned above, wrongfully jailed for 50 days on account of a technical error, that reveals the pathologies of the unchecked system of IP Address disclosure that prevails today.

Legal regimes in the West have largely been indecisive about whether to characterize the maintenance of IP Address logs as handmaids for Orwellian thought-policing, or merely as implements that aid the apprehension of cyber criminals who have no legitimate expectation of privacy. Their laws typically come with procedural safeguards such as mandatory notices to affected persons [38], and judicial review which greatly mitigate the severity of these disclosures when they do occur.

Far from incorporating such safeguards, the various layers of Indian law create an atmosphere that is intensely hostile to the withholding of such information by ISPs and intermediaries. Overlapping layers of regulation between the Telegraph Act and the IT Act, and the conflict among various rules under the IT Act have created a climate of such indeterminacy that immediate compliance with even the most capricious of information demands by any government agency is the only prudent recourse for ISPs and other intermediaries. The DoT has issued a circular requiring the registration of public and domestic wifi networks to facilitate greater precision in tracking individuals behind IP Addresses. [39] For the same purpose, new Cyber Café Rules under the IT Act require extensive registers and logs to be maintained that track the identity of every user and the websites they have visited. [40] And if the full ambitions of the Unique Identity Numbering Scheme and the Centralised Monitoring System are realized, we will shortly be headed for exactly the kind of persistent surveillance society that Orwell wrote so fondly about.

The Indian judiciary, which could have played a counterbalancing role to the legislature’s apathy towards privacy and the executive’s increasingly totalitarian tendencies, has so far not risen to the challenge. The Supreme Court has repeatedly condoned the obtaining of evidence through illegal means, [41] and this has rendered the requirement of adherence to procedural due process by the police merely optional. This guarantee of judicial inaction in the face of executive illegality will be the biggest stumbling block to the securing of privacy – despite the occasionally good intentions of the legislature.

So, in the absence of a general assurance of privacy of our internet communications, where does one look to for hope? I would venture to suggest that there are four sources of optimism:

Notwithstanding the iron determination of the Central Government to install a panoptic communication surveillance system, the realization and smooth functioning of these technocratic fantasies will depend on the reconfiguration of the relative powers of various ministries at the Central Level– chiefly the Ministry of Communications and Information Technology and the Home Ministry – and between the Centre and the State. One can rely, one feels, on the unwillingness of various ministries to cede their powers to forestall or at least delay or diminish the execution of this project. The success of the technology, in other words, is not as much in doubt as the success of the politics. Privacy will triumph in this ‘failure’ of politics. I advance this point naively and with only the slightest sense of irony.
Another ironic point : I suggest the ingenious and very Indian phenomena of inefficiency and ignorance as robust privacy safeguards. How does one account for the fact that despite heavily worded and repeated invocations of disclosure requirements in the ISP licenses for almost a decade, it was not until December 2010 that the Home Ministry tentatively suggests to ISPs that IP records must be kept for a minimum of six months? This despite the fact that the ISP license itself requires that such records be kept for one year. How does one explain the unanimous blinking astonishment of the industry at this suggestion, other than they expected never to have to implement it? Or that the extensive logs that cyber café owners are required to maintain about their clientele are seldom checked? [43] In India it seems to be an unstated element of the business climate that one can reliably depend on the non-enforcement of contractual clauses. Sometimes this inefficiency on the part of the state has inadvertent privacy-preserving effects.
The power of the state to rely on IP Addresses depends on the availability of global internet behemoths such as Microsoft, Google, Facebook and Yahoo who are vulnerable to bullying in order to maintain their transnational empires. In each of the success stories mentioned at the start of this paper, IP Address details were obtained from one of the big companies named, from which the lesson that emerges is that our ability to retain our anonymity will depend on our ability to find smaller, non-Indian substitutes who have nothing to fear from Indian authorities. In June 2010, for instance, the Cyber Crime Police Station, Bangalore sent a notice under Section 91 of the CrPC to the manager of BloggerNews.Net (BNN) seeking the IP Address and details of a user who had allegedly posted “defamatory comments” on BNN about an Indian company called E2-Labs. The manager of BNN bluntly refused to comply stating: “our policy is not to give out that information, BNN holds peoples privacy in high esteem.”[44] The lesson here is that in the future, the ability of Indians to preserve their online ‘privacy’ and freedom of speech will depend on their being able to find sufficiently small overseas clients to host their speech. Conflict of Laws rather than domestic legislation is a more reliable guarantor of privacy.

Notes

[1].Hafeez, M., 2011. A tangled web of vengeance. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-03-28/mumbai/29353669_1_boyfriend-social-networking-police-officer [Accessed June 21, 2011].

[2].Adapted from the Wikipedia entry on IP Address.

[3].McIntyre, Joshua J., Balancing Expectations of Online Privacy: Why Internet Protocol (IP) Addresses Should be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011. Available at SSRN: http://ssrn.com/abstract=1621102 [Accessed June 21, 2011] .

[4].Anon, 2010. Army officer held in city for child porn -. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-05-08/mumbai/28292650_1_hard-disks-obscene-clippings-downloading [Accessed June 15, 2011].

[5].Anon, 2011. Anti-Ambedkar page on Facebook blocked. Hindustan Times. Available at: http://www.hindustantimes.com/Anti-Ambedkar-page-on-Facebook-blocked/Article1-663383.aspx [Accessed May 24, 2011].

[6].Sarokin, David. Google Ordered to Reveal Blogger Identity in Defamation Suit in India:Gremach Infrastructure vs Google India [Internet]. Version 5. Knol. 2008 Aug 15. Available from: http://knol.google.com/k/david-sarokin/google-ordered-to-reveal-blogger/l9cm7v116zcn/7.

[7].Anon, 2009. Mumbai: Man held for blackmailing Anoushka Shanka. Rediff.com. Available at: http://news.rediff.com/report/2009/sep/20/police-arrest-man-for-blackmailing-anoushka-shankar.htm [Accessed May 24, 2011].

[8].Anon, 2010. Cyber cell nets Delhi teen for lewd online posts - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011].

[9].Hafeez, M., 2011. Police find runaway student “online” - Times Of India. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2011-02-17/mumbai/28554314_1_social-networking-networking-site-sim-card [Accessed June 21, 2011].

[10].Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[11].Ibid.

[12].This is not atypical. In the US, for instance, as Joshua McIntyre writes, “While various federal statutes protect similar data such as telephone numbers and mailing addresses as Personally Identifiable Information (PII), federal privacy law does not generally regard IP addresses as information worthy of protection. It has, therefore, become commonplace for litigants to subpoena ISPs to unmask online speakers. Many ISPs have no reason to fight these subpoenas and readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to the subscriber. Even when courts become involved, a full consideration of the online speaker’s privacy interests is far from certain” Joshua McIntyre, supra note 3 at p.5.

[13].Anon, 2011. User Data Requests - India. Google Transparency Report. Available at: http://www.google.com/transparencyreport/governmentrequests/IN/?p=2010-12&p=2010-12&t=USER_DATA_REQUEST&by=PRODUCT [Accessed June 29, 2011].

[14].Ibid.

[15].Anon, 2007. Orkut’s tell-all pact with cops. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2007-05-01/news/28459689_1_orkut-ip-addresses-google-spokesperson [Accessed June 15, 2011].

[16].In June 2011, Hotmail supplied IP Address details which enabled Delhi Police to trace, with further assistance from Airtel, the sender of obscene emails to a noted actress. Sharma, M., 2011. Priyanka Chopra’s cousin harrassed in Delhi. Mid-Day. Available at: http://www.mid-day.com/news/2011/jun/100611-news-delhi-priyanka-chopra-cousin-Meera-Chopra-harrassed.htm [Accessed June 28, 2011].

[17]. In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

[18].Thomas Philip, J., 2010. Intelligence Bureau wants ISPs to log all customer details. Economic Times. Available at: http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps [Accessed June 28, 2011].

[19].The Monitoring Rules list 10 ‘cyber security’ concerns for which Monitoring may be ordered: (a) forecasting of imminent cyber incidents; (b) monitoring network application with traffic data or information on computer resource; (c) identification and determination of viruses/computer contaminant; (d) tracking cyber security breaches or cyber security incidents; (e) tracking computer resource breaching cyber security or spreading virus/computer contaminants; (f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security; (g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force; (i) any other matter relating to cyber security.

[20].Respectively the INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF INFORMATION) RULES, 2009, G.S.R. 780(E) (2009), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf (last visited Jun 30, 2011). and INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARDS FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009, G.S.R. 782(E) (2009), http://cca.gov.in/rw/resource/gsr782.pdf?download=true (last visited Jun 30, 2011).

[21].Section 69 lists the following grounds for which interception may be ordered : a) sovereignty or integrity of India, b) defense of India, c) security of the State, d)friendly relations with foreign States or e)public order or f)preventing incitement to the commission of any cognizable offence relating to above or g) for investigation of any offence.

[22].Rule 2(d) of the Monitoring and Collecting of Traffic Data Rules 2009.

[23].Telegraph (Amendment) Rules 2007, Available at: http://www.dot.gov.in/Acts/English.pdf [Accessed June 28, 2011].

[24].INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION), (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[25].The full list under Rule 3 includes : password; financial information such as Bank account or credit card or debit card or other payment instrument details ; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

[26].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[27].This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6..

[28].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?.

[29].The consequence of disobeying the rules is that the ‘body corporate’ is legally deemed not to have observed ‘reasonable security practices’. Section 43A penalizes such failure if it causes wrongful loss due to the disclosure.

[30].INFORMATION TECHNOLOGY (INTERMEDIARIES GUIDELINES) RULES, (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[31].The easily-affronted have thus been provisioned with a cheaper, swifter and more decisive means of curtailing free speech, where courts in India might have dithered ponderously instead Or they might not have. As of this writing, an obscure court in a Silchar, Assam issued an ex-parte injunction prohibiting the online publication of a highly-acclaimed biopic about Arindam Chaudhuri – a self-proclaimed ‘management guru’ who has gained notoriety in India due the questionable nature of a management institute that he runs. The choice of this particular court as the venue to file the suit, rather than one in New Delhi where both the plaintiff and the publisher reside, coupled Chaudhuri’s consistent success in obtaining such plenary gag-orders from this judge against any content he deems unflattering to himself, strongly suggests foul-play. Although this is not a typical case, it does caution against placing too much optimism on supposed judicial restraint and conservativeness. Anon, 2011. IIPM’s Rs500-million lawsuit against The Caravan. The Caravan, 3(6). Available at: http://caravanmagazine.in/Story/950/IIPM-s-Rs500-million-lawsuit-against-The-Caravan.html [Accessed June 28, 2011].

[32].See Ali, S.A., 2010. Cyber cell nets Delhi teen for lewd online posts. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2010-04-29/mumbai/28116011_1_cyber-cell-cyber-police-abusive-messages [Accessed March 23, 2011]. (“During investigations, the police browsed through several service providers and finally zeroed in on BSNL, which helped them trace the sender's IP address to someone called 'Manoj Gupta' in Gurgaon. A team of policemen were sent to Gurgaon but the personnel found out that Manoj Gupta was fictitious name which the teenager was using in his IP address. The police arrested the accused as well as seized the hardisk of his personal computer.”); See also Rehman, T., 2008. A Case For Fools? Tehelka. Available at: http://www.tehelka.com/story_main40.asp?filename=Ws181008case_fools.asp [Accessed June 30, 2011].(“ The state police reportedly traced the email to the cyber café through its IP address. “We traced the email to a BSNL line. The BSNL has a cell in Bangalore to track such details. They traced the number to that particular cyber café in Shillong,” S.B. Singh, IGP (special branch) Meghalaya police told TEHELKA”)..

[33].Anon, 2010. Privacy Policy. Google Privacy Center. Available at: http://www.google.com/privacy/privacy-policy.html [Accessed June 28, 2011].

[34].Ibid.

[35].Anon, 2010. Privacy Policy. Facebook. Available at: http://www.facebook.com/policy.php [Accessed June 28, 2011].

[36].Ibid.

[37].R. M. Malkani v State Of Maharashtra AIR 1973 SC 157, 1973 SCR (2) 417.

[38].Eg. Title 18 US Code § 2703 provides for mandatory notice in case of wiretapping with a provision of ‘delayed notice’ where an ‘adverse result’ is apprehended such as (A) endangering the life or physical safety of an individual; (B) flight from prosecution; (C) destruction of or tampering with evidence; (D) intimidation of potential witnesses; or (E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Title 18,2705., Available at: http://www.law.cornell.edu/uscode/18/usc_sec_18_00002705----000-.html [Accessed June 28, 2011].

[39].Ministry of Communications & IT. Letter to All Internet Service Providers. “Instructions under the ISP License regarding provisioning of Wi-Fi internet service under delicenced frequency band”, February 23, 2009. http://www.dot.gov.in/isp/Wi-%20fi%20Direction%20to%20ISP%2023%20Feb%2009.pdf (last visited Jun 30, 2011). Internationally, this does not appear to be an uncommon move. See Thompson, C., 2011. Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi. Huffington Post. Available at: http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html [Accessed June 30, 2011]. (“In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.”).

[40].INFORMATION TECHNOLOGY (GUIDELINES FOR CYBER CAFE) RULES, 2011., G.S.R. 315(E) (2011), www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf (last visited Jun 30, 2011).

[41].See State Of Maharashtra v. Natwarlal Damodardas Soni AIR 1980 SC 593 , 1980 SCR (2) 340.

[42].Supra note 15.

[43].Manocha, S., 2009. Cops no more interested in checking cyber cafes. Times Of India. Available at: http://articles.timesofindia.indiatimes.com/2009-08-03/lucknow/28172232_1_cyber-cafe-proper-records-ip-address [Accessed June 28, 2011]. (The cyber cafe owners claim that the registers which they maintain are seldom checked by the police. "I maintained the records properly which included recording of the name and address of the visitors and a photocopy of their identification proofs but not even once any cop had checked my records," said Rajeev, a cyber cafe owner in Aliganj. "It is this carelessness on the part of cops that gives those not maintaining proper records to carry on their business without any fear of the law," he added).

[44].Barrett, S., 2010. Blogger News Censored In India. Blogger News Network. Available at: http://www.bloggernews.net/124890 [Accessed June 28, 2011].

For more details visit https://cis-india.org/internet-governance/ip-addresses-and-identity-disclosures

CCTV in Universities

merlin — 2011-09-01T09:50:09Z

Basic Closed Circuit Television (CCTV) Infrastructure is used to observe movements from a central room, and consists of one or more video cameras that transmit video and audio images to a set of monitors or video recorders.

A Brief History of CCTV's

Video surveillance as a means of policing gained prominence in the 1950s when the UK police installed two pan-tilt cameras on traffic lights to monitor traffic near the Parliament. Since then the United Kingdom has become the country with the most number of surveillance cameras.[1]

The proliferation of CCTVs has been attributed to the growing radicalization of human behaviour wherein organized groups terrorized entire nations and threatened their internal security. The 1985 terror attack on the then Prime Minister of Britain by the IRA and many such instances thereafter have led many countries to adopt CCTV as a means of policing. In India, terror attacks on the Mumbai stock market and successive instances have pushed the Indian Government to install CCTVs in prominent public areas so that it is possible to monitor suspicious movements.[2]

CCTVs and Public Perspective

Since the 1950'sCCTVs have become ubiquitous and ever present, monitoring our daily movements, and infringing into our personal space. Though governments believe CCTVs are essential security instruments, the public is less convinced. The early anxiety to be safe from an unseen danger has given way to a new unease amongst the people, that of constantly being watched by an unseen eye.

CCTVs in Educational Institutions

CCTVs are typically used by the government or private agencies for surveillance in areas frequented by the public that need monitoring. Recently though, universities across the length and breadth of the country have resorted to the use of CCTVs for policing campus activities and to keep the students in check and under control. Huge budgets are set to wire campuses with CCTV infrastructure, t causing students to protest as well as laud the initiative by the administration. The debate on CCTVs has gained momentum in recent years with students staging huge rallies both in support of and against it.

Example 1:

The most prominent of the agitations against CCTVs was staged by the students of Jadavpur University in Kolkata on the administration’s decision to install 16 CCTVs on the four main exit points of the campus and other strategic locations.[3] The installation cost Rs.20 lakh. The students protested loudly against the decisions and ‘gheraoed’ the office of the vice chancellor for 52 hours. The students claimed that the administration was curbing their individual freedom and robbing the campus of it’s democratic atmosphere. The administration refused to remove the cameras, and claimed that the move was necessitated for the security of the students and to prevent any unforeseen incident.

Example 2:

The girl’s residing in the Women’s Hostel of The University of Pune protested against the setting up of CCTV cameras’ in the entrances of the hostel to check for unauthorized visits from boyfriends and friends. The girl’s vandalized the camera and claimed that they were an infringement to their privacy. The hostel authorities insisted that the cameras did not infringe on the privacy of the women, and were only installed at the entrance gates to keep a tab on visitors.[4] The authorities claimed that this step was taken in congruence with the hostel’s policy of not allowing visitors to stay the night.

Example 3:

The girls of the Churchgate’s Government Law College succeeded in getting the CCTV camera removed from the Girl’s Common Room, as it was seen as an infringement to their privacy. The MNS stepped up the agitation in favor of the students which led the college administration to finally take notice and remove the camera from the common room.[5]

The Flip Side

The issue of CCTVs in campuses takes an interesting turn when the students support the move to install cameras in campuses.

Example 1:

Delhi University installed CCTV cameras in their campuses after the Delhi Police issued an advisory for the same. They claimed that the advisory issued was to monitor the instances of on campus ragging. The Delhi Police also helped fund the setting up of CCTVs in the college. This move was lauded by the students, and the colleges took instant measures to wire their campuses.[6]

Example 2:

Recently, after the murder of a Delhi University student named Radhika Tanwar in broad day light, many student union groups assembled for a candle light vigil. They demanded CCTV cameras near the Satya Niketan bus stop where Radhika was killed which is an isolated stretch of a road. The massive agitation of almost a week brought the National Commission of Women into the foray who seconded the demand put forth by the student body.[7]

Example 3:

The recent instance of an RTI exposing inflated bills for setting up CCTVs in the Punjab University Campus also throws light on an interesting facet to this debate as the students do not mind the CCTVs in their campus. The student’s union of the university demanded the authorities to look into the discrepancies of the budget, and also expressed anger as the CCTVs installed did not work. The students claimed that the rising violence in the campus is because of disinterested security men and non working CCTV cameras.[8]

Conclusion

The decisions to use CCTVs as a means of surveillance evokes mixed responses. On one side of the debate they are seen as a deterrent to crime while on the other side of the debate they are seen as beinggross infringements on privacy. CCTV surveillance remains as a bone of contention amongst students. If they feel that their personal space is being invaded by these cameras then it needs to be addressed by the administration in a manner which appeases their fear. Universities randomly adopt the policy of CCTV surveillance, disregarding any voice of dissent. Kashmir University put up CCTVs in it’s campus to shoo away lovebirds and the Aligarh Muslim University has installed 57 CCTV cameras in it’s campus to keep a check on students. The rise of the CCTVs in colleges relates to not the actual crime but to the fear of crime. Therefore, CCTVs have become a tool of re-assurance [9]which feeds a notion of safety and security to the authority in charge.

There is no black and white regarding the implementation of CCTVs in universities. A policy can only benefit both sides when decisions are taken with the students, and not on behalf of them. Indian Universities have no guidelines and policies regarding the implementation of CCTVs and students remain unaware of any decisions in this regard. The Universities should clearly spell out their take on CCTVs including:

University policy regarding CCTVs policies
The reasons for introducing CCTVs
The proposed uses of CCTV infrastructure
Which areas in the campus will be kept under surveillance
How will the data collected be stored
How long will the data be retained
How will the data be deleted[10]

The Universities should address all these issues to dispel fear from the minds of the students, and the student unions should be included in the discussions regarding the implementation of CCTVs.

Notes

[1].Webster,William; CCTV policy in the UK: Reconsidering the evidence base; sueveillanceandsociety.org.

[2].Norris, Clive;MC Cahill, Mike;Wood, David; The Growth of CCTV: A Global Perspective on the international diffusion of video surveillance in publically accessible space; surveillance-and-society.org.

[3].Timesnow.tv/jadavpuruniversity, www.haata.com.

[4].http://www.ndtv.com/article/cities/female-hostellers-damage-cctv-cameras-to-protect-privacy-83889, http://toostep.com/debate/is-it-right-to-install-a-cctv-in-girls-hostel-to-stop-unauth.

[5].http://www.mumbaimirror.com/index.aspx?page=article§id=2&contentid=201101212011012104560935753ecb888, http://ibnlive.in.com/news/cctv-cameras-in-hostel-rob-pune-women-of-freedom/142681-3.html.

[6].http://www.expressindia.com/latest-news/after-delhi-police-advisory-du-to-install-cctv-cameras/761421/.

[7].http://www.indianexpress.com/news/women-constables-cctv-cameras-in-girl-stude/766083/.

[8].http://www.punjabcolleges.com/5526999-itemdisplay-Misappropriation-of-funds-on-CCTV,-RTI-exposed-it-Chandigarh.htm.

[9].www.surveillance-and-society.org/ojs/index.php/journal/article/view/prozac/prozac.

[10].www.ucl.ac.uk/estates/security/documents/cctvpolicy.doc, http://www.wustl.edu/policies/cctv-monitoring-and-recording.html.

For more details visit https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities

Govt wants to monitor Facebook, Twitter

praskrishna — 2011-08-09T09:21:55Z

The Union home ministry has written to the department of telecom asking it to "ensure effective monitoring of Twitter and Facebook".

Milind Deora, minister of state for communications and information technology, said in written reply to a question on Friday in the Rajya Sabha that DoT has received a letter from MHA to ensure monitoring of social networking websites like Facebook and Twitter in order to "strengthen cyber security paraphernalia".

He said that in cases where the data is encrypted, the department works with all concerned parties to obtain lawful access to it.

Citing security a reason, India in the recent months has sought more surveillance and monitoring from internet service providers as well as companies like Research In Motion, which sells BlackBerry phones capable of encrypted emails and messaging.

In April the government notified a new set of IT rules, virtually making intermediaries like internet service providers and web hosts and websites like Facebook and Twitter responsible for any wrongdoings on their networks. The rules were widely criticized by privacy activists.

Sunil Abraham, executive director of Centre for Internet and Society said these "blanket surveillance practices" are counterproductive.

"People advocating greater surveillance don't understand how the web works. In some cases, if there is evidence, targeted monitoring can be done but if governments wants to go through each tweet and every status update, it's just waste of money and resources. Agencies involved in monitoring can do better work by focusing on core issues. This will also save ordinary law-abiding citizens from unnecessary harassment," said Abraham.

According to their policies, Twitter and Facebook don't share any private information available on their servers without valid court order or subpoena. Twitter had said in the past that even if there was a court order, it would first inform the users in question before sharing information related to them.

This article was published in the Times of India on August 8, 2011. The original can be read here.

For more details visit https://cis-india.org/news/govt-to-monitor-facebook-twitter

Nothing unique about this identity

praskrishna — 2011-08-09T09:12:55Z

Relying on the government to protect your privacy is like asking peeping tom to install your window blinds, opined, not long ago, the American poet and novelist John Perry Barlow once. The statement attains significance in the context of Unique Identification (UID) project which is being touted as a milepost in inclusive politics. Liberalisation evangelists see UID project as the most virtuous thing that can ever happen to the Indian people who find themselves excluded from the system.

So, their ingenious solution is a 12-digit Aadhaar number — a super identity — to help the common man in opening a bank account or ordering a cylinder refill. This is, besides, the existing identities like ration card, the driving license, PAN card and passport to mention a few.

Prima facie, it may all appear euphemistic initiative; for some even very bright and attractive. For, its proclaimed purpose supposedly is to deepen the democratic process.

However, when one talks to civil rights activists who’ve gone hammer and tongs against the project, one will realise the truthfulness of Shakespeare’s observation that ‘a fair exterior may hide a corrupt mind!’

This becomes evident from the fact that the UID project has become the biggest industrial collector of personal information which should frighten up any person still in sensibilities.

The project has already proved disastrous since the unfolding events prove its advocates have not applied much thought to the dangers posed by centralised data collection considering India’s heterogenic population.

In fact, head of Unique Identification Authority of India (UIDAI) Nandan Nilekani had maintained UID enrolment was voluntary.

However, Chief Minister Oommen Chandy some two months back asserted his government would make UID mandatory unlike his predecessor V.S. Achuthanandan.

"Even in this basic thing, there’s so much confusion. But, the truth is that it’s voluntary. You can’t be coerced into it", confirms a prominent anti-UID campaigner Usha Ramanathan.

She alleged personal information passed onto UIDAI passes through various outsourcing layers compromising safety. It recently happened in Bangalore where a delivery boy demanded a customer’s fingerprint while delivering gas refill!

"Why should anyone give it to an unknown person? It shows the level to which your personal information could get disseminated", she says.

UID, in fact, is supposed to be foolproof. However, again in Bangalore, miscreants could easily fake an Aadhar number in the name of none other than Nandan Nilekani himself!

The fraud came to light when miscreants offered franchisee for UID enrolment for `2.5 lakh.

"Fake UIDs rackets confirm there’s no monitoring. So, how can UIDAI protect your information?" wonders Usha. Nandan Nilekani wants to enroll 60 per cent Indian population by 2014 into UID. However, it’s fast proving a chimerical target as the process involving agency-UIDAI-de-duplicating agency has started taking its toll.

"Initially, Aadhaar number was promised within a week. Now, it’s taking anywhere between three to six months", pointed out executive director, Bangalore-based Centre for Internet and Society (CIS) Sunil Abraham.

The project faces problems on cash transfer whose aim is to dismantle public distribution shops (PDS) which once done would put the farmer and customer at the mercy of market for their selling/procurement needs.

For, the farmer won’t be assured of a minimum support price (MSP) while for the customer there is no guarantee that the price would hold good till such time his account gets credited. Further, experts warn the Aadhar number-linked cash transfer will compromise safety. “Cash transfer using bio-metric is not safe. If it were otherwise, ATMs would’ve gone for it. Why didn’t they do it?” asks Sunil Abraham.

Interestingly, a group of students recently did a research on the efficacy of PDS. The research covering nine States cautioned prime minister Manmohan Singh that PDS was better than cash, except in Bihar.

Professor Sridhar Krishnaswamy W.B. University of Jurisdical Sciences fears the Corproates could link one’s Aadhar number to bank account to judge his or her behavioural pattern.

"It’s not right. Instead of resorting to blanket surveillance, government should go in for targeted surveillance," Sunil said.

This article by T. S. Sreenivasa Raghavan was published in the Deccan Chronicle on August 5, 2011. The original can be read here.

For more details visit https://cis-india.org/news/nothing-unique-about-identity

Re-thinking Key Escrow

natasha — 2011-08-22T11:44:21Z

Would you make duplicates of your house keys and hand them over to the local police authority? And if so, would you feel safe? Naturally, one would protest this invasion of privacy. Similarly, would it be justified for the government to have a copy of the private key to intercept and decrypt communications? This is the idea behind key escrow; it enables government ‘wiretapping’.

The evolution of technology has allowed for increased communication and interconnectedness among people, markets and institutions all over the globe. This has increasingly facilitated the transaction and exchange of all kinds of information. However, this has raised major ethical concerns surrounding the privacy of communication and security of information. Key encryption is an important tool developed to preserve an individual’s privacy. It involves transforming information, so as to ensure that it is unreadable. The need for encryption is irrefutable.

Governments and authorities are concerned with the difficulties associated with accessing and intercepting the encrypted communication. For lawful interception a recovery key is escrowed with a trusted third party. Key escrow is controversial as it is vulnerable to lawful interception and has the potential to threaten the security of sensitive and personal data. In India, key escrow is a requirement under the Indian Internet Service Provider (ISP) license. This means that an ISP, a law enforcement agency, or other party has the potential to partake in covert surveillance and maliciously use the key, thereby compromising the data.

In a short video Jim X. Dempsey, Vice President of Public Policy at the Centre for Democracy and Technology in Washington, DC reviews the public policy battle over key escrow in the United States that took place in the 1990's. At the time the U.S government’s approach to encryption technology involved the use of key escrow in communication devices. One danger of using key escrow in this way was that it allowed for the commercial use of encryption technology, provided that a copy of the private key is held in escrow by the U.S. government. The use of key escrow also permitted the U.S. government to decrypt all data transmitted across communication networks. The risks associated with the use of key escrow led to widespread dissatisfaction from the private sector in the U.S., which ultimately led to the rejection of encryption technology by the President and Congress. In response to the strong negative feedback given by different stakeholders, the US government lifted the controls on encryption technology thereby allowing it to become widely available.

The use of key escrow in India should be seriously reconsidered. Foremost, it subverts basic constitutional practices by violating various freedoms and civil liberties guaranteed in the fundamental rights. Secondly, it threatens the security of personal information. Lastly, it could significantly hinder the growth of e-commerce, transactions, and purchases made over the Internet. The Indian government should take into consideration the failed attempt in implementing the system of key escrow in the United States when deciding on whether or not to implement the use of key escrow in India.

Please see Jim Dempsey’s account on the Short History of Key Escrow.

For more details visit https://cis-india.org/internet-governance/blog/privacy/key-escrow

Better Understanding of the Idea of Privacy Sought

praskrishna — 2011-08-08T07:40:18Z

Understanding the ways in which an individual's privacy is violated will help provide a better definition of privacy in India. At a public conference called ‘Privacy Matters' held at the Madras Institute of Development Studies (MIDS) here on Saturday, speakers underscored the need for discussions surrounding the privacy bill.

Prashant Iyengar from Privacy India said, "In India, we do not have a set view on privacy. There is a lot of articulation around privacy in law, yet we do not have an omnibus concept." He stressed the importance of bringing about discussions around the adequacy of safeguards.

Post 26/11 terror attacks, the country has seen an enhancement of electronic surveillance and the proliferation of databases that collect information from individuals, said Santhosh Babu, Secretary, Information Technology Department.

"The problem arises when these databases are misused for political or other reasons. In a legal framework, we have to figure out what information can be given out, what cannot and what can be misused," he said. He stressed the importance of databases going through a software development lifecycle to make them more secure.

Speaking from a media practitioner's perspective, Sashi Kumar, Chairman, Media Development Foundation, said it is the business of the media to conduct sting operations especially when people in power are obfuscating information. “Sting operations are legitimate when larger public good is at stake. We have to be aware of this when we discuss the privacy bill. It should not protect people in power and keep exposure at bay,” he said. He also stressed that privacy is closely linked with the dignity of the person. R. Ramamurthy, Chairman, Cyber Society of India said, “The definition of privacy varies from what it was twenty years ago to what it is today. A lot has changed since the internet came to India.” The statutes that govern all forms of communication in India should be revamped, he said. Discussions around privacy in relation to telecommunications, financial transactions, consumer rights and basic rights followed. The conference was a collaborative effort between Privacy India, Citizen Consumer and Civic Action Group, Chennai and MIDS.

A staff reporter from the Hindu covered the event. The original can be read here

For more details visit https://cis-india.org/news/better-understanding-of-privacy

July 2011 Bulletin

praskrishna — 2012-07-30T07:00:26Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage:

Researchers@Work

RAW is a multidisciplinary research initiative. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Five monographs: Re: Wiring Bodies by Asha Achuthan, Archive and Access by Aparna Balachandran and Rochelle Pinto, Pornography and the Law by Namita Malhotra, The Leap of Rhodes or, How India Dealt with the Last Mile Problem – An Inquiry into Technology and Governance by Ashish Rajadhyaksha and Internet, Society and Space in Indian Cities by Pratyush Shankar were sent for peer review.

Upcoming Event in CEPT, Ahmedabad

Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop: Call for Participation [Deadline for submission – 26 July 2011; Participants to be selected by 30 July 2011; Workshop from 19 to 22 August 2011]

Digital Natives with a Cause?

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

The Digital Natives Newsletter

"Links in the Chain" is a bi-monthly publication which highlights the projects, ideas and news of the "Digital Natives with a Cause?" community members. It includes opinion posts by participants from the three workshops — Talking Back (Taipei, 15 – 18 August 2010), My Bubble, My Space, My Voice (Johannesburg, 6 – 9 November 2010) and From Face to the Interface (Santiago, 8 – 10 February 2011) as well as the facilitators, interviews with them, comics and cartoons highlighting current issues affecting the community, as well as current news and discussions happening at the project website, www.digitalnatives.in.

The Digital Dinosaurs [Links in the Chain, Volume 7]
Special Mid Year Edition [Links in the Chain, Volume 8]

Accessibility

Featured Research

Accessibility Policy Making: An International Perspective (Revised Edition 2011) [A G3ict White Paper researched and edited by the Center for Internet and Society, Bangalore, India. Editor: Nirmita Narasimhan, Revised edition: May 2011]

Access to Knowledge (previously IPR Reform)

CIS believes that access to knowledge and culture is essential as it promotes creativity and innovation and bridges the gaps between the developed and developing world positively. Hence, the campaigns for an international treaty on copyright exceptions for print-impaired, advocating against PUPFIP Bill, calls for the WIPO Broadcast Treaty to be restricted to broadcast, questioning the demonization of 'pirates', and supporting endeavours that explore and question the current copyright regime.

Featured

Don't Shoot the Messenger: Speech on Intermediary Liability at 22nd SCCR of WIPO (speech by Pranesh Prakash at a side-event co-organized from 15 to 24 June 2011, by WIPO and the Internet Society on intermediary liability).

Openness

CIS believes that innovation and creativity should be fostered through openness and collaboration and is committed towards promotion of open standards, open access, and free/libre/open source software.

Documentary

People are Knowledge – Experimenting with Oral Citations on Wikipedia (co-produced by CIS in association with the Wikimedia Foundation, on Oral Citations in India and South Africa)

Featured

Opening Government: A Guide to Best Practice in Transparency, Accountability and Civic Engagement across the Public Sector (published by Transparency & Accountability Initiative, CIS contributed the section on Open Government Data).

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Its latest endeavour has resulted into these:

New Blog Post

RTI and Third Party Information: What Constitutes the Private and Public? [by Noopur Raval]

Events Organised

Socio-financial Online Networks: Globalizing Micro-Credit through Micro-transactional Networked Platforms – A Public Lecture by Radhika Gajalla [at CIS, Bangalore on 8 July 2011]
Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden [at TERI, Bangalore on 27 June 2011]

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

Featured

Privacy & Media Law (by Sonal Makhija). The research examines the existing media norms governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority, the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy.

Comments

Right to Privacy Bill 2010 — A Few Comments (by Elonnai Hickok). CIS has given specific recommendations and specific comments on the Right to Privacy Bill, 2010, which was introduced in the Rajya Sabha by Rajeev Chandrashekhar.

Event Report

Privacy Matters, Guwahati – the event was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS on 23 June 2011.

New Blog Entries

My Experiment with Scam Baiting (by Sahana Sarkar)
When Data Means Privacy, What Traces Are You Leaving Behind? (by Noopur Raval)
Video Surveillance and Its Impact on the Right to Privacy (by Elonnai Hickok)
Consumer Privacy in e-Commerce (by Sahana Sarkar)
An Overview of DNA Labs in India (by Shilpa Narani)
UID: Nothing to Hide, Nothing to Fear? (by Shilpa Narani)

News & Media Coverage

Indian SMEs still fail to harness the power of Net [Sunday Guardian, 19 June 2011]

Sorry Wrong Number [Telegraph, 3 July 2011]

Aadhaar’s moment of truth [Deccan Herald, 5 July 2011]
The Walls Have Ears [Outlook, issue, 11 July 2011]
Transparent Government, via Webcams in India [New York Times, 17 July 2011]; news also published in other languages in wprost (Polish), ictnews (Vietnamese) and @rret sur images(French)
NYT lauds Oommen Chandy’s 24/7 office webcast [Deccan Chronicle, 19 July 2011]
UID: The World’s Largest Biometric Database [International School on Digital Transformation, 21 July 2011]. Sunil Abraham made a presentation.
Facebook, my boyfriend is lousy [Bangalore Mirror, 24 July 2011]

Portal augurs well for transparency [The Hindu, 25 July 2011]

Follow us elsewhere

Get short, timely messages from us on Twitter

Follow CIS on identi.ca

Join the CIS group on Facebook

Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/july-2011-bulletin

Facebook, my boyfriend is lousy

praskrishna — 2011-07-25T10:07:37Z

While a sizeable chunk of users do not mind living their life in public, oversharing can have nasty repercussions in real life. This article by Sahana Saran was published in the Bangalore Mirror on 24 July 2011.

A wife wrote a bitchy remark about her mother-in-law on Facebook when her husband was out of town. A happy homecoming turned sour when the husband saw the comment. There was a huge showdown which finally led to divorce.

On the flip side, when Savita and Vinay’s (name changed) baby was about to be born a couple of years ago, the couple’s friend live-tweeted the whole childbirth process and the proud parents didn’t mind.

Oversharing on social networks by young people can have damaging results, say internet experts. Why does it happen?

"These days youngsters hook on to social networking sites, and you cannot blame them for seeking each other’s company because that is how they are at that age. There are more restrictions on children these days because of security and abuse issues which the earlier generation may not have encountered. For example, sleepovers which were much common earlier may now not be readily allowed. Their time outside their house is also monitored. Many schools these days have surveillance cameras or some form of curbs that might restrict students from having a private interaction. That is why they seek such interactions through the internet and social networks. Still in India, there is not really a need to press the panic button saying that they are becoming Facebook addicts," says Sunil Abraham, executive director of the Centre for Internet and Society, who is an internet behaviour expert.

Sunil quotes an analysis done in Poland to show how much social networking has become a part of young people’s lives. It showed that teenage girls who meet every day in school, go back home and immediately switch on their PCs and start interacting with each other again. And all through the day, they are on Skype and can see every single thing that each one of them are doing in their rooms in their respective homes. Studies done in the Philipines demonstrate how personal life is becoming public. A study by the Institute of Philippine Culture showed that many of those assessed were on Friendster and allow full access to information on their accounts and readily share details of activities, interests and contacts.

Is the situation different in India? Bhavana, a business management graduate in her 20s, says that what she puts up on her social networking account depends solely on her state of mind. But she ensures that messages are not too personal because earlier she had put up posts which backfired.

"Sometime ago we were celebrating my brother’s birthday and some misunderstanding happened during the celebrations and I was heaped with blame by friends and relatives on FB when I tried to justify myself. I was taken aback. Now, I am more careful about posting messages about sensitive topics," she says.

And when you let people know where you are through Google Latitude, you need to watch against saying offensive things.

"There have been instances of people gate-crashing parties following a Twitter or FB post; in China, mobs of people have attacked those whose views they oppose," adds Sunil.

What makes some people, who would never dream of whipping up controversies in the real world, so reckless when they are online?

"Most often, it is a way of being noticed, of getting attention. Everyone wants to have a popular public profile and telling the world about your opinions and your activities is a way of gaining attention. But new forms of communication are being invented every other day and each has an etiquette of its own," says Sunil.

According to Dr Thomas M J, there are two kinds of people who are the net — attention-seeking and anonymous. The anonymous generally never put personal details about themselves on social networks. "But the other group consists of those who are externally controlled. For such people any open media acts as a place to talk about themselves and they love being in that public space. Moreover, social networks give internet users the courage to say whatever they want because they can avoid face-to-face contact. Even if there is a response, it is muted because because it is not direct and they can escape confrontation," says Thomas.

Read the original article published in Bangalore Mirror here

For more details visit https://cis-india.org/news/facebook-my-lousy-boyfriend

Video Surveillance and Its Impact on the Right to Privacy

Vaishnavi Chillakuru — 2011-09-29T05:35:56Z

The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.

However, this move is fundamentally opposed by many civil rights and privacy groups across different jurisdictions and have expressed concern that by allowing continual increases in government surveillance of citizens that we will end up in a mass surveillance society, with extremely limited, or non-existent political and/or personal freedoms.

European Union

The Data Protection Directive [1]of 1995, a Directive was issued by the European Union (EU) to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (UK) enacted the Data Protection Act (DPA) in 1998 and the same was brought into force in the year 2001.

The DPA sets forth eight, Data Protection Principles (DPP)[2] to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the information commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes with a camera, video recorder, etc., are also exempt. The main features of the CoP have been summarized below:

It is important to ascertain who has the responsibility for the control of the images i.e., deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the information commissioner as to who the data controller is.
An impact assessment should be done to evaluate the scheme’s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The camera should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed must be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. It should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Staff operating the system needs to be aware of the rights of the individual under the DPA.

Canada

Canada has two federal laws which deal with privacy — the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by the federal government departments and agencies whereas the latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations.

A privacy commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The privacy commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized.

The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e., in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are[3]

Video surveillance should only be used to address a "real and pressing problem" which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be "real and verifiable" instances of crime or concern for public safety.
Video surveillance should be conducted only as a last resort i.e., in circumstances where there in no other less privacy-intrusive alternative.
A "privacy impact assessment" should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
Relevant stakeholders (for example, members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
The video surveillance should be conducted in such a way that impact on the privacy rights of citizens is minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to be always on surveillance if it will achieve substantially the same result.
The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
Security of the equipment and images should be assured.
People whose images are recorded should be able to request access to their recorded personal information.

The second set of guidelines is with respect to video surveillance in private sector organizations. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. They do not apply to covert video surveillance nor do they apply to the surveillance of employees.

"Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
Develop a policy on the use of video surveillance.
Limit the use and viewing range of cameras as much as possible.
Inform the public that video surveillance is taking place.
Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
Give individuals access to information about themselves. This includes video images.
Educate camera operators on the obligation to protect the privacy of individuals.
Periodically evaluate the need for video surveillance."

United States of America

Statutory laws governing the regulation of video surveillance in America are scarce. While there are some state laws which regulate aspects of public video surveillance, there are virtually no federal laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines — especially the first and the fourth amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive.

Another important directive is the "Fair Information Practices" (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any government-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:[4]

"Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse; and
Redress and accountability for injury resulting from loss or misuse of personal information."

Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:

While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved, etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location under surveillance by taking into consideration the nature of the place, activity, condition, or location.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved.

Australia

Neither the Australian Federal Constitution nor the Constitutions of the six states and two territories contain any express provisions relating to privacy. However, there are several state and federal privacy laws governing specific sectors and aspects. The primary federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia's commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulates private sector organizations. However, private organizations can set forth their own "code of practice" and get it approved by the privacy commissioner as long as it does not go against the broad framework laid down by the NPPs.

Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act, 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act, 1999 and Western Australia by the Surveillance Devices Act, 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance.

Japan

The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was non-existent and the government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan[6] protects only personal information that is obtained and held by administrative agencies, private agencies. It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this Act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.

In this regard it is set forth that there exists no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the "N system"[7] in order to record license plate numbers of vehicles on roads, highways, etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city.[8] However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.

Conclusion

We have now moved into an age where security seems to be the primary issue for most countries and their citizens. Video surveillance is increasingly being used to assuage the fears of the citizens and bring perpetrators to justice. In such a scenario, the issue of privacy rights of individuals seems to have taken a backseat. While some countries such as Canada and Britain have attempted to strike a balance between the need for surveillance and the privacy rights of the people, other countries such as the United States of America and Japan do not seem to have made much progress in terms of creating video surveillance norms or regulations to protect the privacy rights of citizens.

Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance.

These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties. Further, in order to balance security with privacy, the next step is to create an office for the information commissioner. It should be created and powers should be conferred to ensure that the privacy related disputes are handled efficiently and expeditiously. Furthermore, the misuse of the powers conferred upon surveillance authorities should be deterred by giving further powers to the commissioner to impose pecuniary liability.

Bibliography

European Union

Canada

United States of America:

Australia:

Japan

https://www.privacyinternational.org/article/phr2006-japan#[45]

Notes

[1]Directive 95/46/EC.

[2]See http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx (eight data protection principles)

[3]Full guidelines: http://www.priv.gc.ca/information/guide/vs_060301_e.cfm.

[4]Full guidelines: http://www.americanbar.org/publications/criminal_justice_section_archive/crimjust_standards_taps_blk.html#9.

[5]http://www.proactivestrategies.com.au/library/Loss%20Prevention/Video%20Surveillance%20National%20article.PDF.

[6]This law extends to private businesses, government organizations and independent administrative agencies.

[7]540 locations on expressways and major highways throughout the country; it automatically records the license plate number of every passing car.

[8]This regime has also been litigated upon thoroughly with lawyers claiming the same to be unconstitutional.

For more details visit https://cis-india.org/internet-governance/blog/privacy/video-surveillance-privacy

UID: The World’s Largest Biometric Database

praskrishna — 2011-07-23T02:04:45Z

At the start of his presentation, Sunil Abraham pointed to two aerial drawings of cybercafes: one where each computer was part of a private booth, and one where the computers were in the open so the screens would be visible to any one. Which layout would be more friendly to women, and why, Abraham wanted to know. Some participants selected the first option, liking the idea of the privacy, while others liked the second option so that the cybercafe owner would be able to monitor users’ activities.

Abraham said he was surprised no one said option one looked like masturbation booths, adding that in May, India passed rules prohibiting the first design option to avoid just such an issue. This is despite a survey conducted of female college students, who liked the idea of privacy in cybercafés that typically are male-dominated.

Cybercafes are just one of the areas impacted by India’s plan for collecting and using biometrics to create unique individual identification cards.

Abraham focused his presentation on activists’ efforts to counter the government’s myths about a unique identification (UID) program.

One campaign image showed two soldiers on the border asking for an east-Asian looking person’s identification. The way to balance, or rectify, the drawing, Abraham said, would be to allow citizens to be able to ask the soldiers for the identification information.

The campaign, “Rethink UID Project,” included several images illustrating various problems with the plan. For example, one said: “Central storage of keys is a bad idea, so is central storage of our biometrics.” As Abraham explained, if storing a copy of your housekey at the police station does not make us feel more secure, then why wouldn’t storing our biometrics with the government also make us a little more scared?

In the Indian scheme, Abraham said, the government says biometrics will be used as an authentication factor in order to prove your identity, but from a computer science perspective, it’s a bad idea because it is so easy to steal biometrics. And, as Abraham pointed out, if your biometrics are stolen, it’s not possible for you to re-secure it—it’s not like getting a new ATM card and password, he said.

If this system of national UID was designed using digital keys instead of biometrics, then we would have a completely different configuration, Abraham said.

Centralized storage is nonnegotiable, and therefore the process of authentification is done through a centralized database, but with digital keys or digital signatures, authentification could be done on a peer basis, so citizen could authenticate border guards and vice versa.

Another image from the “Rethink UID Project” campaign pointed out that “Technology cannot solve corruption.” As Abraham said, problems of corruption in the subsidy system (food, loans, education, employment guarantee act in rural India, etc) won’t be fixed with biometrics. For example, if biometric equipment is installed at fair-price shops, before the shop owner gives the grain, the citizen would have to present biometrics, which would go through a centralized server and be authenticated, then the citizen would get the grain, and ultimately there would be a record saying this particular citizen collected this amount of subsidized grain at this particular time.

But there are a whole range of ways shop owners can compromise the system, Abraham said.

The first way: 30-50 percent of India is illiterate, so shop owner can say the biometrics were rejected by the server and the citizen would not know better. Or, the owner can say there was no connectivity so authentification didn’t go through, or the owner could say there was no electricity so the system won’t work, or the shop owner could give just part of the grain that the citizen is due.

Corruption innovates and terrorism innovates—if technology innovates, so does corruption, as it is not a static phenomenon, Abraham said. You can’t wish away human beings from technological configurations.

One village will have multiple biometric readers.

Abraham said they have proposed an alternative schema: remove readers from the shop, school, hospital, bank, etc., and have only one scanner at the local governance hall. Instead of the citizen becoming transparent to the government, the government should become transparent to the citizen. The shop owners should make transparent which IDs they have given how much grain to, and only if they are going to dispute the ID of a citizen, can they go to the local government administrative office to prove the ID.

Another image from the “Rethink UID Project” campaign said, “The poor and the rich: who do we track first?”

Abraham explained that one problem in India is “black money,” or money for which you don’t pay taxes because the accounts are in fake names in order to store money. Like creating fake bank accounts, he said it also would be easy to create fake biometrics by combining the handprints and eyes of multiple people to get a second fake ID. Also the system could be hacked into and iris images Photoshopped. Ghost ideas also could be created and then sold off. Because the rich will get their IDs behind closed doors, Abraham said, it will be easy for them to get multiple IDs, but the poor will not be able to.

Referring to “tailgating,” or when one ID is card swiped to gain entrance for multiple people, such as swiping one metro card and then two people walking through, Abraham noted that the problem is that the tailgating only is seen as a problem when it’s at the bottom of the pyramid, such as one woman goes to the fair-price shop to collect grain for five or six families so only one person has to lose a day’s wage instead of all five or six losing a day’s wages. Tailgating at the bottom if the pyramid is usually a question of survival, he said.

Thus, another image from the campaign showed a pyramid and said, “Transparency at the top first…before transparency at the bottom.”

The first principle is that expectations of privacy should be inversely proportional to power, so people who are really powerful, like NGOs, politicians, or heads of corporations, should have less privacy, and people who have very little power should have more privacy, Abraham said.

Also, from a business perspective, the nation gets greater return on its investment if surveillance equipment is trained on people at the top of the pyramid to catch big-time corruption, he said.

Most of the panic around the UID is over the transaction database. Beyond a databse storing everyone’s biometrics, another database will track transactions: every time you buy a mobile phone or purchase a ticket or access a cyber cafe or subsidies, thanks to UID, there will a record made in the transaction database, Abraham said.

Abraham said it is important to note that surveillance is not an intrinsic part of information systems, but once surveillance is engineered into information systems, both those with good intentions or bad intentions can take advantage of that surveillance capability.

The UID means there will be 22 databases available to 12 intelligence agencies, he said.

So when a girl enters into a cybercafé, first she will have to provide her UID, and then the café owner will photocopy the card, then the owner has the right to take a photo of the girl using his own camera, then the owner is supposed to maintain browser logs of her computer for a period of one year.

So the question then is how to assure accountability without surveillance?

The first possibility, Abraham said, is partial storage. The transaction database could store half the data, and the central database could store the other half, so the full 360-view of the data would not be available without a court order.

The second solution is a transaction escrow, where every time a record is put into the main database, it will be encrypted using 2-3 keys, and only if 3 agencies cooperate with keys, can the information be decrypted. Thus, it is targeted surveillance, not blanket surveillance.

To conclude his presentation, Abraham divided participants into four groups in order to design surveillance systems for internet surveillance, mobile technologies, CCTVs, and border control.

Sharon Strover spoke on behalf of the CCTV group, saying they ended up with more questions than anything else. They agreed there should be notices when cameras are in use, there should be public knowledge of who is doing surveillance and who has access to the footage, and the data shouldn’t be sold. But the group couldn’t decide which spaces warranted CCTVs and which not.

Abraham then pointed out that the next generation of CCTVs can read everybody’s irises as they pass the cameras—it’s in the lab now, and 2-3 years from the market, he said.

Next, Andy Carvin spoke on behalf of the mobile technologies surveillance group. Whether or not capturing metadata or content as well, the mobile phone company can collect it, but it shouldn’t be able to keep any identifiable information for the person – it should only be able to look at information in the aggregate. The rest of the information should be shipped to a non-governmental organization or government agency specialized in privacy, and 2 keys would be required: one from the judiciary and one from the NGO or governmental agency.

Smári McCarthy reported back for the Internet surveillance group, pointing out that data retention has been useful in criminal cases less than 0.2 percent of the time in one study, and another showed there has been no statistically significant increase in the number of criminal cases solved because of data retention. So, he said, the group concluded there should be no blanket surveillance, only court orders in certain criminal cases that define who will be under surveillance and for how long. Also, they wanted to see a transparency register available so the public could be informed about how many people are under surveillance currently and throughout year and other general information, such as the success rate—how many of these surveillances have led to criminal convictions or similar.

Finally, Summer Harlow spoke on behalf of the border control group, which said scanning of checked- and carry-on luggage is acceptable, but there should be no luggage searches without specific probable cause from intelligence agencies or if the scans pick up weapons or other contraband. Similarly, people could be subject to spectrum scans and drug/bomb sniffing dogs for weapons and contraband, but again they would not be physically searched by border agents without probable cause. Also, people and luggage could not randomly be searched based on the country of their passport or their flight destination or origin.

In summary, Abraham said, surveillance is like salt in food: it is essential in small amounts, but completely counter-productive if even slightly excessive.

Download Sunil's presentation here [PDF, 1389 kb]
Sunil Abraham made the presentation at the Gary Chapman International School on Digital Transformation on 21 July 2011. The original news published by International School on Digital Transformation can be read here
Read the schedule here

For more details visit https://cis-india.org/news/uid-worlds-largest-database

Internet Governance

kaeru — 2014-05-10T01:00:35Z

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programmes that shape the evolution and use of the Internet. As part of internet governance work we work on policy issues relating to freedom of expression primarily focusing on the Information Technology Act and issues of liability of intermediaries for unlawful speech and simultaneously ensuring that the right to privacy is safeguarded as well. We have worked with the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, and helped him in the preparation of his 2011 report on freedom of speech on the Internet by organizing South Asia-wide consultations.

Note: The two year project with Privacy International and Society in Action Group was for 2010-2012.

Key Research

Our partnership with Privacy International, UK and Society in Action Group, Gurgaon for a two-year research project on Privacy in Asia has produced outputs in these areas:
Banking, Telecommunications, Consumer Protection, IT Act, Limitations, Copyright, Internet Protocol, Media, Sexual Minorities, UID
Submitted seven open letters to the Parliamentary Finance Committee on the UID covering the following aspects:
SCOSTA standard, Centralized Database, Biometrics, Budget, Operational Design, Transactions, Deduplication
Government of India through its various departments sought feedback on the policies listed below. We sent our feedback:
Privacy Approach Paper (22 November 2010), NIA Bill, (13 July 2010), IT Act (28 July 2009), National Policy on Electronics (1 November 2011), Cyber Café Rules (25 February 2011), Security Practices Rules (25 February 2011), Intermediary Due Diligence Rules (25 February 2011).
Peer reviewed essays by Nishant Shah:
Material Cyborgs; Asserted Boundaries (European Journal of English Studies, Volume 12, Issue 2, 2008), Internet and Society in Asia: Challenges and Next Steps (Inter-Asia Cultural Studies, Volume 11, Number 1, March 2010)

SAFEGUARD project

From 2013 to 2015 CIS is working with Privacy International on the Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project. The SAFEGUARD project is directed at enhancing respect for the right to privacy in developing countries through research and engagement in national, regional and international policy dialogues by developing country researchers.

The specific objectives of the project are to:

Generate evidence and analysis on national and regional-level privacy issues;
Identify policy and legislative gaps and obstacles in targeted developing countries;
Enable engagement in policy-making for greater protection and promotion of the right to privacy in the developing world;
Engage with national, regional and international governmental bodies to promote research findings, and raise the profile of privacy issues in regional and international fora.

Key Research

Banking Policy Guide (by Elonnai Hickok, April 22, 2014).
Privacy Protection Bill (by Bhairav Acharya, February 25, 2014).
Privacy Book Chapters: Freedom of Expression and Privacy, Health and Privacy,E-Governance, Identity and Privacy, Telecommunications and Internet Privacy, Consumer Privacy, and Law Enforcement, National Security and Privacy.
India Privacy Monitor Map (by Maria Xynou and Srinivas Atreya, October 31, 2013).

For more details visit https://cis-india.org/internet-governance/front-page

Privacy Matters, Guwahati — Event Report

praskrishna — 2011-08-26T10:31:08Z

On June 23, a public seminar on “Privacy Matters” was held at the Don Bosco Institute in Karhulli, Guwahati. It was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS and was attended by RTI activists and grass roots NGO representatives from across the North Eastern region: Manipur, Arunachal Pradesh, Tripura, Nagaland, Assam and Sikkim. The event focused on the challenges and concerns of privacy in India.

Unfortunately many of the scheduled invitees had to drop out owing to developments on the Lokpal issue at the Centre, and simultaneously Guwahati was witnessing unrest following an agitation over land rights that left three persons dead.

Welcoming the participants, Prashant Iyengar, lead researcher for Privacy India, gave an introduction to the objectives of Privacy India, and briefed the gathering about the thematic “Privacy Matters” consultations previously held across the country in Kolkata, Bangalore and Ahmedabad. Mr. Iyengar also gave a background to issues that India is facing in concern with privacy, explaining the many contexts that privacy can be found in, and raising questions such as: Why is privacy important? How can it be maintained with the way technology is encroaching upon our lives? And how can we make privacy laws functional?

"Privacy objectives are to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. One of Privacy India’s goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultation with the public, legislators and the legal and academic community."

Prashant Iyengar, Privacy India.

Event Sessions

The structure of the event was one of open discussion, with presentations made by those who wanted to share. Throughout the day, the conversation fell into three main topics including: privacy and the RTI, privacy and the UID, and privacy and surveillance in the context of North East India.

Privacy and the RTI

Prashant Iyengar opened the discussion on privacy and the RTI by highlighting the tension between the need for transparency of the State, and the need to protect the privacy of public figures. For many participants privacy and transparency was a new concept that they had just started thinking about. Participant Rakesh (HRLN, Manipur) spoke on the shortcomings that he saw in the RTI Act noting that though the RTI brings some transparency to society, many citizens still do not understand the extent of their Right to Information as it is protected under the Act. Furthermore, the RTI Act is still not applied equally across the country, and the transparency that the RTI tries to achieve is still in very nascent stages. Lowang, a participant from Aru nachal Pradesh, shared the importance of drawing a line between privacy and transparency when it comes to information related to education and health. Anjuman Azra Begum, a research scholar working on indigenous people rights, noted the irony of the RTI as it is meant to bring transparency to the state, yet all ministers and MLA’s take an oath of secrecy, not transparency. Anjuman also spoke on the fact that the RTI often fails to protect the privacy of sensitive issues, such as sexual balance. She echoed Rakesh’s comment on the inaccessibility of the RTI, sharing that for a common person to exercise his/her rights is a very daunting task. Anthony Debbarmun, a human rights activist from Tripura noted that he felt that the North Eastern states are by and large seen as resource (land) by the centre and has shown no concern for citizens and their well-being. Government is seen as a dictator in this region, hence the question — Transparency for whom?, Privacy for Whom? The distinction between the transparency brought about by the RTI and individual privacy was also made. It was pointed out that the RTI is concerned with transparency of the State, but individual privacy is separate from this concept.

Personal Experiences Shared

Anjuman Azra Begum shared her sister’s experience with the RTI. Her sister had applied for a job in 2008. Their family filed an RTI for details of the procedure, but was denied details by the RTI officer, who said that furnishing details would violate the privacy of other candidates. This example raises questions about when it is appropriate for RTI officers to withhold information in the name of privacy, and what mechanisms can be put in place to ensure that the RTI does not use privacy as a way to deny information. Lowang also shared his experience with the RTI. He had filed an RTI asking for answer sheets because he doubted the appointment of police personnel. He was told that the cost in total would be Rs.2000, when in reality each sheet costs Rs.2 — the misconstruing of facts was another example of how RTI officials restrict access information indirectly. From these examples the concern about RTI officials using privacy as an excuse to deny information was brought to the surface. To highlight the problems with the current implementation of the RTI and the lack of basic knowledge of how to use the RTI Mhao Lotha from the DICE Foundation shared a personal experience of his friend who had filed an RTI against the fishery department, and the RTI official simply shouted at her. L. Rima told a similar story as Mhao Lotha. In her experience the RTI is good in theory, but in practice it has become a commercial platform, where officers pay money to applicants for RTI cases to be taken off.

From the discussion and the shared experiences it was clear that the RTI, although a strong law on paper, still faces many challenges in implementation that a privacy law could also face, and that the fact that if more privacy is brought into the RTI, it will become yet another way for the State to avoid disclosing information.

Questions to Consider

Can a privacy law be made to be functional in the same way that the RTI is functional?
In terms of the RTI who should have more privacy? Who should be more transparent? Can NGOs be held accountable under the RTI?
What mechanism should be established to enforce the balance between privacy and transparency?

Privacy and Security/Law Enforcement in the North East of India

Another important discussion held during the conference was the practices of law enforcement in the North East, security, and privacy. Because the North East is in a state of armed conflict several laws such as the Armed Forces Special Powers Act, Sedition Act and provisions in the IPC give immunity to security forces. This has led to gross violation of citizens’ privacy by law enforcement agencies — as the acts give large amounts

of power to law enforcement agencies with little or no accountability, and the acts are often misused. Furthermore, the security laws that exist in the North East explicitly prohibit access to individual personal information. For example, in the Assam Police Manual, which is followed by police in the North East — no papers can be given out to the public except to the investigation officer — this includes personal information such as medical records and post-mortem reports. Anjuman shared an example of how this rule violates individual privacy. In her example, a victim was not allowed access her own medical report, but her medical records were being circulated among police, doctors, and media. This example highlights how privacy and the right to information can go hand in hand as it was the victim’s right to access her own medical file, and at the same time getting access to her own medical file is an act of personal privacy protection.

Personal Experiences Shared

Participants shared how individual privacy is often violated by the army, as it is allowed to enter and search any space without warrant, if there is any type of “suspicion”. They also shared how phone tapping and random monitoring is a common practice by both the army and civil police. For example, one day the police recorded a conversation by Director of the Police, Wireless who was giving a lecture on how to lead an effective agitation. The transcript was handed to the high court and the director punished. Other examples include policemen frisking women in public, newspapers publishing police frisking women in public, and law enforcement agencies compelling pregnant women to give birth in open in front of people. The discussion surrounding privacy and security/law enforcement highlighted an important way in which privacy is violated in the North East. The unregulated action of law enforcement acts as a very real and dangerous way in which individual privacy is violated on a daily basis.

Questions to Consider

Can privacy legislation regulate the acts of law enforcement agencies?
Will privacy legislation be implemented differently in the North East because of the armed conflict?
Will a privacy law supersede other laws such as the AFSPA?

Privacy and the UID

During the conference the discussion also briefly focused on the UID and privacy. It was shared that there had yet to be UID consultations in the North East of India. The only information individuals had about the UID was that it was going to allow individuals to access BPL benefits more easily.

Questions around the UID included: why is the UID needed for citizens living within their own country? How will the UID impact and help families who send their children to gather rations from the ration shops? What is the connection between the UID and the expected privacy law? What is the connection between the UID and intelligence agencies? What would UID mean to people living in border areas?

Conclusion

Privacy as a Fundamental Right

In the closing discussion Prashant Iyengar shared different examples of privacy in Indian case law, and the various ways in which the Supreme Court has defined privacy as a right that is implicit in the right to life. The participants discussed what privacy means to them, and what they thought a right to privacy should entail. Among the points raised, it was brought up that privacy should be a right that is legally protected for sovereign individuals. The law should also include parameters and limitations in order to protect an individual’s autonomy. Furthermore, privacy should be understood and linked to the concept of human rights and individual rights. From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Property rights and privacy
Privacy rights of minorities
Privacy and the UID
Privacy and law enforcement agencies
Privacy as a fundamental right
The interplay of privacy law and traditional law

Download the Event Report here [PDF, 178 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-guwahati-report