Centre for Internet and Society

Consilience – 2013

praskrishna — 2013-11-20T06:15:15Z

The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013′, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.

Theme: Data Protection and Cyber Security in India. Click to read the report here.

Topics:
Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”

a. What is the scope of the principles/framework?

b. What could be the strengths and limitation of their application?

c. How does Report define privacy for India?

d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?

India and the EU: The Privacy Debate

a. How does the Indian data protection regime differ from the EU regime?

b. Was the EU is justified in not accepting India as a data secure country? Reason for or against.

c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?

d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?

Governmental Schemes, Data Protection, and Security

a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?

b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)

c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?

d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?

Contracts and Data Protection in India

a. How are contracts used to ensure data protection in India? What actors use contracts?

b. Are there weaknesses in using contracts to ensure data protection standards?

c. Do contracts address questions brought about from technology like the cloud?

Cyber security in India

a. What are the perceived challenges and threats to cyber security in India?

b. Are these currently being addressed through policy/projects? If yes, how so?

c. How does India’s cyber security regime compare to other countries?

Surveillance and Cyber Security

a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?

b. If so – through what policy, projects, legislation?

c. Do the relevant policies, projects, and legislation impact privacy? How so?

The Draft National Cyber Security Policy

a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?

b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?

c. How does the Draft National Cyber Security Policy compare to other countries cyber security policies?

Word Limit:

Abstract: 750-800 words

Paper: 2,500 words

Deadlines:

Abstract Submission: April 30, 2013

Paper Submission: May 15, 2013

Contact Details:

consilience2013[at]gmail[dot]com

Mohak Arora: +91-90359-21926

Shivam Singla: +91-99167-08701

Each participant is required to submit an abstract on any one of the seven topics above and can choose the specific issue within the selected topic to discuss.

For additional details, click here.

For more details visit https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore

The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!

maria — 2013-07-12T11:59:10Z

Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out!

This blog post has been cross-posted in Medianama on May 8, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

So yes, we live in an Internet Surveillance State. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?

Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it lacks privacy legislation which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.

The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?

A glimpse of the surveillance industry in India

In light of the UID scheme, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network System (CCTNS) and the Central Monitoring System (CMS), who supplies law enforcement agencies the technology to surveille us?

In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies simultaneously produce internet monitoring software and encryption tools! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.

Companies selling surveillance technology in India are listed in Table 1. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.

Table 2 shows the types of surveillance technology produced and sold by these 76 companies.

The graph below is based on Table 2 and shows which types of surveillance are produced the most by the 76 companies.

Graph on types of surveillance sold to law enforcement agencies by 76 companies in India

Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the UID scheme which is rapidly expanding across India. Only one company from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the Central Monitoring System (CMS), especially since the project would have to monitor and mine Big Data.

On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since the majority of the population in India does not even have Internet access. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while more than half the population owns mobile phones. Seeing as companies, such as ClearTrail Technologies and Shoghi Communications, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.

Did you Know:

CARLOS62 on flickr

WSS Security Solutions Pvt. Ltd. is north India´s first CCTV zone
Speck Systems Limited was the first Indian company to design, manufacture and fly a micro UAV indigenously
Mobile Spy India (Retina-X Studios) has the following mobile spying features:

SniperSpy: remotely monitors smartphones and computers from any location

Mobile Spy: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces

4. Infoserve India Private Limited produces an Internet monitoring System with the following features:

Intelligence gathering for an entire state or a region
Builds a chain of suspects from a single start point
Data loss of less than 2%
2nd Generation Interception System
Advanced link analysis and pattern matching algorithms
Completely Automated System
Data Processing of up to 10 G/s
Automated alerts on the capture of suspicious data (usually based on keywords)

5. ClearTrail Technologies deploys spyware into a target´s machine
6. Spy Impex sells Coca Cola Tin Cameras!
7. Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and Lighter Video Cameras to name a few...
8. Raviraj Technologies is an Indian company which supplies RFID and biometric technology to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?

Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further oppression within these countries

Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards

“I´m not a terrorist, I have nothing to hide!”

r1chardm on flickr

It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:

“I´m not a terrorist, I have nothing to hide!”

Indeed. You may not be a terrorist...and you may think you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?

Last year at the linux.conf.au, Jacob Appelbaum stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. Bruce Schneier has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.

That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, we are all potentially suspects. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called ´risky information´. As long as our data is being surveilled, we are all suspects, which means that we can all potentially be arrested, interrogated and maybe even tortured, just like any other criminal suspect.

But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.

Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The market appears to demand for surveillance technologies because a pre-existing surveillance culture has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as 3M, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that surveillance is being socially integrated. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.

By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as NATGRID and the CMS in India- or by handing over our data, we are fuelling the surveillance state. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution and of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.

Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because India lacks privacy legislation which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.

Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as Raviraj Technologies, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus export controls are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.

Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even murdered in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.

For more details visit https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers

Is free speech an Indian value?

praskrishna — 2013-04-30T07:18:10Z

Is freedom of speech and expression deeply accepted in Indian society? Or is it merely a European cultural import that made its way along with the English language and appeared in the Constitution because of the founding fathers' genius? Satarupa Sen Bhattacharya reviews Freedom Song, a film and connects the dots.

Satarupa Sen Bhattacharya's blog post was published in India Together on April 27, 2013. Snehashish Ghosh is quoted.

Debates on freedom of speech can be traced back to the earliest evolutions of human society, but if there is a time which could be considered most apposite for this debate to come to the fore and dominate public thought and discourse, this surely would be it for Indian society.

From the banishment of literary icons such as Salman Rushdie to repeated assaults on artists and cartoonists seeking to express their viewpoints through their art, and even the gag on the common man’s voice in traditional and new media, freedom of speech and expression has found itself under fire increasingly and in the most alarming of ways.

Is India as a nation becoming more intolerant of contrarian perspectives, or is it merely that voices seeking to stifle dissent are now amplified, thanks to a greater number, as well as newer forms, of media covering this debate?

Can India really achieve free speech in the way that its founding fathers conceived of and constitutionalized it?

These are the questions probed in Freedom Song – a 52-minute documentary from the Public Services Broadcasting Trust, co-directed by veteran journalist, author and academic Paranjoy Guha Thakurta and Professor Subi Chaturvedi.

Freedom Song, the film

Interestingly, since the time Freedom Song was conceived of and filmed, the clamp-down or attacks on free speech in India have only become more frequent and flagrant. This was made much before the time that Salman Rushdie, in almost a repeat of the 2010 Jaipur Lit-fest incident, was stopped by the state from attending the screening of Midnight’s Children in Kolkata; or when two young girls from Palghar in Maharashtra were arrested by the police merely because one of them had questioned on Facebook the derailment of normal life in Mumbai following Balasaheb Thackeray’s death and the other had ‘liked’ it; or even before the long-awaited Kamal Hassan film Vishwaroopam was banned for purportedly offending the sensibilities of a religious community in a few scenes, which the director eventually had to agree to censor in order to ensure that his creation could reach the audience.

Freedom Song, the documentary, chronologically precedes all of these as well as the debate and outrage over sociologist Ashish Nandy’s remarks on corruption and backward castes; yet, when one sees it now, recalls the numerous incidents highlighted in the film, and hears the debates that rage on, the larger context and culture that has facilitated the perpetuation of suppression become clearer. It also drives home, disturbingly, the alarming regularity with which speech and expression have been muffled. It can thus be seen as a commentary on the gradual but consistent build-up to the current climate where there is an almost systematic and continuous crackdown on free speech whenever it inconveniences the powers-that-be.

Gags on expression - recent incidents

In July 2010, when T.J. Joseph, a professor of Malayalam at the Newman College in Thodupuzha (Ernakulam district) in Kerala was arrested by police following a controversial examination question set by him, allegedly containing disparaging remarks about the Prophet Mohammad. He was released on bail but suspended from his post following protests by Islamic organizations. But suspension wasn’t the last of Joseph’s tribulations: he was brutally attacked by a gang of men who chopped off his hand at the wrist with an axe. He was also stabbed in the arms and legs. While Joseph’s hand was stitched back in a 16-hour-long operation, even as he was recuperating, his college terminated his services on grounds that he had offended the religious sentiments of students. He was also stripped of all benefits and pension.

Curiously, Joseph himself distances the entire incident from the issue of freedom of expression. In his conversation with the film-makers he says that whatever happened could be interpreted as attempts to meddle with and dilute academic independence in the state. “The incident is not related to the issue of freedom of expression...external attempts to break down communication between students and their teacher was at the core of the entire episode,” says Joseph. Even Union Minister for Human Resource Development Shashi Tharoor, who hails from the state himself, attributes this incident to the act of some anti-social fringe elements who masquerade as representatives of a particular community. But these arguments from the victim himself, and an eminent authority, cannot resolve the question of his expulsion from service. Nor can they address the fact that the atmosphere of tolerance in the country is such that anti-socials can hijack as simple an academic exercise as question-setting to their advantage and perpetrate such atrocities.

A more recent incident highlighted in the documentary is the arrest and detention of Ambikesh Mahapatra, a professor of Chemistry in Jadavpur University of West Bengal for forwarding a set of cartoons that allegedly defamed Chief Minister Mamata Banerjee. Shortly after the dismissal of Union Railway Minister, Trinamool’s Dinesh Trivedi, and his replacement by Mukul Roy, the widely-circulated cartoon showed Roy and the CM having a conversation along the lines of one in a very popular Satyajit-Ray film, conspiring to get rid of Trivedi.

Ambikesh was not the creator of this cartoon – as he himself says, he received it on a forwarded email. Amused by it, he wanted to share it with his friends. Thus he forwarded it again to over 60 members of his housing co-operative society, some of whom happened to have affiliations to the party in power. This action led to the professor being arrested and charged under IPC Sections 509 (insulting the modesty of a woman), Section 500 (defamation) and Section 66 A of the IT Act (causing offence using a computer). He had to spend a night in jail before he was released on bail the following afternoon.

However, charges against the professor have since been dropped and the West Bengal Human Rights Commission (WBHRC) ruled that the state police were indeed guilty of harassing the professor (and one of his colleagues, who had also been arrested).

Paranjoy Guha Thakurta, co-director of Freedom Song

Muffling creativity

One thing that stands out pretty sharply in Freedom Song is the deep angst shared by the creative fraternity in the country over the assault on free speech. Perhaps, by dint of being that section of society which is most inclined to spontaneous and non-conformist expression, they also constitute one of the most vulnerable groups when it comes to being restrained or gagged.

One of the darkest chapters of suppression of artistic expression in India relates to the forced exile of iconic painter M F Hussain during the last days of his life, after being targeted for his nudist depictions of Hindu Gods and Goddesses. Sadly, as artist Arpana Caur points out, such waves of intolerance or fanaticism fail to factor in either subjective value judgments (how deeply Hussain must have loved Hindu culture and mythology to actually apply his creative instincts to bring it alive) or objective facts (that the nudist paintings were actually done in the ancient Khajuraho tradition of figurative depiction, it was not something Hussain had developed).

Often, the gag on works by artists and writers has transcended to direct discrimination against the person himself. The state of West Bengal banned exiled Bangladeshi author Taslima Nasreen’s book “Dwikhandito” in 2003 on fears that it would stoke communal disharmony. When human rights activists challenged the decision in Court and managed to win rulings on her behalf, the writer herself was banished from public life in the state. She was unceremoniously asked to leave the state in 2007, after violent protests against her by fundamentalists. Much later in 2012, even after the political reins in the state had changed hands, the launch of her book at the Kolkata Book Fair was cancelled upon threats of protest.

One of the most heart-rending is the story of Pakistani singer Ali Haidar, who confesses to being almost brainwashed, in one of his weakest moments, by radical elements into believing that the loss of his child was in fact a retribution for him having taken up music as a profession.

The feeling of anger, frustration and even a sense of bewilderment among the artists, writers and performers interviewed in the documentary is almost palpable. As Rajiv Lochan, Director of the National Gallery of Modern Art, says, “Freedom of expression, creative freedom…in simple words, that is the only freedom you are born with...” The unuttered question of how anyone can take that away from you hangs heavy in the silence.

If artists are the most vulnerable, they are also perhaps the most resilient. In the context of the various cartoon controversies that this nation has seen and the proscriptions of cartoonists from Shankar to Aseem Trivedi, eminent political cartoonist Sudhir Tailang says, “We cartoonists know only one way of protest, which is the most peaceful, Gandhian way…you do what you want, we’ll draw a cartoon…and more cartoons… we’ll flood you with cartoons.”

The defiance and rejection of censorship is also strongly voiced by noted danseuse Mallika Sarabhai, who talks of the various forms of attack and insult that she has been subjected to for her unconventional presentations and activism, but asserts that despite all of it, she feels it is her “dharma to go on.”

The language barrier

Perhaps unwittingly, Freedom Song tends to favour the premise that freedom of speech as a principle in India is largely a preoccupation among the English-educated, intellectual and creative segments of the populace. Even the musical score that has played such a dominant part in invoking the spirit of freedom throughout the film seems to underline that - from the refrains of Bob Marley’s ‘Won't you help to sing these songs of freedom,’ to the remixed pop version of ‘Raghupati Raghav Raja Ram’ that one hears in parties and joints in India’s westernized urban landscape.

How attuned to the issue of free speech is the wide majority of India, the section that still follows vernacular media and are relatively distanced from the constructs of Anglo-Saxon influence? The verdict on the linguistic divide does not emerge with clear certainty when we talk to intellectuals or thought leaders from various parts of the country.

In the words of academic Subhoranjan Dasgupta, a professor at the Kolkata-based Institute of Development Studies, mainstream Bengali media has played a big role in highlighting transgressions of freedom of speech and expression every time it has occurred, irrespective of the political regime in power at the time.

"Whether in the case of the ban on Taslima Nasreen or the arrest of Professor Mahapatra, local media - and especially two widely-followed dailies, the Anandabazar Patrika and Ei Shomoy - have been audibly vocal and consistent in their coverage of these incidents," says Dasgupta. "Irrespective of political ideologies, the common man in Bengal knows that Taslima Nasreen got a raw deal or that what happened to the professor was not acceptable," he adds. Ostensibly, the role of local media in such public consciousness cannot be written off. In a way, it might not be an exaggeration to say that the voices of these publications have been instrumental, to a large extent, in ensuring that these issues grab the eyeballs of the largest number possible, and hence gain traction.

And yet, a completely different picture emerges as one reaches out to another part of the country. Badri Seshadri, Publisher, New Horizon Media - a Chennai-based company that publishes books in Tamil, and an active blogger, feels that notions of freedom, or free speech, are essentially offshoots of the modern era which have found a voice in our country primarily through English media.

Seshadri goes back to the freedom struggle in India when many among the noted thought leaders and freedom exponents wrote both in English and the local language. In those days, the discourse on freedom of thought and expression were perhaps more at par across spheres. But with the dying trend of bilingual writing, intellectual writing increasingly gravitated towards English. Today, the gulf between English writers and regional writers has become so huge in his state that even the most fundamental of issues are discussed in vocabularies that cannot bridge the schism. Issues pertaining to secularism and democracy are viewed with a completely different lens in vernacular media, and those pertaining to liberalism, not at all.

"Take the case of the most recent ban on Kamal Hassan's Vishwaroopam," points out Seshadri; "this was not a film made in Hindi or English that you could assume to be emotively disconnected from the Tamil mindspace. It was a film that had been made by one of the cult film personalities of the region, and yet even as the national English media followed this issue and consistently questioned the violation of an individual's right to creative freedom, deliberations in local channels and publications were strangely muted and focused only on whether or not the disputed scenes in the film could be considered to be offensive to the Islamic community. The larger debate on whether one has the right to offend, in an impersonal way, was completely missing." Those who want to toe the line of liberalism either through their writing or new media are dismissed as harbouring "fancy" ideals or pandering to Western sensibilities.

Guhathakurta, himself, disagrees with the claim that free expression is essentially a Western construct or that debates around it are restricted to the chattering classes in plush drawing rooms. “It is something that concerns every common man,” he says, referring to the case of Laxmi Oraon, the teenaged tribal girl who was stripped, beaten and molested in the streets of Guwahati, where she had been part of a peaceful protest rally, seeking the inclusion of 80 lakh Adivasis living in Assam in the ST category. Traumatised and deeply angered by the brutal injustice meted out to her and the lack of legal redress, Laxmi eventually even contested the Lok Sabha elections, points out the director in order to elucidate the struggle that even the most marginalized take part in to press for their fundamental rights.


A still from the documentary Freedom Song. Pic: PSBT India via Youtube

"Reasonable” restrictions

Despite the continuous infringements on artistic and even individual expression, what emerges from the film is not a blanket wave of intolerance that is engulfing society but rather certain powerful groups with vested interests who are driven either by fanaticism for their ideologies or by the lure of political mileage to raise voices against freedom. In the age of 24x7 channels, their voices gain in both volume and pitch and new media enables greater visibility and debate around it.

As Tharoor says, “The government has the lowest level of tolerance possible because it cannot be seen as offending anybody who is held precious by any segments of Indian society.”

Veteran journalist Saeed Naqvi points out, “You have a whole link between the politician, the vote bank and the proprietor. Therefore, the freedom of the press, while this trio exists, is under threat.”

But having said all of the above, it is also clear that defining freedom, especially in an absolute sense, is in itself a huge challenge that most of society acknowledges. More so, in the context of Article 19 (2) of the Constitution which itself allows the state to impose “reasonable restrictions on the exercise of the right...in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”

Senior journalists such as Rajdeep Sardesai are quoted in the documentary, expressing their support for such ‘reasonable restrictions’ to combat the spread of expression or opinion that fuels divisiveness or hatred in society. But the fact remains that such restrictions not only add a qualifier to freedom as enshrined in the founding principles, but also create the larger question of ‘who decides?’

Young India however would prefer to see Article 19 (2) as an enabler rather than as a veto. As Apar Gupta, an advocate of the Supreme Court says in the film, he would like to believe that the incorporation of “reasonable restrictions” was done with a view to ensuring that the Constitution does not remain a static document and does not apply only to fixed definitions of facts and circumstances. Certainly not with the objective of curbing any form of dissent or deviation from convention.

Fali S. Nariman, senior advocate to the Supreme Court and a constitutional jurist, also points out very pertinently that the range of restrictions in 19(2) does not include public interest.

Reality does not bear that out though; especially when one looks at the many recent instances of arbitrary impositions of Sec 66A of the IT Act in booking individuals for expression of their opinion and stances through channels offered by new media and Internet. The documentary in itself does not delve deep into the challenges and threats to freedom of expression that have emerged in the FB/Twitter era, perhaps because many of the most volatile and controversial cases surrounding freedom of speech on the Internet occurred after the film was made. But a new debate is brewing in India, especially after the Palghar incident or the arrest of a Puducherry businessman for allegedly posting 'offensive' text on the micro-blogging site Twitter about the son of an Union Minister.

Snehashish Ghosh, a lawyer and Policy Associate at the Centre for Internet and Society, Bangalore, says, “Essentially, there are eight restrictions on freedom of speech and expression as enumerated in Article 19(2) of the Constitution. The Supreme Court in many cases has held that these reasonable restrictions should be construed narrowly and with due regards to the value of freedom of speech in a democratic society. Section 66A in its current form goes well beyond the restrictions laid down under Article 19(2). Therefore, it is liable to be struck down for being in violation of Article 19(1)(a) of the Constitution.”

Snehashish also feels that technologically, in the present time, it would be near-impossible to 'monitor' the Internet. As far as regulations are concerned, there are laws already in place which ensure the implementation of reasonable restrictions. For example, the Indian Penal Code, 1860 already covers offenses such as incitement of violence, obscenity, criminal intimidation and outraging religious sentiments. The laws which are being applied offline are well equipped to deal with offenses committed online. There is no need to have extraordinary laws where ordinary laws suffice.

But in a country that appears to grow increasingly thin-skinned with time, the import of such logic could well be lost.

Access and freedom

Interestingly, Freedom Song begins with a series of frames capturing the widely different and divergent faces of Indian society, fast moving scenes juxtaposing the educated, affluent sections of urban India against the child who performs on sidewalks to earn his bread or the old emaciated man getting his night’s sleep on the pavement. The clear correlation between access – to basic needs, education and media – and the very consciousness of freedom is hard to ignore.

“Freedom to me is the ability to do what I want, where no one tells me to do anything” says one child on screen, evidently from an English-speaking, relatively privileged background; but one cannot help feeling that his coherence and articulation on freedom would be hard to come across in the children on the streets who are filmed in some of the previous shots.

The point that access to the very basic necessities of life is a necessary condition for freedom of expression is driven home by social activist Ram Bhat in the documentary, who says that despite the technologies aiding free expression, and the profusion of players in this debate, talk of freedom of speech will be pointless unless the problem of access is solved. In its absence, such freedom will remain the privilege of a few.

On balance, in all the voices that emerge from our conversations, and the many more episodes that Freedom Song, the documentary narrates, the only thing that can be concluded without doubt is the challenge of establishing freedom as a perennial or permanent concept in a country as complex and diverse as India. A truly effective and desirable state of free speech and expression can only evolve out of a continuous, fearless, rational dialogue between society and its stakeholders, in which all voices are expressed and heard.

Whether India, as a whole, can facilitate such a dialogue is going to be the moot question in the times to come.

For more details visit https://cis-india.org/news/india-together-april-27-2013-satarupa-sen-bhattacharya-is-free-speech-an-indian-value

IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:47:46Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69B Rules and official 69B Rules under Section 69B in order to better understand how the two are similar and how they differ. Notes have been included on some changes we deemed to be important.

There has been a considerable amount of re-arrangement and re-structuring of the various clauses between the 69B Draft Rules and the official Rules, as can be seen in the comparison chart, but very little content has been changed. The majority of the changes made to the official Rules are changes in wording and language that serve to provide some much-needed clarification to the Draft Rules (see the differences between Clause (9) of the Draft Rules and sub-section (4) of Clause (3) of the official Rules as an example). Language redundancies, as well as full clauses (Clause [6] of the Draft Rules) have been thankfully removed in the official Rules.

Aside from the addition of four definitions, including a definition for a “security policy”, a phrase which appears in the Draft Rules without being defined, Clause (2) contains what is most likely one of the more noteable changes between the two definitions: under sub-section (g) in the 69 Rules, the words “or unauthorised use” have been added to the definition of “cyber security breaches”, which significantly increases the scope of what can be considered a cyber security breach under the Rules.

A significant change between the two sets of rules can be found in sub-section (2) of Clause (8) of the official rules, which states that, “save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information”. The section in italics has been added to the original Clause (22) of the Draft Rules, meaning that when the Rules were originally drawn up, no exceptions were to be made for the destructions of the records for the issuing of directions for monitoring and/or the collected information. They would simply have to be destroyed within six months of the discontinuance of the monitoring/collection.

One change that may or may not be significant is the replacement of the words “established violations” in the Draft Rules to simply “violation” in the official Rules in Clauses (19)/(6), which deal with the responsibility of the intermediary. This could be taken to mean that suspected and/or perceived violations may also be punishable under this clause, but this is a hard stance to argue. Most likely the adjustment was made when those superfluous and/or convoluted parts of the Draft rules were being removed.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-b-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:56:07Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69 Rules and official 69 Rules under Section 69B in order to better understand how the two are similar and how they differ. Very brief notes have been included on some changes we deemed to be important.

Similar to the other comparisons that I have done on the 69A and 69B Draft and official Rules, the majority of the changes between these two sets of rules serves to restructure and clarify various clauses in the Draft 69 Rules.

Three new definitions appear in the Clause (2) of the 69 Rules, including a definition for “communication”, which appears in the Draft Rules but has no associated definition under Clause (2) of the Draft Rules.

Clause (31) of the Draft Rules, which deals with the requirement of security agencies of the State and Union territories to share any information gathered through interception, monitoring and/or decryption with federal agencies, does not make an appearance in the official rules. Further, this necessity does not seem to be implied anywhere in the official 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-rules-draft-and-final-version-comparison

April 2013 Bulletin

praskrishna — 2013-05-31T08:07:38Z

The Centre for Internet & Society (CIS) welcomes you to the fourth issue of its newsletter for the year 2013. In this issue we bring you an overview of our research programs, updates of events organised by us, events we participated in, news and media coverage, and videos of some of our recent events.

Celebrating 5 Years of CIS
We at the Centre for Internet and Society celebrate 5 years of existence with an exhibition showcasing our work and accomplishments over this time. The exhibition will be held concurrently at both our Bangalore and Delhi offices from May 20 to 24, 2013, from 10 a.m. to 8 p.m.

Google Policy Fellowship
CIS is inviting applications for the Google Policy Fellowship programme. Google is providing a USD 7,500 stipend to the India fellow who will be selected by July 1, 2013. Fellowship focus areas include Access to Knowledge, Openness in India, Freedom of Expression, Privacy, and Telecom Send in your applications for the position by June 15, 2013.

Jobs
CIS invites applications for the posts of Developer (NVDA Screen Reader Project), and Programme Officer (Internet Governance). To apply send your resume to sunil@cis-india.org and pranesh@cis-india.org. CIS also invites applications for the post of Programme Officer (Access to Knowledge, Pilot Projects). To apply for this position send your resume to vishnu@cis-india.org.

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another is for developing a screen reader and text-to- speech synthesizer for Indian languages. CIS is also working with the World Blind Union and many other organisations to develop a Treaty for the Visually Impaired helped by the WIPO:

National Resource Kit for Persons with Disabilities
Anandhi Viswanathan from CIS and Manojna Yeluri from the Centre for Law and Policy Research are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapters on Himachal Pradesh, Goa, Jammu and Kashmir and Rajasthan:

The Himachal Pradesh Chapter (by Anandhi Viswanathan, April 30, 2013).
Goa Chapter (by Anandhi Viswanathan, April 30, 2013).
The Jammu & Kashmir Chapter (by Anandhi Viswanathan, April 30, 2013).
The Rajasthan Chapter (by Manojna Yeluri, April 30, 2013).

Note: All of these are early drafts and will be reviewed and updated.

Events Organised

Girls in ICT Day (April 25, 2013, Mitra Jyothi Auditorium, HSR Layout, Bangalore). Dr. U.B. Pavanaja gave a talk on Social Media and Kannada Language for Women with Disabilities. Sara Morais wrote an event report.
Global Accessibility Awareness Day (May 9, 2013, TERI, Southern Regional Centre, Domlur, Bangalore).

Announcement

CIS Gets ITU-D Sector Membership: CIS has become a sector member of ITU-D.

Access to Knowledge and Openness

The Wikimedia Foundation awarded CIS a two year grant of INR 26,000,000 to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Wikipedia
Beginning from September 1, 2012, Wikimedia Foundation awarded CIS a two-year grant of INR 26,000,000 to support and develop free knowledge in India. The A2K team consists of four members based in Delhi: T. Vishnu Vardhan, Nitika Tandon and Subhashish Panigrahi, and one team member Dr. U.B. Pavanaja who is working from Bangalore office. Noopur Raval, Programme Officer has left the organisation. April 24, 2013 was her last working day.

Indic Wikipedia Visualisation Project

Indic Wikipedia Visualisation Project #2: Visualising Page Views and Project Pages.

Blog Entries

Indian WikiWomen celebrate Women’s History Month (by Netha Hussain, April 29, 2013).
Analysis of Konkani Wikipedia: Facts & Challenges (by Nitika Tandon, April 30, 2013).
Odia Wikipedia: Needs Assessment (by Subhashish Panigrahi, April 30, 2013).

Event Organised

Kannada Wikipedia Workshop (April 29, 2013, Govinda Pai Research Centre, MGM College Udupi). Dr. U.B. Pavanaja led the workshop and gave a talk on Kannada Wikipedia.

Events Co-organised
The following events were organised in the month of March but reports were written during the month of April. Vishnu Vardhan and Subhashish Panigrahi held meetings with wikipedians:

Kolkata Wiki Community Meetup (organised by CIS and Kolkata Wiki Community, March 14, 2013).
Odia Wikipedia - Cuttack Community Meetup (organised by CIS and Odia Wiki Community, Cuttack, March 16, 2013).
Odia Wikipedia – Bhubaneswar Community Meetup (organised by CIS and Odia Wiki Community, Bhubaneswar, March 17, 2013).

The following event was organised in the month of April. We will be publishing the report soon:

Telugu Wiki Mahotsavam 2013 (organised by Telugu Wikipedia Community and CIS, Hyderabad, April 9 – 11, 2013). Vishnu Vardhan was one of the trainers at the Wikipedia Academy at Centre for Good Governance on April 9, 2013. Vishnu Vardhan spoke about the Access to Knowledge work in one of the sessions of Wikimedia Meeting with Media Heads on April 10, 2013. Vishnu Vardhan gave a talk on A2K’s plans for the growth of Telegu Wikipedia in 2013-14 at the Telegu Wikipedia general meeting on April 11, 2013. Vishnu Vardhan also gave a talk about Access to Knowledge in the digital era at the Wiki Chaitanya Vedika on April 11, 2013.

Other Access to Knowledge Updates

WIPO

CIS Intervention on the Treaty for the Visually Impaired at SCCR/SS/GE/2/13 (Geneva, April 18 – 20, 2013). Pranesh Prakash participated in the session and spoke about the rights of the visually impaired.

Internet Governance

The Internet Governance programme conducts research around the various social, technical, and political underpinnings of global and national Internet governance, and includes online privacy, freedom of speech, and Internet governance mechanisms and processes. Currently, CIS is doing a project with Privacy International, London to facilitate research and events around surveillance, and freedom of speech and expression.

Information Technology

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison (by Jadine Lannon, April 27, 2013).
Indian Telegraph Act, 1885, 419A Rules and IT (Amendment) Act, 2008, 69 Rules (by Jadine Lannon, April 28, 2013).
IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).
IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison (by Jadine Lannon, April 30, 2013).

Resources
The below rules were published recently:

Newspaper Column

Off the Record (by Nishant Shah, Indian Express, April 6, 2013).

Privacy

India´s ´Big Brother´: The Central Monitoring System (CMS) (by Maria Xynou, April 8, 2013).

Events Organised
Maria Xynou gives an overview of the discussions and recommendations from the privacy round tables held in Delhi and Bangalore:

A Privacy Round Table in Delhi (organized by CIS and Federation of Indian Chambers of Commerce and Industry, FICCI Federation House, Tansen Marg, New Delhi, April 3, 2013).
A Privacy Round Table in Bangalore (organized by CIS and Federation of Indian Chambers of Commerce and Industry, Jayamahal Palace, Jayamahal Road, Bangalore, April 20, 2013).

Announcements

2nd Expert Committee meeting on draft 'Human DNA Profiling Bill 2012': The Department of Biotechnology has constituted an Expert Committee to discuss various issues of this Bill in detail. Sunil Abraham has been nominated as one of the members of this Committee. A meeting of this Expert Committee has been scheduled for May 13, 2013 under the Chairmanship of Dr. T. S. Rao, Adviser, DBT.
Chinmayi Arun is one of the international experts supporting the Internet & Jurisdiction project, a global multi-stakeholder dialogue process.

Upcoming Events

A Privacy Round Table in Chennai (co-organised with Data Security Council of India and the Federation of Indian Chambers of Commerce and Industry, Residency Towers, Sir Thyagaraja Road, T Nagar, Chennai, May 18, 10.30 a.m. to 4.00 p.m.).
Consilience – 2013 (National Law School of India University, Bangalore, May 26 – 27, 2013).

Other Event Hosted

Or-bits.com — A Talk by Marialaura Ghidini (CIS, Bangalore, April 19, 2013). Marialaura Ghidini gave a talk abou the creation and activities of or-bits.com, a web-based curatorial platform that she founded in 2009.

News and Media

Clarify and define terms in IT rules, panel tells govt. (by Prashant Jha, Hindu, April 1, 2013).
India takes its first serious step toward privacy regulation – but it may be misguided (Privacy Surgeon, April 9, 2013).
Regulating Social Media: Unrealistic, Impossible, Necessary? (NDTV, April 11, 2013). Pranesh Prakash participated in a discussion on social media aired on NDTV.
Social media may influence 160 LS seats in 2014 (by Zia Haq, Hindustan Times, April 12, 2013).
Vote: Will Social Media Impact the Election? (by R. Jai Krishna, Wall Street Journal, April 15, 2013).
Untangling the web of India's 'ungovernable' Net (Deutsche Welle, April 15, 2013).
CIS in GNI Annual Report (April 25, 2013). CIS gets mentioned in GNI Annual Report. Sunil Abraham is quoted in it.
Is free speech an Indian value? (by Satarupa Sen Bhattacharya, India Together, April 27, 2013).

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project on Internet Access. It covers the history of the internet, technologies involved, principle and values of internet access, broadband market and universal access and will touch upon various polices and regulations which has an impact on internet access and bodies and mechanism which are responsible for formulation policies related to internet access. The blog posts and modules will be published in a new website: www.internet-institute.in.

Upcoming Event
We are hosting an “Institute on Internet and Society” with the support of Ford Foundation India, which is to be held from June 8, 2013 to June 14, 2013. Call for registration and relevant details have been announced.

The following units have been published:

Internet Infrastructure (by Srividya Vaidyanathan, April 30, 2013).
Internet Service Provider – Introduction (by Srividya Vaidyanathan, April 30, 2013).

Telecom

CIS is involved in promoting access and accessibility of telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Prioritizing Communications & Energy (by Shyam Ponappa, Business Standard and Organizing India Blogspot, April 4, 2013).

Blog Entry

From Open Citizen Radio Networks to the Race for .RADIO gTLD (by Sharath Chandra Ram, April 30, 2013).

Event Participated

Broadband Policy Course (organised by Lirne Asia, Bangalore, April 5 – 6, 2013). Nirmita Narasimhan and Snehashish Ghosh attended the course.

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.
Follow us elsewhere

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/april-2013-bulletin

Indian Telegraph Act, 1885, 419A Rules and IT (Amendment) Act, 2008, 69 Rules

jdine — 2013-04-30T10:04:38Z

Jadine Lannon has performed a clause-by-clause comparison of the 419A Rules of the Indian Telegraph Act, 1885 and the 69 Rules under Section 69 of the Information Technology (Amendment) Act, 2008 in order to better understand how the two are similar and how they differ. Though they are from different Acts entirely, the Rules are very similar. Notes have been included on some changes we deemed to be important.

Though they are from different Acts entirely, the 419A Rules from the Indian Telegraph Act of 1885 and the 69 Rules from the Information Technology (Amended) Act, 2008 are very similar. In fact, much of the language that appears in the official 69 rules is very close, if not the same in many places, as the language found in the 419A rules. The majority of the change in language between the 419A Rules and the equivalent 69 Rules acts to clarify statements or wordings that may appear vague in the former. Aside from this, it appears that many of the 69 Rules have been cut-and-pasted from the 419A Rules.

Arguably the most important change between the two sets of rules takes place between Clause (3) of the 419A Rules and Clause (8) of the 69 Rules, where the phrase “while issuing directions [...] the officer shall consider possibility of acquiring the necessary information by other means” has been changed to “the competent authority shall, before issuing any direction under Rule (3), consider possibility of acquiring the necessary information by other means”. This is an important distinction, as the latter requires other options to be looked at before issuing the order for any interception or monitoring or decryption of any information, whereas the former could possibly allow the interception of messages while other options to gather the “necessary” information are being considered. It seems unreasonable that the state and various state-approved agencies could possibly be intercepting the personal messages of Indian citizens in order to gather “necessary” information without having first established that interception was a last resort.

Another potentially significant change between the rules can be found between Clause (15) of the 419A Rules, which states, in the context of punishment of a service provider, the action taken shall include “not only fine but also suspension or revocation of their licenses”, whereas Clause (21) of the 69 Rules states that the punishment of an intermediary or person in-charge of computer resources “shall be liable for any action under the relevant provisions of the time being in force”. This is an interesting distinction, possibly made to avoid issues with legal arbitrariness associated with assigning punishments that differ for those punishments for the same activities laid out under the Indian Penal Code. Either way, the punishments for a violation of the maintenance of secrecy and confidentiality as well as unauthorized interception (or monitoring or decryption) could potentially be much harsher under the 69 Rules.

In the same vein, the most significant clarification through a change in language takes place between Clause (10) of the 419A and Clause (14) of the 69 Rules: “the service providers shall designate two senior executives of the company” from the 419A Rules appears as “every intermediary or person in-charge of computer resource shall designate an officer to receive requisition, and another officer to handle such requisition” in the 69 Rules. This may be an actual difference between the two sets of Rules, but either way, it appears to be the most significant change between the equivalent Clauses.

The addition of certain clauses in the 69 Rules can also give us some interesting insights about what was of concern when the 419A rules were being written. To begin, the 419A rules provide no definitions for any of the specific terms used in the Rules, whereas the 69 Rules include a list of definitions in Clause (2). Clause (4) of 69 Rules, which deals which the authorisation of an agency of the Government to perform interception, monitoring and decryption, is sorely lacking in the 419A rules, which alludes to “authorised security [agencies]” without ever providing any framework as to how these agencies become authorised or who should be doing the authorising.

The 69 Rules also include Clause (5), which deals with how a state should go about obtaining authorisation to issue directions for interception, monitoring and/or decryption in territories outside of its jurisdiction, which is never mentioned in 419A rules, lamely sentencing states to carry out the interception of messages only within their own jurisdiction.

Lastly, Clause (24), which deals with the prohibition of interception, monitoring and/or decryption of information without authorisation, and Clause (25), which deals with the prohibition of the disclosure of intercepted, monitored and/or decrypted information, have fortunately been added to the 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/indian-telegraph-act-419-a-rules-and-it-amendment-act-69-rules

Surveillance technology companies operating in India - spreadsheet

maria — 2013-04-27T16:29:14Z

The Centre for Internet and Society has started investigating surveillance technology companies operating in India! This spreadsheet entails the first 77 companies which are being researched.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-technology-companies-operating-in-india

Rule 419A of the Indian Telegraph Rules, 1951

jdine — 2013-11-19T07:16:04Z

The Central Government made the following rules to amend the Indian Telegraph Rules, 1951.

G.S.R. 193 (E).— In exercise of the powers conferred by Section 7 of the Indian Telegraph Act, 1885 (13 of 1885), the Central Government hereby makes the following rules further to amend the Indian Telegraph Rules, 1951, namely:—

10 (1) These rules may be called the Indian Telegraph (Amendment) Rules, 2007.

(2) They shall come into force on the date of their publication in the Official Gazette.

20 In the Indian Telegraph Rules, 1951, after rule 419, the following rule shall be substituted, namely:—

[1] 419-A. (1) Directions for interception of any message or class of messages under sub-section (2) of Section 5 of the Indian Telegraph Act, 1885 (hereinafter referred to as the said (Act) shall not be issued except by an order made by the Secretary to the Government of India in the Ministry of Home Affairs in the case of Government of India and by the Secretary to the State Government in-charge of the Home Department in the case of a State Government. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorized by the Union Home Secretary or the State Home Secretary, as the case may be:

Provided that in emergent cases—

(i) in remote areas, where obtaining of prior directions for interception of messages or class of messages is not feasible; or
(ii) for operational reasons, where obtaining of prior directions for interception of message or class of messages is not feasible;

the required interception of any message or class of messages shall be carried out with the prior approval of the Head or the second senior most officer of the authorized security i.e. Law Enforcement Agency at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police at the state level but the concerned competent authority shall be informed of such interceptions by the approving authority within three working days and that such interceptions shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the competent authority is not received within the stipulated seven days, such interception shall cease and the same message or class of messages shall not be intercepted thereafter without the prior approval of the Union Home Secretary or the State Home Secretary, as the case may be.

(2) Any order issued by the competent authority under sub-rule (1) shall contain reasons for such direction and a copy of such order shall be forwarded to the concerned Review Committee within a period of seven working days.

(3) While issuing directions under sub-rule (1) the officer shall consider possibility of acquiring the necessary information by other means and the directions under sub-rule (1) shall be issued only when it is not possible to acquire the information by any other reasonable means.

(4) The interception directed shall be the interception of any message or class of messages as are sent to or from any person or class of persons or relating to any particular subject whether such message or class of messages are received with one or more addresses, specified in the order, being an address or addresses likely to be used for the transmission of communications from or to one particular person specified or described in the order or one particular set of premises specified or described in the order.

(5) The directions shall specify the name and designation of the officer or the authority to whom the intercepted message or class of messages is to be disclosed and also specify that the use of intercepted message or class of messages shall be subject to the provisions of sub-section (2) of Section 5 of the said Act.

(6) The directions for interception shall remain in force, unless revoked earlier, for a period not exceeding sixty days from the date of issue and may be renewed but the same shall not remain in force beyond a total period of one hundred and eighty days.

(7) The directions for interception issued under sub-rule (1) shall be conveyed to the designated officers of the licensee(s) who have been granted licenses under Section 4 of the said Act, in writing by an officer not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank.

(8) The officer authorized to intercept any message or class of message shall maintain proper records mentioning therein, the intercepted message or class of messages, the particulars of persons whose message has been intercepted, the name and other particulars of the officer or the authority to whom the intercepted message or class of messages has been disclosed, the number of copies of the intercepted message or class of messages made and the mode or the method by which such copies are made, the date of destruction of the copies and the duration within which the directions remain in force.

(9) All the requisitioning security agencies shall designate one or more nodal officers not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisitions for interception to the designated officers of the concerned service providers to be delivered by an officer not below the rank of Sub-lnspector of Police.

(10) The service providers shall designate two senior executives of the company in every licensed service area/State/Union Territory as the nodal officers to receive and handle such requisitions for interception.

(11) The designated nodal officers of the service providers shall issue acknowledgment letters to the concerned security and Law Enforcement Agency within two hours on receipt of intimations for interception.

(12) The system of designated nodal officers for communicating and receiving the requisitions for interceptions shall also be followed in emergent cases/unavoidable cases where prior approval of the competent authority has not been obtained.

(13) The designated nodal officers of the service providers shall forward every fifteen days a list of interception authorizations received by them during the preceding fortnight to the nodal officers of the security and Law Enforcement Agencies for confirmation of the authenticity of such authorizations. The list should include details such as the reference and date of orders of the Union Home Secretary or State Home Secretary, date and time of receipt of such orders and the date and time of Implementation of such orders.

(14) The service providers shall put in place adequate and effective internal checks to ensure that unauthorized interception of messages does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of interception of messages as it affects privacy of citizens and also that this matter is handled only by the designated nodal officers of the company.

(15) The service providers are responsible for actions for their employees also. In case of established violation of license conditions pertaining to maintenance of secrecy and confidentiality of information and unauthorized interception of communication, action shall be taken against the service providers as per Sections 20, 20-A, 23 & 24 of the said Act, and this shall include not only fine but also suspension or revocation of their licenses.

(16) The Central Government and the State Government, as the case may be, shall constitute a Review Committee. The Review Committee to be constituted by the Central Government shall consist of the following, namely:

(a) Cabinet Secretary — Chairman

(b) Secretary to the Government of India Incharge, Legal Affairs — Member

The Review Committee to be constituted by a State Government shall consist of the following, namely:

(a) Chief Secretary — Chairman

(b) Secretary Law/Legal Remembrancer Incharge, Legal Affairs — Member

(17) The Review Committee shall meet at least once in two months and record its findings whether the directions issued under sub-rule (1) are in accordance with the provisions of sub-section (2) of Section 5 of the said Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and orders for destruction of the copies of the intercepted message or class of messages.

(18) Records pertaining to such directions for interception and of intercepted messages shall be destroyed by the relevant competent authority and the authorized security and Law Enforcement Agencies every six months unless these are, or likely to be, required for functional requirements.

(19) The service providers shall destroy records pertaining to directions for interception of message within two months of discontinuance of the interception of such messages and in doing so they shall maintain extreme secrecy.

[1].Subs, by G.S.R. 193 (E), dated 1.3.2007 (w.e.f. 12.3.2007).

For more details visit https://cis-india.org/internet-governance/resources/rule-419-a-indian-telegraph-rules-1951

When Netas Network

praskrishna — 2013-06-19T06:19:00Z

In September 2009, a freshly re-elected Congress took exception to a light-hearted tweet by its newly inducted minister Shashi Tharoor, chastising him not only for causing offence but also for being too quick to air his views on social media.

This article by Rukmini Shrinivasan was published in the Times of India on April 27, 2013. Sunil Abraham is quoted.

So much can change in less than four years.

Rocked by allegations of corruption, and with anti-incumbency firmly setting in, the Congress is struggling to reconnect with voters, and is belatedly embracing social media. Tharoor has had the last laugh;his social media activity has earned him praise and is being emulated by others in his cabinet.

As political discussion spills over from the neighbourhood tea shop and coffee house to Facebook and Twitter, their potential impact on electoral politics is something that those in power and those hoping to get there are taking very, very seriously.

The BJP runs its social media operation out of its headquarters in Delhi. Most of the party's top leaders have an official Facebook page and a verified Twitter handle, while others, including octogenarian L K Advani, blog.

The Congress is late to the party;it does not have an official Twitter account and has such a halfhearted Facebook presence that it isn't immediately clear that it's official. But it seems to be waking up - young leaders including Deepender Hooda are now part of a social media strategy team, and the younger cabinet ministers are enthusiastic social media adopters.

Rural India Logs On

Despite representing a largely rural, relatively impoverished constituency, 48-year-old Biju Janata Dal MP Baijayant Panda is a Twitter natural. "Rural Indians are slowly beginning to get more active online and I am beginning to interact more often with my constituents there. In fact, particularly on Facebook, there are already a significant number of Odia users, from all around the world, but also those living in my constituency, " Panda says.

Simultaneously, social media entrepreneurs are responding to what they see as an area of huge growth. The Australian web-based citizen-politician interaction platform OurSay has just come to India (see interview on page 5). In the run-up to the elections, Twitter and Google are both reaching out to politicians and civil society organisations in the citizen engagement game and have pitched town-hall style interactions to several politicians, including union cabinet members and state governments.

Social media entrepreneur and analyst Mahesh Murthy believes that Indian social media users have discovered the wonders of political engagement online. "Only now are they figuring out that the real news doesn't seem to get out on traditional media - and more importantly, that their response on traditional media (at best, a letter to the editor) is puny in comparison to the impact they can have via social, " he says. Moreover, says Murthy, the impact is not online alone. "The Nirbhaya case, the Palghar case, the recent child rape case - all would have gone generally unnoticed a few years ago. Each of them, thanks to social media, became a cause to rally around. Add to this disclosures under RTI, NGOs becoming more transparent, online petitions and more - the staid and set political world of India is undergoing the first wave of massive, irreversible change. "

Such evangelism about the potentially transformational impact of social media was echoed in a recent study which claimed that Facebook users could swing elections in 150 constituencies in the next Lok Sabha election. Apart from being statistically flawed, the study also failed to look beyond the number of people on social media, to the kinds of conversations they are actually having.

A Broadcast Medium?

With some exceptions, the majority of politicians on Twitter and Facebook use it as yet another broadcast medium for purely one-way traffic, a rare few respond to the hundreds who leave comments on their Facebook and Twitter posts. So while Gujarat chief minister Narendra Modi might have asked the FICCI ladies to get in touch with him on social media, what he omitted to mention was that he never responds.

Most politicians and parties are not doing a good job of engaging with citizens through social media, agrees Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Most of them are still outsourcing this function completely. This reminds me of the early days of email in large corporations and government offices when every email was printed before it was read by its recipient and the response dictated and recorded using shorthand before it was entered into the computer. This approach will not work with social media users. Personal involvement will be one way to improve results, " says Abraham.

Arvind Gupta, who sold off his analytics firm to run the BJP's IT cell from its Lutyens' Delhi headquarters, disagrees. "The volume of responses on Twitter or Facebook make it impossible for Sushmaji [Swaraj] or Modiji to respond to them all, but they often meet online supporters offline too, or highlight insightful comments on their blogs, " says Gupta.
Younger leaders tend to be better at online interaction. So while 89-year-old Karunanidhi of the DMK has a Twitter account but follows no one, the party's youngest MLA, TRB Rajaa, has five Facebook pages and a Twitter handle, and replies personally. "I get several hundred messages on Facebook in a day, but I try to respond to at least half, especially those who are raising grievances, " he says.

Some times, the proximity of a politician to the blaze of online outrage can force action. "When (IIPM director) Arindam Choudhary got a remote district court to ban a UGC web page, social media turmoil spurred first Shashi Tharoor and then [minister of state for information technology] Milind Deora and then the government into action - and the case was challenged and the ban was overturned, " says Murthy.

Influencing First-time Voters

But the big question remains - in a country where the internet is for a privileged few, is it too early to start talking of social media playing a role in electoral politics?

Sanjay Jha who runs the website Hamara-Congress. com and is a member of the party's social media strategy team, believes the impact will largely be on youngt voters. "It will have an impact on first time voters of urban India as also on voters who are unsure about their political leanings, " he says.

"Social media like mainstream media will influence its users. Internet users are still roughly around 10% of the population. However, they are elites and can influence wider offline discourse. Social media may have other benefits as it would help make the elections more transparent and free from manipulation, " says Abraham.

"One has to be careful - we don't know yet how many people on Facebook are registered to vote, and how many more will do so in time. We also need to understand better the ability of a youth on Facebook to influence his parents' and family's voting choices, " says Murthy.

In number terms, Murthy believes that social media will have some impact on 8-15 % of the electorate come 2014. "The 2014 elections will be a turning point. But I sense the 8% to 15% will more than double by 2019 elections - and that will be a moment when social media is far, far more important. The smarter parties and politicians will realise this and start making investments and efforts right away, " says Murthy.

Gupta strongly believes that a segment of the population that is politically engaged online but will not come to dharnas nevertheless votes, and should not be dismissed. "You often see people who make "I voted today" their Facebook status, " he says. Moreover, citizens politically engaged online are influencing each other and changing minds, he says.

Party Time

Many in politics also believe that besides the voter - who makes his or her decision based on a complex matrix of reasons - social media plays an important role in helping the leadership of parties connect with and energise their cadre and supporters.

"At the very least, social media will bring interested volunteers and party-workers closer to public representatives by making direct interaction possible. Certain candidates, even independent and otherwise lesser fancied ones, will have a shot at mobilising supporters at rallies, even though they have far fewer traditional resources to do so, " says Panda.
Rajaa agrees. "Not just voters, many motivated cadre also use social media to keep in touch with our youth wing and with the second-rung leadership, " he says.

With additional reporting by Kim Arora.

For more details visit https://cis-india.org/news/times-of-india-crest-edition-april-27-2013-rukmini-shrinivasan-when-netas-network

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison

jdine — 2013-04-30T10:10:48Z

Jadine Lannon has performed a clause-by-clause comparison of the 69A draft rules and 69A rules for Section 69A of the IT Act in order to better understand how the two differ. While there has been reshuffling of the clauses in the official rules, the content itself has not changed significantly. Notes have been included on some changes we deemed to be important.

Below is a chart depicting the 69A Draft Rules and the 69A Rules:

There was a lot of structural change between the draft rules and the official rules—many of the draft clauses were shuffled around and combined—but not a lot of change in content. Many of the changes that appear in the official rules serve to clarify parts of the draft rules.

Three definitions were added under clause (2), two to clarify later references to a “designated officer” and a “nodal officer” and the third to indicate a form appended to the official Rules.

Clause (3) of the official rules then clarifies who shall be named the “designated officer”, which was not done in the draft rules as there was no inclusion of an official title of the officer who would have the responsibilities of the “designated officer”. Interestingly, clause (3) of the draft rules requires the Secretary of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India to name an officer, whereas clause (3) of the official rules states that the “Central Government” shall designate an officer, a change in language that allows for much more flexibility on the government's part.

Clause (5) in the draft rules and clause (4) in the official rules deal with the designation of a Nodal Officer, but omitted in the official rules are responsibilities of the designated officer, which includes acting on the “direction of the indian competent court”. This responsibility does not appear in any part of the official rules. Further, clause (4) of the official rules requires the organizations implicated in the rules to publish the name of the Nodal Officer on their website; this is an addition to the draft rules, and a highly useful one at that. This is an important move towards some form of transparency in this contentious process.

Clause (5) of the official rules significantly clarifies clause (4) of the draft rules by stating that the designated officer may direct any Agency of the Government or intermediary to block access once a request from the Nodal Officer has been received.

Clause (7) of the official rules uses the word “information” instead of “computer resource”, which is used in the corresponding clause (12) in the draft rules, when referring to the offending object. This change in language significantly widens the scope of what can be considered offending under the rules.

The sub-sections (2), (3) and (4) of clause (9) of the official rules are additions to the draft rules. Sub-section (2) is a significant addition, as it deals with the ability of the Secretary of the Department of Information Technology's ability to block for public access any information or part thereof without granting a hearing to the entity in control of the offending information in a case of emergency nature. The request for blocking will then be brought before the committee of examination of request within 48 hours of the issue of direction, meaning that the offending information could be blocked for two days without giving notice to the owner/controller of the information of the reason for the blockage.

An important clarification has been included in clause (15) of the official rules, which differs from clause (23) of the draft rules through the inclusion of the following phrase: “The Designated Officer shall maintain complete record of the request received and action taken thereof [...] of the cases of blocking for public access”. This is a significant change from clause (23), which simply states that the “Designated Officer shall maintain complete record [...] of the cases of blocking”. This could be seen as an important step towards transparency and accountability in the 69B process of blocking information for public access if clause (16) of the official rules did not state that all requests and complaints received and all actions taken thereof must be kept confidential, so the maintenance of records mentioned in clause (15) of the official rules appears to be only for internal record-keeping. However, just the fact that this information is being recording is a significant change from the draft rules, and may, if the sub-rules relating to confidentiality were to be changed, be useful data for the public.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-a-rules-draft-and-final-version-comparison

CIS in GNI Annual Report

praskrishna — 2013-04-25T07:31:01Z

The Centre for Internet and Society (CIS) joined the Global Network Intiative (GNI) in March 2012. Recently, GNI brought out its Annual Report. Sunil Abraham is quoted in it.


GNI participants Sunil Abraham - Centre for Internet and Society (second from left) and Cynthia Wong - Center for Democracy and Technology (right) at the Google Internet at Liberty 2012 Conference, May 23, 2012. Also pictured (left to right): Dunja Mijatovic´ - OSCE Representative on Freedom of the Media, Judy Woodruff (Moderator) - Senior Correspondent, PBS Newshour, Mohamed El Dahshan - writer, journalist. Credit: Tony Powell

GNI participants Sunil Abraham - Centre for Internet and Society (second from left) and Cynthia Wong - Center for Democracy and Technology (right) at the Google Internet at Liberty 2012 Conference, May 23, 2012. Also pictured (left to right): Dunja Mijatovic´ - OSCE Representative on Freedom of the Media, Judy Woodruff (Moderator) - Senior Correspondent, PBS Newshour, Mohamed El Dahshan - writer, journalist.
Credit: Tony Powell

An increasingly global network

"Technological development happens too quickly for us to purely depend on government regulation. Self-regulation has an important role to play in keeping up with these rapid changes … we will influence GNI norms using our Indian perspective."
Sunil Abraham

A key objective for GNI is increasing its membership across all constituencies with a focus on developing countries and emerging markets. In 2012, GNI welcomed Azerbaijani press freedom organization the Institute for Reporters’ Freedom and Safety as the global Internet governance community gathered in Baku, Azerbaijan for the Internet Governance Forum. Their participation, alongside other new civil society participant, the Centre for Internet & Society based in Bangalore, India represents a step toward further internationalizing the GNI network. Other new members include the George Washington University Law School and Christine Bader from the Kenan Institute for Ethics at Duke University.

Click to read the GNI Annual Report
Click to read the news of CIS joining the GNI in 2012

For more details visit https://cis-india.org/news/gni-annual-report-mentions-cis

Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009

jdine — 2013-04-25T04:49:05Z

Draft Rules under section 69B of the Information Technology (Amendment) Act, 2008 as notified by the Central Government.

G.S.R. 782 (E).— In exercise of the power conferred y clause (za) of sub-section (2) of section 87, read with sub-section (3) of section 69B of the Information Technology Act 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:—

1. Short title and commencement.—

(1) These rules may be called the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions.— In these rules, unless the context otherwise requires,—

(a) “Act” means the Information Technology Act, 2000 (21 of 2000);

(b) “communication” means dissemination, transmission, carriage of information or signal in come manner and include both a direct communication and an indirect communication;

(c) “communication link” means the use of satellite, microwave, radio, terrestrial line, wire, wireless or any other communication media to inter-connect computer resource;

(d) “competent authority” means the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology;

(e) “computer resource” means computer resource as defined in clause (k) of sub-section (1) of section 2 of the Act;

(f) “cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service/disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(g) “cyber security breaches” means unauthorised acquisition or unauthorised use by a person of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource;

(h) “information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(i) “information security practices” means implementation of security policies and standards in order to minimize the cyber security incidents and breaches;

(j) “intermediary” means an intermediary as defined by clause (w) of sub-section (1) of section 2 of the Act;

(k) “monitor” with its grammatical variations and cognate expressions, includes to view or inspect or to record or collect traffic data or information generated, transmitted, received or stored in a computer resource by means of a monitoring device;

(l) “monitoring device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to view or inspect or record or collect traffic data or information;

(m) “port” or “application port” means a set of software rules which identifies and permits communication between application to application, network to network, computer to computer, computer system to computer system;

(n) “Review Committee” means the Review Committee constituted under rule 419A of Indian Telegraph Rules, 1951;

(o) “security policy” means documented business rules and processes for protecting information and the computer resource;

(p) “traffic data” means traffic data as defined in Explanation (ii) to section 69B of the Act.

3. Directions for monitoring.—

(1) No directions for monitoring and collection of traffic data or information under sub-section (3) of section 69B of the Act shall be issued, except by an order made by the competent authority.

(2) The competent authority may issue directions for monitoring for any or all of the following purposes related to cyber security, namely:-

(a) forecasting of imminent cyber incidents;

(b) monitoring network application with traffic data or information on computer resource;

(d) tracking cyber security breaches or cyber security incidents;

(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;

(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;

(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;

(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;

(i) any other matter relating to cyber security.

(3) Any direction issued by the competent authority under sub-rule (2) shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee withing a period of seven working days.

(4) The direction of the competent authority for monitoring and collection of traffic data or information may include the monitoring and collection of traffic data or information from any person or class of persons or relating to any particular subject whether such traffic data or information, or class of traffic data of information, are received with one or more computer resources, being a computer resource likely to be used for generation, transmission, receiving, storing of traffic data or information from or to one particular person or one or many set of premises.

4. Authorised agency of government for monitoring and collection of traffic data or information.—

(1) The competent authority may authorise any agency of the government for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The agency authorised by the competent authority under sub-rule (1) shall designated one or more nodal officer, not below the rank of Deputy Secretary to the Government of India, for the purpose to authenticate and send the requisition conveying direction issued under rule 3 to the designated officers of the concerned intermediary or person in-charge of computer resources.

(3) The requisition under sub-rule (2) shall specify the name and designation of the officer or the agency to whom the monitored or collected traffic data or information is to be disclosed.

(4) The intermediaries or person in-charge of computer resource shall designate one or more officers to receive requisition and to handle such requisition from the nodal officer for monitoring or collection of traffic data or information.

(5) The requisition conveying directions for monitoring shall be conveyed to the designated officers of the intermediary or person in-charge of computer resources, in writing through letter or fax by the nodal officer or delivered, (including delivery by email signed with electronic signature), by an officer not below the rank of Under Secretary or officer of the equivalent rank.

(6) The nodal officer issuing the requisition conveying directions for monitoring under sub=rule (2) shall also make a request in writing to the designated officer of intermediary or person in-charge of computer resource for monitoring in accordance with the format indicated in such requisition and report the same to the officer designated under sub-rule (3).

(7) The nodal officer shall also make a request to the officer of intermediary or person in-charge of computer resource designated under sub-rule (4) to extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access or to secure and provide online access to the computer resource for monitoring and collecting traffic data or information.

(8) On receipt of requisition under sub-rule (2) conveying the direction issued under sub-rule (2) of rule 3 the designated officer of the intermediary or person in-charge of computer resource designated under sub-rule (4) shall acknowledge the receipt of requisition by way of letter or fax or electronically signed e-mail to the nodal officer within a period of two hours from the time of receipt of such requisition.

(9) The officer of the intermediary or person in-charge of computer resource designed under sub-rule (4) shall maintain proper records of the requisitions received by him.

(10) The designated officer of the intermediary or person in-charge of computer resource shall forward in every fifteen days a list of requisition conveying direction for monitoring or collection of traffic data or information to the nodal officer which shall include details such as the reference and date of requisition conveying direction of the concerned competent authority.

5. Intermediary to ensure effective check in handling monitoring or collection of traffic data or information.— The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that unauthorised monitoring or collection of traffic data or information does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of monitoring or collection of traffic data or information as it affects privacy of citizens and also that this matter is handled only by the designated officer of the intermediary or person in-charge of computer resource.

6. Responsibility of intermediary.— The intermediary or person in-charge of computer resource shall be responsible for the actions of their employees also, and in case of violation of the provision of the Act and rules made thereunder pertaining to maintenance of secrecy and confidentiality of information or any unauthorised monitoring or collection of traffic data or information, the intermediary or person in-charge of computer resource shall be liable for any action under the relevant provision of the laws for the time being in force.

7. Review of directions of competent authority.— The Review Committee shall meet at least once in two months and record its finding whether the directions issued under sub-rule (2) of rule 3 are in accordance with the provisions of sub-section (3) of section 69B of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue order for destruction of the copies, including corresponding electronic record of the monitored or collected traffic data or information.

8. Destruction of records.—

(1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed by the designated officer after the expiry of a period of nine months from the receipt of direction or creation of record, whichever is later, except in a case where the traffic data or information is, or likely to be, required for functional requirements.

(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information within a period of six months of discontinuance of the monitoring or collection of traffic data and in doing so they shall maintain extreme secrecy.

9. Prohibition of monitoring or collection of traffic data or information without authorisation.—

(1) Any person who, intentionally or knowingly, without authorisation under sub-rule (2) of rule 3 or sub-rule (1) of rule 4, monitors or collects traffic data or information, or attempts to monitor or collect traffic data or information, or authorises or assists any person to monitor or collect traffic data or information in the course of its occurrence or transmission at any place within India, shall be proceeded against, punished accordingly under the relevant provisions of the law for the time being in force.

(2) the monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, may be undertaken in course of his duty relating to the services provided by that intermediary, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with the following matters, namely:—

(i) installation of computer resource or any equipment to be used with computer resource; or

(ii) operation or maintenance of computer resource; or

(iii) installation of any communication link or software either at the end of the intermediary or subscriber, or installation of user account on the computer resource of intermediary and testing of the same for its functionality;

(iv) accessing stored information from computer resource relating to the installation, connection or maintenance of equipment, computer resource or a communication link or code; or

(v) accessing stored information from computer resource for the purpose of--

(a) implementing information security practices in the computer resource;

(b) determining any security breaches, computer contaminant or computer virus;

(vi) accessing or analysing information from a computer resource for the purpose of tracing a computer resource of any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.

(3) The intermediary or the person in-charge of computer resource and its employees shall maintain strict secrecy and confidentiality of information while performing the actions as specified under sub-rule (2).

(4) The details of monitored or collected traffic data or information shall not be used or disclosed by intermediary or person in-charge of computer resource or any of its employees to any person other than the intended recipient of the said information under sub-rule (2) of rule 4. Any intermediary or its employees of person in-charge of computer resource who contravenes the provisions of this rule shall be proceeded against and punished accordingly under the relevant provisions of the Act or any other law for the time being in force.

10. Prohibition of disclosure of traffic data or information by authorised agency.— The details of monitored or collected traffic data or information shall not be used or disclosed by the agency authorised under sub-rule (1) of rule 4 for any other purpose, except for forecasting imminent cyber threats or general trend of port-wise traffic on Internet, or general analysis of cyber incidents, or for investigation or in judicial proceedings before the competent court in India.

11. Maintenance of confidentiality.— Save as otherwise provided in rule 10, strict confidentiality shall be maintained in respect of directions for monitoring or collection of traffic data or information issued by the competent authority under these rules.

For more details visit https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009

Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

jdine — 2013-07-06T01:51:58Z

Rules under section 69(2) of the Information Technology Act, 2008 (after the 2008 amendment).

G.S.R. 780 (E).— In exercise of the powers conferred by clause (y) of sub-section (2) of section 87, read with sub-section (2) of section 69 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:

1. Short title and commencement.—

(1) These rules may be called the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions.— In these rules, unless the context otherwise requires,--

(a) “Act” means the Information Technology Act, 2000 (21 of 2000);

(b) “communication” means dissemination, transmission, carriage of information or signal in some manner and include both a direct communication and an indirect communication”;

(c) “communication link” means the use of satellite, microwave, radio, terrestrial line, wire, wireless or any other communication media to inter-connect computer resource;

(d) “competent authority” means--

(i) the Secretary in the Ministry of Home Affairs, in case of the Central Government; or

(ii) the Secretary in charge of the Home Department, in case of a State Government or Union territory, as the case may be;

(e) “computer resource” means computer resource as defined in clause (k) of sub-section (1) of section 2 of the Act;

(f) “decryption” means the process of conversion of information in non-intelligible form to an intelligible form via a mathematical formula, code, password or algorithm or a combination thereof;

(g) “decryption assistance” means any assistance to--

(i) allow access, to the extent possible, to encrypted information; or

(ii) facilitate conversion of encrypted information into an intelligible form;

(h) “decryption direction” means a direction issued under Rule (3) in which a decryption key holder is directed to--

(i) disclose a decryption key; or

(ii) provide decryption assistance in respect of encrypted information

(i) “decryption key” means any key, mathematical formula, code, password, algorithm or any other data which is used to--

(i) allow access to encrypted information; or

(ii) facilitate the conversion of encrypted information into an intelligible form;

(j) “decryption key holder” means any person who deploys the decryption mechanism and who is in possession of a decryption key for purposes of subsequent decryption of encrypted information relating to direct or indirect communications;

(k) “information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(l) “intercept” with its grammatical variations and cognate expressions, means the aural or other acquisition of the contents of any information through the use of any means, including an interception device, so as to make some or all of the contents of an information available to a person other than the sender or recipient or intended recipient of that communication, and includes--

(a) monitoring of any such information by means of a monitoring device;

(b) viewing, examination or inspection of the contents of any direct or indirect information; and

(c) diversion of any direct or indirect information from its intended destination to any other destination to any other destination;

(m) “interception device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to intercept any information; and any reference to an “interception device” includes, where applicable, a reference to a “monitoring device”;

(n) “intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(o) “monitor” with its grammatical variations and cognate expressions, includes to view or to inspect or listen to or record information by means of a monitoring device;

(p) “monitoring device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to view or to inspect or listen to or record any information;

(q) “Review Committee” means the Review Committee constituted under rule 419A of Indian Telegraph Rules, 1951.

3. Direction for interception or monitoring or decryption of any information.— No person shall carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Act, except by an order issued by the competent authority;

Provided that in an unavoidable circumstances, such order may be issued by an officer, not below the rank of Joint Secretary of the Government of India, who has been duly authorised by the competent authority;

Provided further that in a case of emergency--

(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or

(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generation, transmitted, received or stored in any computer resource is not feasible,

the interception or monitoring of decryption of any information generated, transmitted, received or stored in any computer resource may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency (hereinafter referred to as the said security agency) at the Central level and the officer authorised in this behalf, not below the rank of the inspector General of Police or an officer of equivalent rank, at the State or Union territory level;

Provided also that the officer, who approved such interception or monitoring or decryption of information in case of emergency, shall inform in writing to the competent authority about the emergency and of such interception or monitoring or decryption within three working days and obtain the approval of the competent authority thereon within a period of seven working days and if the approval of competent authority is not obtained within the said period of seven working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.

4. Authorisation of agency of Government.— The competent authority may authorise an agency of the Government to intercept, monitor or decrypt information generated, transmitted received or stored in any computer resource for the purpose specified in sub-section (1) of section 69 of the Act.

5. Issue of decryption direction by competent authority.— The competent authority may, under Rule (3), give any decryption direction to the decryption key holder for decryption of any information involving a computer resource or part thereof.

6. Interception or monitoring or decryption of information by a State beyond its jurisdiction.— Notwithstanding anything contained in Rule (3), if a State Government or Union territory Administration requires any interception or monitoring or decryption of information beyond its territorial jurisdiction, the Secretary in-charge of the Home Department in that State or Union territory, as the case may be, shall make a request to the Secretary in the Ministry of Home Affairs, Government of India for issuing direction to the appropriate authority for such interception or monitoring or decryption of information.

7. Contents for direction.— Any direction issued by the competent authority under Rule (3) shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee within a period of seven working days.

8. Competent authority to consider alternative means in acquiring information.— The competent authority shall, before issuing any direction under Rule (3), consider possibility of acquiring the necessary information by other means and the direction under Rule (3) shall be issued only when it is not possible to acquire the information by any other reasonable means.

9. Direction of interception or monitoring or decryption of any specific information.— The direction of interception or monitoring or decryption of any information generation, transmitted, received or stored in any computer resource shall be of any information as is sent to or from any person or class of persons or relating to any particular subject whether such information or class of information are received with one or more computer resources, or being a computer resource likely to be used for the generation, transmission, receiving, storing of information from or to one particular person or one or many set of premises, as may be specified or described in the direction.

10. Direction to specify the name and designation of the officer to whom information to be disclosed.— Every directions under Rule (3) shall specify the name and designation of the officer of the authorised agency to whom the intercepted or monitored or decrypted or stored information shall be disclosed and also specify that the use of intercepted or monitored or decrypted information shall be subject to the provisions of sub-section (1) of section 69 of the said Act.

11. Period within which direction shall remain in force.— The direction for interception or monitoring or decryption shall remain in force, unless revoked earlier, for a period not exceeding sixty days from the date of its issue and may be renewed from time to time for such period not exceeding the total period of one hundred and eighty days.

12. Authorised agency to designate nodal officer.— The agency authorised by the competent authority under Rule (4) shall designate one or more nodal officer, not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisition conveying direction issued under Rule (3) for interception or monitoring or decryption to the designated officers of the concerned intermediaries or person in-charge of computer resource;

Provided that an officer, not below the rank of Inspector of Police or officer of equivalent rank, shall deliver the requisition to the designated officer of the intermediary.

13. Intermediary to provide facilities, etc.—

(1) The officer issuing the requisition conveying direction issued under Rule (3) for interception or monitoring or decryption of information shall also make a request in writing to the designated officers of intermediary or person in-charge of computer resources, to provide all facilities, co-operation and assistance for interception or monitoring or decryption mentioned in the directions.

(2) On the receipt of request under sub-rule (1), the designated officers of intermediary or person in-charge of computer resources, shall provide all facilitates, co-operation and assistance for interception or monitoring or decryption of information mentioned in the direction.

(3) Any direction of decryption of information issued under Rule (3) to intermediary shall be limited to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.

14. Intermediary to designate officers to receive and handle.— Every intermediary or person in-charge of computer resource shall designate an officer to receive requisition, and another officer to handle such requisition, from the nodal officer for interception or monitoring or decryption of information generation, transmitted, received or stored in any computer resource.

15. Acknowledgement of instruction.— The designated officer of the intermediary or person in-charge of computer resources shall acknowledge the instructions received by him through letters or fax or e-mail signed with electronic signature to the nodal officer of the concerned agency within two hours on receipt of such intimation or direction for interception or monitoring or decryption of information.

16. Maintenance of records by designated officer.— The designated officer of intermediary or person in-charge of computer resource authorised to intercept or monitor or decrypt any information shall maintain proper records mentioning therein, the intercepted or monitored or decrypted information, the particulars of persons, computer resource, e-mail account, website address, etc. whose information has been intercepted or monitored or decrypted, the name and other particulars of the officer or the authority to whom the intercepted or monitored or decrypted information has been disclosed, the number of copies, including corresponding electronic records of the intercepted or monitored or decrypted information made and the mode of the method by which such copies, including corresponding electronic records are made, the date of destruction of the copies, including corresponding electronic record and the duration within which the directions remain in force.

17. Decryption key holder to disclose decryption key or provide decryption assistance.— If a decryption direction or a copy thereof is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer referred to in Rule (12), the decryption key holder shall within the period mentioned in the decryption direction--

(a) disclose the decryption key; or

(b) provide the decryption assistance,

specified in the decryption direction to the concerned authorised person.

18. Submission of the list of interception or monitoring or decryption of information.—
(1) The designated officers of the intermediary or person in-charge of computer resources shall forward in every fifteen days a list of interception or monitoring or decryption authorisations received by them during the preceding fortnight to the nodal officers of the agencies authorised under Rule (4) for confirmation of the authenticity of such authorisations.
(2) The list referred to in sub-rule (1) shall include details, such as the reference and date of orders of the concerned competent authority including any order issued under emergency cases, date and time of receipt of such order and the date and time of implementation of such order.

19. Intermediary to ensure effective check in handling matter of interception or monitoring or decryption of information.— The intermediary or the person in-charge of the computer resource so directed under Rule (3), shall provide technical assistance and the equipment including hardware, software, firmware, storage, interface and access to the equipment wherever requested by the agency authorised under Rule (4) for performing interception or monitoring or decryption including for the purposes of--

(i) the installation of equipment of the agency authorised under Rule (4) for the purposes of interception or monitoring or decryption or accessing stored information in accordance with directions by the nodal officer; or

(ii) the maintenance, testing or use of such equipment; or

(iii) the removal of such equipment; or

(iv) the performance of any action required for accessing of stored information under the direction issued by the competent authority under Rule (3).

20. Intermediary to ensure effective check in handling matter of interception or monitoring or decryption of information.— The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure the unauthorised interception of information does not take place and extreme secrecy is maintained and utmost care and precaution shall be taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary and no other person of the intermediary or person in-charge of computer resources shall have access to such intercepted or monitored or decrypted information.

21. Responsibility of intermediary.— The intermediary or person in-charge of computer resources shall be responsible for any action of their employees also and in case of violation pertaining to maintenance of secrecy and confidentiality of information or any unauthorised interception or monitoring or decryption of information, the intermediary or person in-charge of computer resources shall be liable for any action under the relevant provisions of the laws for the time being in force.

22. Review of directions of competent authority.— The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (3) are in accordance with the provisions of sub-section (2) of section 69 of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issues order for destruction of the copies, including corresponding electronic record of the intercepted or monitored or decrypted information.

23. Destruction of records of interception or monitoring or decryption of information.—

(1) Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements.

(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complain or legal proceedings, the intermediary or person in-charge of computer resources shall destroy records pertaining to directions for interception of information within a period of two months of discontinuance of the interception or monitoring or decryption of such information and in doing so they shall maintain extreme secrecy.

24. Prohibition of interception or monitoring or decryption of information without authorisation.—

(1) Any person who intentionally or knowingly, without authorisation under Rule (3) or Rule (4), intercepts or attempts to intercept, or authorises or assists any other person to intercept or attempts to intercept any information in the course of its occurrence or transmission at any place within India, shall be proceeded against and punished accordingly under the relevant provisions of the laws for the time being in force.

(2) Any interception, monitoring or decryption of information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, may be undertaken in course of his duty relating to the services provided by that intermediary, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with the following matters, namely--

(i) installation of computer resource or any equipment to be used with computer resource; or

(ii) operation or maintenance of computer resource; or

(iv) accessing stored information from computer resource relating to the installation, connection or maintenance of equipment, computer resource or a communication link or code; or

(v) accessing stored information from computer resource for the purpose of--

(a) implementing information security practices in the computer resource;

(b) determining any security breaches, computer contaminant or computer virus;

25. Prohibition of disclosure of intercepted or monitored decrypted information.—

(1) The contents of intercepted or monitored or stored or decrypted information shall not be used or disclosed by intermediary or any of its employees or person in-charge of computer resource to any person other than the intended recipient of the said information under Rule (10).

(2) The contents of intercepted or monitored or decrypted information shall not be used or disclosed by the agency authorised under Rule (4) for any other purpose, except for investigation or sharing with other security agency for the purpose of investigation or in judicial proceedings before the competent court in India.

(3) Save as otherwise provided in sub-rule (2), the contents of intercepted or monitored or decrypted information shall not be disclosed or reported in public by any means, without the prior order of the competent court in India.

(4) Save as otherwise provided in sub-rule (2), strict confidentiality shall be maintained in respect of direction for interception, monitoring or decryption issued by concerned competent authority or the nodal officers.

For more details visit https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009

Report on the 2nd Privacy Round Table meeting

maria — 2013-07-12T11:54:28Z

This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first Privacy Round Table in Delhi, this report entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20^th April 2013.

Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”

The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13^th April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.

DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.

The discussion points brought forward by DSCI were:

What role should government and industry respectively play in developing and enforcing a regulatory framework?
How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?
How can an organization be incentivized to follow the codes of practice under the SRO?
What should be the role of SROs in redressal of complaints?
What should be the business model for SROs?

DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.

Discussion on the draft Privacy (Protection) Bill 2013

Discussion of definitions and preamble: Chapter I & II

The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.

Sensitive Personal Data

The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.

Information vs. Data

During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.

Exemptions

Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.

Discussion of “Protection of Personal Data”: Chapter III

Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out and suggested that it be included in draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are been included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.

Data Collection

In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the in Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.

Consent

On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over certain cases, in other cases they choose to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this should too be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized upon the fact that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was highly emphasized.

Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.

Data Disclosure

In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.

A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared, retained when it is not handled within India and several participants argued that this should be encountered within the Bill.

Data Destruction

In terms of data destruction, a participant emphasized upon the fact that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized upon the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.

Data Processing

In terms of data processing, participants argued that privacy protection complications have arisen in light of the social media. In particular, they argued that social media develop and expand technologically constantly and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.

However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.

In brief, the following questions with regards to chapter III of the bill were raised during the meeting:

Should consent be required prior to the collection of data?
Should consent be acquired prior and after the disclosure of data?
Should the purpose of data collection be the same as the purpose for the disclosure of data?
Should an executive order or a court order be required to disclose data?
At the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?
An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?

Should companies notify individuals when they share their (individuals´) data with international third parties?

In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:

The data subject has to be informed, unless there is a model contract.
The request for consent should depend on the type of data that is to be disclosed.
Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).
The shared data may be considered private data (need of a relevant regulatory framework).
An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.
If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country.
India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.
The problem with disclosure is when there is an exception for certain circumstances
Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability.
Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).
´Data ownership´ should be included in the definitions of the Bill.
What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.

Discussion of “Interception of Communications”: Chapter IV

The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for other purposes other than the original purpose, as well as that such information should not be shared with third parties.

Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.

Discussion on self-regulation and co-regulation

The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.

The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.

Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than what the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.

Meeting conclusion

The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table