Centre for Internet and Society

Fourth Meeting of the two Sub-Groups on Privacy Issues under the Chairmanship of Justice AP Shah

praskrishna — 2012-08-07T10:12:41Z

The next meeting of the two Sub-Groups (4th meeting) on privacy issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on July 9, 2012 at 11.00 a.m. in Committee Room No. 228, Yojana Bhawan, Planning Commission, New Delhi.

Members of both the Sub-Groups are requested to send their final drafts as decided in the meeting held on June 27, 2012, by July 4, 2012 so that these could be circulated for obtaining feedback and for discussions/deliberations on July 9, 2012.

The above information was communicated by Shri S. Bose, Under Secretary, (CIT & I) to the following individuals:

Justice A.P. Shah, Chairman
Dr. Kamlesh Bajaj
Ms. Usha Ramanathan
Shri Sunil Abraham/Shri Pranesh Prakash
Prashant Reddy
Prof. Arghya Sengupta (requested to join the meeting on skype. Exact time for coming online will be communicated separately)
Shri Som Mittal
Shri Gulshan Rai
Ms. Mala Dutt

A copy of this information was sent to the following individuals:

Dr. C.M. Kumar, Sr, Adviser (CIT&I)

Shri R.K. Gupta, Adviser (CIT&I)

Shri Ramesh Kumar, Director (CIT&I)

For more details visit https://cis-india.org/news/fourth-meeting-of-sub-groups-on-privacy-issues

India Privacy Meet

praskrishna — 2012-07-02T10:48:54Z

Microsoft, DSCI and Greyhead came together to organise India Privacy Meet at Hotel LeMeridien on June 29, 2012 in New Delhi. Sunil Abraham was a panelist in the event.

Agenda

10:00a.m.- 10:10a.m.	Welcome and Introduction: Rahul Neel Mani, Editor & Co-founder Grey Head Media
10:10a.m.- 10:30a.m.	Conference Opening Remarks: Dr. Kamlesh Bajaj, CEO Data Security Council of India
10:30a.m.- 10:45a.m.	Theme Address: Deepak Rout, CSO & Director Privacy, Microsoft India
10:45a.m.- 11:00a.m.	Tea/Coffee Break
11:00a.m.- 12:00p.m.	Panel 1: Consumer Privacy – Creating the Right Balance

Brief: Data Privacy is perhaps the most concerning issue in the digital age. Consumer privacy or customer privacy, involves the handling and protection of sensitive personal information that individuals provide in the course of everyday commercial or professional transactions. This involves exchange or use of data electronically or by other means, including telephone, fax, writing, and word of mouth. With the advent and evolution of Internet and other electronic methods of mass communications, consumer privacy has become a major concern to deal with. Personal information, when misused or inadequately protected, can result in identity theft, financial fraud, and other problems that collectively cost individuals, businesses, and governments. In addition, Internet crimes and civil disputes consume law enforcement and judicial resources, confound legislators and bureaucracy, and produce untold personal aggravation.

Key Discussion Areas:

Handling of Personal Information including Sensitive Personal Information
Customer education on understanding business models and motives behind collection and use of Personal Information?
Privacy legislation and striking the right balance between various objectives
Privacy by design, online tracking, and transparency issues
Role of Government, Academia and Citizen groups

Panelists:

Chair - Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)
Sivarama Krishnan, Executive Director, PwC India
Pankaj Agarwal, Head of IT Governance & CISO Aircel
Prashant Mali, Advocate & Cyber Law Expert
Deepak Rout, CSO & Director Privacy, Microsoft India
Vishal Jain, Director, Ernst & Young

12:00p.m.- 01:00p.m.	Panel 2: Citizen Privacy Transparency, Accountability and Social Progress

Brief: While citizens are adopting new technologies which are increasingly making it easier to share information more freely and thereby track individuals more easily, they are also demanding more accountability and openness. Experience indicates that having a more informed citizenry improves services, and accelerates innovation; thus the era of copious content has the potential to generate a host of new services and businesses. However, there is a need for greater transparency in the handling of citizen data and its legitimate use in governance and law enforcement. While new age technologies, if inappropriately used, have a potential impact on citizens’ privacy, they also arm us with the capability to protect citizen data and provide opportunities for privacy conscious and transparent usage of such data, provided there is an enabling environment created by informed and responsible privacy legislation.

Key Discussion Areas:

Core objectives for privacy legislation
Role of government in protecting citizen privacy
Citizen awareness of privacy concerns in today’s legal, business and technology landscape
Expectations of government and citizens on policies around usage and collection of personal data and ability to build profiles for being used for different purposes
Model privacy legislation

Panelists:

Chair - Nirmaljeet Singh Kalsi, Jt. Secretary, Ministry of Home Affairs
Na Vijaya Shankar, E-business Consultant & Cyber Law Specialist (Coordinator)
Sunil Abraham, Executive Director, Centre for Internet & Society
Akhilesh Tuteja, Executive Director, KPMG India
A P Singh, DDG, Unique Identification Authority of India (UIDAI)
Kailas Karthikeyan, Regulatory & Pub Policy Manager, Legal and Corp Affairs Microsoft

01:00p.m.- 01:10p.m.	Conference Closing Remarks by Deepak Rout, CSO & Director, Privacy Microsoft India Vote of Thanks
01:15p.m. onwards	Lunch

For more details visit https://cis-india.org/news/india-privacy-meet

How Facebook is Blatantly Abusing our Trust

nishant — 2012-06-28T12:42:32Z

‘Don’t fix it, if it ain’t broken’ is not an adage Facebook seems to subscribe to. Nishant Shah's column on privacy and Facebook was published in First Post on June 27, 2012.

Facebook is just re-emerging from the controversies around how it conducted the voting on its new privacy policies, when it goes and digs itself deeper by trying to push down its email services down the throats of its users. If you have recently logged-in to Facebook, you will have received a notification that says that you have been ‘gifted’ with a free Facebook email account.

However, that is a later phenomenon. A couple of days ago, the whole community of Facebook users went about their usual way, without knowing that something substantial had changed.

Facebook, who launched their email service as a part of their social networking empire, with or without your consent, has given us a ‘yourname@facebook.com’ email account. I know free things are considered good, but not an email account that I did not sign up for!

And to make things worse, this email account was, without our consent, added to our time-line and displayed as the primary email address.

In itself, it is a small move – with the redesign of the Timeline, Facebook had already introduced many such forced disclosures and changes that most of just had to accept, even if it might have had us fuming. However, with this change, Facebook has now started showing exactly what it can do in building your public profile and creating information about you, without your consent.

In their lame PR spiel, the company tried to pass it off as a freebie that they were gifting their users. But anybody who was not born yesterday realises that this is a desperate attempt to make a floundering service work.

Facebook messaging may work despite the clunky user interface, but its email services remain terribly underused. One of the paradoxes for this lies in the fact that you cannot open a Facebook account without a primary email account with another service, which is used as your authentication as well as the system through which Facebook notifications work.

Thus, many times, when introducing Facebook to first-time users of the web, we have to first train them in creating and using an email account before they can get on to the social network.

Hence, when Facebook did offer users the option of using a Facebook email service, most of them politely declined because nobody in their right mind is going to migrate to new a email services unless there was a substantial range of benefits being offered.

So how did Facebook respond? It just forced the email service upon its millions of users. While this is no different from the other kind of restrictions that are imposed upon us within the Facebook universe – the advertisements we see, the design and layout, the insipid white-and-blue background, the kind of information we can and cannot share and display – etc. this is the first time that Facebook actually added to our information profile and displayed it to the public.

Which means, that the next time somebody looks you up on Facebook – and let’s face it, one of the things we all use Facebook for, is to find people we know and get connected with them – they will see your Facebook email id listed as your contact address. And while you might get a notification in your primary email about any mails that you receive in your Facebook account, the fact is that, all those emails will become a part of Facebook’s huge data farms.

In a move that is almost a pale imitation of Google’s growing monopoly over our private information, Facebook seems to be now looking to expand its data empires. However, while Google did it through strategic design and marketing, offering innovations and incentives for its users to use their services, Facebook seems to have decided to build a Trojan horse and sneak these services in through the back door.

While this might not seem a big deal right now, it has deeper repercussions for what this corporate behemoth can do, not only with our data, but also to our data that we think is actually our own.

If your alarm bells aren’t already ringing, they should be, as Facebook demonstrates a blatant abuse of the trust that we have put in its system, to keep our private data safe.

The million dollar question – or maybe a slightly reduced price, given its public listing status on the stock-exchange right now – is that while Facebook might keep us safe from other people using our data, will it also be able to keep us safe from itself?

Read the original here

For more details visit https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust

Securing e-Governance

natasha — 2012-06-26T06:45:26Z

On June 16, 2012, Privacy India in partnership with the Centre for Internet & Society, Bangalore, International Development Research Centre, Canada, Privacy International, UK and the Society in Action Group, Gurgaon organised a public discussion on “Securing e-Governance: Ensuring Data Protection and Privacy”, at the Ahmedabad Management Association.

The conversation brought together a cross section of citizens, lawyers, activists, researchers, academia and students.

	Prashant Iyengar, Assistant Professor, Jindal Global Law, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of eight consultation previously organized across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011, in Chennai on August 6, 2011, in Mumbai on January 21, 2012, in New Delhi on February 3, 2012 and again in New Delhi on February 4, 2012. He described an egregious instance where the State Government of Karnataka, announced a plan to “post on its website all details of (1.51 crore) ration cardholders in the state”, to weed out duplicate ration cards and promote transparency. Details posted on the website would include the “ration card number, category of card (BPL/APL), names and photographs of the head and other members of a family, address, sources of income, LPG gas connection and number of cylinders in village/taluk/district wise.” An official said, “This would also work as a marriage bureau, for instance, a boy can see a photograph of a girl on the website and see whether she suits him”.[1] He described another embarrassing incident, which took place in 2008. Sixteen surveillance cameras were stolen from the Taj Mahal. After they had been replaced, in December 2010, it was reported that all of the CCTVs in the Taj Mahal had stopped working due to a “virus attack” on their computer systems. The district administration and the police department were apparently in disagreement as to who bore the burden of their maintenance.

Prashant Iyengar, Assistant Professor, Jindal Global Law, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the series of eight consultation previously organized across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011, in Chennai on August 6, 2011, in Mumbai on January 21, 2012, in New Delhi on February 3, 2012 and again in New Delhi on February 4, 2012.

He described an egregious instance where the State Government of Karnataka, announced a plan to “post on its website all details of (1.51 crore) ration cardholders in the state”, to weed out duplicate ration cards and promote transparency. Details posted on the website would include the “ration card number, category of card (BPL/APL), names and photographs of the head and other members of a family, address, sources of income, LPG gas connection and number of cylinders in village/taluk/district wise.” An official said, “This would also work as a marriage bureau, for instance, a boy can see a photograph of a girl on the website and see whether she suits him”.[1]

He described another embarrassing incident, which took place in 2008. Sixteen surveillance cameras were stolen from the Taj Mahal. After they had been replaced, in December 2010, it was reported that all of the CCTVs in the Taj Mahal had stopped working due to a “virus attack” on their computer systems. The district administration and the police department were apparently in disagreement as to who bore the burden of their maintenance.

Prof. Subhash Bhatnagar, Advisor Center for e-Governance IIM, Ahmedabad, dismissed the notion that privacy is irrelevant in India. A survey on e-governance, of 50,000 people conducted in major cities of India shows that confidentiality and security of data were among the top 3 concerns among 20 choices. He discussed various mission mode projects in the National e-Governance Plan that holds and shares large amounts of data on individuals and business. He referred to his personal experience when enrolling for UID. He noticed that the box concerning consent for sharing of information with third parties was, by default, automatically ticked. When he asked the UID staff, they mentioned that the software does not allow for enrollment to continue if the box is not ticked. He called for increased vigilance among citizens, a phone helpline dedicated to resolution of privacy intrusions and sensitizing designers of e-Governance projects.

Prof. Subhash Bhatnagar, Advisor Center for e-Governance IIM, Ahmedabad, dismissed the notion that privacy is irrelevant in India. A survey on e-governance, of 50,000 people conducted in major cities of India shows that confidentiality and security of data were among the top 3 concerns among 20 choices. He discussed various mission mode projects in the National e-Governance Plan that holds and shares large amounts of data on individuals and business. He referred to his personal experience when enrolling for UID. He noticed that the box concerning consent for sharing of information with third parties was, by default, automatically ticked. When he asked the UID staff, they mentioned that the software does not allow for enrollment to continue if the box is not ticked. He called for increased vigilance among citizens, a phone helpline dedicated to resolution of privacy intrusions and sensitizing designers of e-Governance projects.

	Dr. Nityesh Bhatt, Sr. Associate Prof and Chairperson-Information Management Area, Institute of Management, Nirma University, Ahmedabad, stressed the importance of limiting access of information on a need-to-know basis, which is one of the most fundamental security principles. He described various characteristics of information security management including: planning, policy, programs, protection, people and project management. Lastly, he recommended ‘SETA’ as an essential program, designed to reduce the incidence of accidental security breaches by employees, contractors, consultants, vendors, and business partners. A SETA program consists of three elements: security education, security training, and security awareness. It can improve employee behavior and enables the organization to hold employees accountable for their actions.

Dr. Nityesh Bhatt, Sr. Associate Prof and Chairperson-Information Management Area, Institute of Management, Nirma University, Ahmedabad, stressed the importance of limiting access of information on a need-to-know basis, which is one of the most fundamental security principles. He described various characteristics of information security management including: planning, policy, programs, protection, people and project management. Lastly, he recommended ‘SETA’ as an essential program, designed to reduce the incidence of accidental security breaches by employees, contractors, consultants, vendors, and business partners. A SETA program consists of three elements: security education, security training, and security awareness. It can improve employee behavior and enables the organization to hold employees accountable for their actions.

Dr. Neeta Shah, Director (e-Governance) Gujarat Informatics Limited, described the extent of e-governance initiatives in Gujarat (there are more than 100 e-governance applications running) and its impact. She discussed successful e-governance initiatives that have helped solve critical problems such as the online teacher application process, which accelerates the recruitment process of primary teachers. E-governance applications of various departments ensure security of data and privacy protection through the following measures: Network security (NIPS, Firewalls, content filtering, HIPS, antivirus, etc.) Data security (robust SAN environment with high raid levels to prevent any data loss) Application security (audited by empanelled TPA) DR/BCP provisioning (real-time data is replicated to DR site in case of any physical calamity or damage to resources at primary site, backup exists at remote different seismological locations) When designing e-government projects, the government tends to think about security of the system, but not privacy of the data. Security in the minds of the government is achieved through strengthening infrastructure, but they often overlook the human dynamic.

Dr. Neeta Shah, Director (e-Governance) Gujarat Informatics Limited, described the extent of e-governance initiatives in Gujarat (there are more than 100 e-governance applications running) and its impact. She discussed successful e-governance initiatives that have helped solve critical problems such as the online teacher application process, which accelerates the recruitment process of primary teachers.

E-governance applications of various departments ensure security of data and privacy protection through the following measures:

Network security (NIPS, Firewalls, content filtering, HIPS, antivirus, etc.)
Data security (robust SAN environment with high raid levels to prevent any data loss)
Application security (audited by empanelled TPA)
DR/BCP provisioning (real-time data is replicated to DR site in case of any physical calamity or damage to resources at primary site, backup exists at remote different seismological locations)

When designing e-government projects, the government tends to think about security of the system, but not privacy of the data. Security in the minds of the government is achieved through strengthening infrastructure, but they often overlook the human dynamic.

Gopalkrishnan Devnathan (Kris dev), Co-founder, International Transparency and Accountability Network, described e-Governance as the application of Information and Communication Technology for delivering government services. It involves the integration of various systems and services between Government-to-Citizens, Government-to-Business, Government-to-Government as well as back office processes and interactions within the entire government framework. E-governance initiatives can ensure privacy and security through: Securing data/transaction using Smart Card with triple access control, Card, PIN and Biometrics (multimodal) Mirrored data storage with proper security Indelible audit trail using encrypted flat file Prevent server intrusion and data theft upfront rather than do post-mortem analysis Information on data accessed can be communicated on real time basis using ICT tools Lastly, he identified the usefulness, inhibitions and potential security solutions for the Unique Identification System.

Gopalkrishnan Devnathan (Kris dev), Co-founder, International Transparency and Accountability Network, described e-Governance as the application of Information and Communication Technology for delivering government services. It involves the integration of various systems and services between Government-to-Citizens, Government-to-Business, Government-to-Government as well as back office processes and interactions within the entire government framework. E-governance initiatives can ensure privacy and security through:

Securing data/transaction using Smart Card with triple access control, Card, PIN and Biometrics (multimodal)
Mirrored data storage with proper security
Indelible audit trail using encrypted flat file
Prevent server intrusion and data theft upfront rather than do post-mortem analysis
Information on data accessed can be communicated on real time basis using ICT tools

Lastly, he identified the usefulness, inhibitions and potential security solutions for the Unique Identification System.

	Anindya Kumar Banerjee, Regional Manager- East, CG & MP at Ncomputing Inc., discussed a comparative analysis of e-governance initiatives in India. He analyzed various factors such as ease of use, simplicity of procedures, time savings compared to manual, affordable cost of service and reduction in corruption. He described the difference infrastructural threats of security and privacy in e-Governance.

Anindya Kumar Banerjee, Regional Manager- East, CG & MP at Ncomputing Inc., discussed a comparative analysis of e-governance initiatives in India. He analyzed various factors such as ease of use, simplicity of procedures, time savings compared to manual, affordable cost of service and reduction in corruption. He described the difference infrastructural threats of security and privacy in e-Governance.

Dr. Mrinalini Shah, Professor of Operations Management at Institute of Management Technology, Ghaziabad identified the slow legal system and multiple jurisdiction system as a challenge for privacy and security of data and implementations of suitable access controls and authorization as a helping factor.

Utkarsh Jani, Advocate, Jani Advocates, described the relevant section of the Information Technology Act (ITA) relating to privacy and the political and social challenges surrounding the right to privacy. He discussed the right to privacy vis-à-vis data protection. Though the ITA does enforce a level of data protection, it is far from flawless.

The ITA lacks the following:

The definition and classification of data types.

The nature and protection of the categories of data.

Data controllers and data processors have distinct
Clear restrictions on the manner of data collection.
Clear guidelines on the purposes for which the data can be put and to whom it can be sent.

Standards and technical measures governing the collection, storage, access to, protection, retention and destruction of data.
It does not provide strong safeguard and penalties against the aforesaid breaches.

Sunny Vaghela, Founder and CTO, TechDefence Pvt. Ltd., provided a hacker’s perspective to security and privacy issues in e-governance. Cyber crimes such as privacy violations and data breaches are increasing because of the dependence on complex computer infrastructures. Complex computer infrastructures make systems vulnerable because if one application is hacked, the entire network can be accessed and compromised. He conducted a live demonstration, showing how simple it is to hack into a government website. From his personal experience as an ethical hacker, he stated that government agencies are extremely negligent about the privacy and the security of data. A major concern with e-governance websites is that they not designed with privacy in mind, leaving the personal and private details of citizens vulnerable. He called for full penetration testing and vulnerability assessment of e-governance portals in order to maintain the privacy of citizens and protect government data. Some government websites that were hacked include AMC e-governance (was awarded one best e-governance award in 2010), CBI server and the Income Tax of India server. Lastly, he described the frequent mistakes made by the government in e-Governance projects. The government started using the e-Governance systems in 2003. Typically, three things are a component of the application: the person, the source code and the database, but the security is on the network. Governments work on developing the network to be secure, but they often overlook the application. A solution to this could be the use of high interaction honey pots.

Sunny Vaghela, Founder and CTO, TechDefence Pvt. Ltd., provided a hacker’s perspective to security and privacy issues in e-governance. Cyber crimes such as privacy violations and data breaches are increasing because of the dependence on complex computer infrastructures. Complex computer infrastructures make systems vulnerable because if one application is hacked, the entire network can be accessed and compromised.

He conducted a live demonstration, showing how simple it is to hack into a government website. From his personal experience as an ethical hacker, he stated that government agencies are extremely negligent about the privacy and the security of data. A major concern with e-governance websites is that they not designed with privacy in mind, leaving the personal and private details of citizens vulnerable.

He called for full penetration testing and vulnerability assessment of e-governance portals in order to maintain the privacy of citizens and protect government data. Some government websites that were hacked include AMC e-governance (was awarded one best e-governance award in 2010), CBI server and the Income Tax of India server.

Lastly, he described the frequent mistakes made by the government in e-Governance projects. The government started using the e-Governance systems in 2003. Typically, three things are a component of the application: the person, the source code and the database, but the security is on the network. Governments work on developing the network to be secure, but they often overlook the application. A solution to this could be the use of high interaction honey pots.

	Nisha Thompson, Data Project Manager at Arghyam/ India Water Portal, discussed the increased amount of data generated through e-governance initiatives and its impact. When more data is generated and collected, politics and privacy become intertwined. There can be a conflict between opening up data and privacy thus; one needs to decide on parameters. For example, with regards to privacy and national security, parameters should be in place to determine where privacy ends and the public good starts. In India, this line does not begin with the individual as it does in many contexts. Collective privacy in India is important. She described various online tools that increase transparency and awareness such as: Transparency Chennai, India Governs and I Paid a Bribe. Over the course of the day, participants engaged in lively discussion on various issues such as the objectives and features of e-governance, examples of e-governance projects, and the parameters, problems, loopholes and tensions in e-governance projects. Participants response to privacy concerns have to a large extent focused on the fact that e-Governance is a double-edge sword. E-governance initiatives are an invariable tool for ensuring wider participation and deeper involvement of citizens, institutions, NGOs as well as private firms in the decision making process. However, the political and regulatory environment must be strengthened.

Nisha Thompson, Data Project Manager at Arghyam/ India Water Portal, discussed the increased amount of data generated through e-governance initiatives and its impact. When more data is generated and collected, politics and privacy become intertwined. There can be a conflict between opening up data and privacy thus; one needs to decide on parameters. For example, with regards to privacy and national security, parameters should be in place to determine where privacy ends and the public good starts. In India, this line does not begin with the individual as it does in many contexts. Collective privacy in India is important. She described various online tools that increase transparency and awareness such as: Transparency Chennai, India Governs and I Paid a Bribe.

Over the course of the day, participants engaged in lively discussion on various issues such as the objectives and features of e-governance, examples of e-governance projects, and the parameters, problems, loopholes and tensions in e-governance projects.

Participants response to privacy concerns have to a large extent focused on the fact that e-Governance is a double-edge sword. E-governance initiatives are an invariable tool for ensuring wider participation and deeper involvement of citizens, institutions, NGOs as well as private firms in the decision making process. However, the political and regulatory environment must be strengthened.

About Privacy India

Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, policymakers, legislators and the legal and academic community.

[1] Nagesh Prabhu, A way to check bogus ration cards, THE HINDU, September 18, 2010, http://www.thehindu.com/todays-paper/tp-national/tp-karnataka/article696087.ece (last visited Oct 23, 2011).

Click below to download the following resources:

E-Governance, Identity and Privacy [PDF, 253 Kb]
Event Brochure [PDF, 1618 Kb]

For more details visit https://cis-india.org/internet-governance/securing-e-governance-event-report

Privacy Matters — Consumer Privacy

praskrishna — 2012-07-31T10:55:30Z

Privacy India, in partnership with the Centre for Internet & Society, International Development Research Centre, Society in Action Group and Privacy International, invites you to a public conference focused on discussing the challenges and concerns to consumer privacy in India. The event will be held at the Indian International Centre, New Delhi on Saturday, July 7, 2012, from 9 a.m. to 5 p.m.

According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors.

Consumer privacy is concerned with accuracy of how a consumers information is collected and used. Because a consumers relationship with another entity is based on an exchange along consented terms, a breach in consumer privacy can be constituted as an action that was not agreed to. In the age of data collection – a breach in privacy occurs when information is used in different ways than was intended. Consumer privacy in India is determined at the sectoral level, and differs depending on the services that is provided for.

As corporations sell data banks, ISP's expose consumer habits, or ones personal information falls in the wrong hands – the consequences are far reaching, and can result in spamming, unwanted marketing, theft, or the violation can impact an individual's ability to buy a home, potential employment opportunities, or gain access to credit.

In India, the right to privacy has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. - people who most need to know that sensitive information is protected.

Since June 2010, Privacy India in collaboration with Privacy International, based in London, has been conducting workshops and engaging in public awareness. Participants include policy makers, researchers, sectoral experts, NGOs, and the public to discuss and deliberate different questions of privacy, its intersections and its implications with our everyday life. The discussions have ranged from topics of online privacy to minority rights and privacy and e-Governance initiatives privacy. The workshops have been organized in different cities - Bangalore, Guwahati, Mumbai, Delhi, Kolkata, Ahmedabad, Chennai, Goa, etc.

Click here for the agenda

Please confirm your participation with natasha@cis-india.org

Download the invite here [PDF, 160 Kb]

Download our research here [PDF, 178 Kb]

For more details visit https://cis-india.org/internet-governance/consumer-privacy-delhi

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit https://cis-india.org/news/co-spying-on-competitors-staff

India's struggle for online freedom

praskrishna — 2012-06-18T06:39:32Z

"65 years since your independence," a new battle for freedom is under way in India — according to a YouTube video uploaded by an Indian member of Anonymous, the global "hacktivist" movement.

Rebecca MacKinnon's article was published in the Sydney Morning Herald on June 9, 2012

With popular websites like Vimeo.com blocked across India by court order, the video calls for action: "Fight for your rights. Fight for India." Over the past several weeks, the group has launched distributed denial-of-service attacks against websites belonging to internet service providers, government departments, India's Supreme Court, and two political parties.

Street protests are being planned for today in as many as 18 cities to protest laws and other government actions that a growing number of Indian internet users believe have violated their right to free expression and privacy online.

A lively national internet freedom movement has grown rapidly across India since the beginning of this year.

The most colourful highlight so far was a seven-day Gandhian hunger strike, otherwise known as a "freedom fast," held in early May on a New Delhi pavement by political cartoonist Aseem Trivedi and activist-journalist Alok Dixit. Trivedi's website was shut down this year in response to a police complaint by a Mumbai-based advocate who alleged that some of Trivedi's works "ridicule the Indian Parliament, the national emblem, and the national flag."

Escalating political and legal battles over internet regulation in India are the latest front in a global struggle for online freedom — not only in countries like China and Iran where the internet is heavily censored and monitored by autocratic regimes, but also in democracies where the political motivations for control are much more complicated.

Democratically elected governments all over the world are failing to find the right balance between demands from constituents to fight crime, control hate speech, keep children safe, and protect intellectual property, and their duty to ensure and respect all citizens' rights to free expression and privacy. Popular online movements — many of them globally interconnected — are arising in response to these failures.

Only about 10 per cent of India's population uses the web, making it unlikely that internet freedom will be a decisive ballot-box issue anytime soon. Yet activists are determined to punish New Delhi's "humourless babus," as one columnist recently called India's censorious politicians and bureaucrats, in the country's media. Grassroots organisers are bringing a new generation of white-collar protesters to the streets to defend the right to use a technology that remains alien to the majority of India's people.

The trouble started with the 2008 passage of the Information Technology (Amendment) Act, whose Section 69 empowers the government to direct any internet service to block, intercept, monitor, or decrypt any information through any computer resource.

Company officials who fail to comply with government requests can face fines and up to seven years in jail. Then, in April 2011, the Ministry of Communications and Information Technology issued new rules under which internet companies are expected to remove within 36 hours any content that regulators designate as "grossly harmful," "harassing," or "ethnically objectionable" — designations that are open to a wide variety of interpretations and that free speech advocates argue have opened the door to abuse.

It is thanks to these rules that the website of the hunger-striking cartoonist, Trivedi, was taken offline. Also thanks to the 2011 rules, Facebook and Google are facing trial for having failed to remove objectionable content. If found guilty, the companies could face fines, and executives could be sentenced to jail time.

Saturday's protesters are calling for annulment of the 2011 rules and the repeal of part of the 2008 act. They are also calling for internet service companies to reverse the wholesale blocking of hundreds of websites, including the file-sharing services isoHunt and The Pirate Bay, as well as the video-sharing site Vimeo and Pastebin, which is primarily used for the sharing of text and links.

Internet service providers were responding to a court order from the Madras High Court demanding the blockage, which is aimed at preventing the online distribution of pirated versions of one particular film. The internet companies, fearing that they would not be able to catch every individual instance on every possible site they host, instead chose to block entire services along with all of their content — which had nothing to do with the film in question.

Such "John Doe" orders, named because they are directed against unknown potential offenders in the present and future, are characterised "by their overly broad and sweeping nature," argue lawyer Lawrence Liang and researcher Achal Prabhala, which extends "to a range of non-infringing activities as well, thus catching a whole range of legal acts in their net."

More broadly, as Delhi-based journalist Shivam Vij wrote in a recent essay: "The current mechanisms of internet censorship in India — blocking, direct removal requests to websites, intermediary rules — are draconian and unconstitutional. They need to be replaced with a new set of rules that are fair, transparent and accessible for public scrutiny. They should not be amenable to misuse by the powers-that-be for their own private interests."

Not only are the rules abused, but researchers find that they are causing extralegal censorship by companies that overcompensate in order to err on the side of caution. Last year, the Bangalore-based Centre for Internet and Society performed an experiment in which it sent "legally flawed" takedown demands to seven companies that provide a range of online services, including search, online shopping, and news with user-generated comments.

The legal flaws in the notices were such that the companies could have rejected them without being in breach of the law. Yet "of the 7 intermediaries to which takedown notices were sent, 6 intermediaries over-complied with the notices, despite the apparent flaws in them," reads the Centre for Internet and Society report.

Despite the growing public opposition, a motion to annul the 2011 rules was defeated by voice vote in the upper house of Parliament last month. Yet the criticism was sufficiently sharp that Communications Minister Kapil Sibal announced that he will hold consultations with all members of Parliament, representatives of industry, and other "stakeholders" to discuss the law's problems and how it might be revised.

Many of the law's critics, however, are skeptical that this will eliminate the law's deep flaws and loopholes for abuse, especially given the government's failure to listen so far. Comments on the 2011 rules submitted last year by the Centre for Internet and Society were not even acknowledged as having been received by the Ministry of Communications and Information Technology. "Sibal uses the excuse of national security and hate speech," says the center's director, Sunil Abraham, "but that is not what is happening."

Abraham worries that what is really happening is a government effort at Internet "behavior modification" through a process akin to an experiment involving caged monkeys, bananas, and ice water. Put four monkeys in a cage and hang a bunch of bananas on the ceiling. Every time one of them climbs up to reach the bananas, you drench all of them with ice water.

Soon enough, the monkeys will start policing themselves — attacking anybody who tries to reach the bananas, making it unnecessary for their masters to deploy the ice water. "This is why the government is being so aggressive so early on, with only 10 percent of India's population online," says Abraham. "If you start the drenching early on, by the time you get to 50 per cent [internet penetration], every one will be well-behaved monkeys."

Companies will act as private internet police for fear of legal punishment before the government is called upon to step in and enforce the law. If it works, Indian politicians could have fewer reasons to worry about online critiques or mockery, because companies fearing prosecution will proactively delete speech that could potentially be designated "harassing" or "grossly harmful."

India is not China or Iran, however. Its politicians may be corrupt, and most of its voters may not understand why Internet freedom matters because they've never used the Internet. But it still has an independent press and boisterous civil society that are not going to give up their critiques and protests anytime soon. India also has a strong, independent judiciary, with a record of ruling against censorship and surveillance measures when a strong case can be made that they conflict with constitutional protections of individual rights. "On free speech I have high faith in the Indian judiciary," says Abraham. "There is a good chance to launch a constitutional challenge."

If Google and Facebook lose at their impending trial — now scheduled for July — they will most certainly appeal, which activists hope could provide just such an opportunity to prevent the sort of "behaviour modification" process that Abraham warns against.

Now India's burgeoning internet freedom movement needs its own reverse "behaviour modification" strategy — imposing consistent and regular doses of political and legal ice water upon India's bureaucrats, politicians, and companies whenever they do things that threaten to corrode the rights of India's internet users. Saturday's protest is just the beginning.

Sunil Abraham is quoted in the article. The report on Intermediary Guidelines co-produced by CIS and Google is also mentioned.

For more details visit https://cis-india.org/news/indias-struggle-for-online-freedom

'Attempts to censor the web ill-advised'

praskrishna — 2012-06-17T07:11:39Z

Amid concerted government attempts to censor the internet and the recent blocking of file-sharing websites due to a court order based on a petition by producers of a Tamil film, speakers at a discussion on Saturday felt that there was a fear of freedom of expression among those affected by it, primarily the powerful.

Article by Krish Fernandes published in the Times of India on June 3, 2012

At the discussion on 'freedom of expression and privacy: Proposition' held at Goa University, senior journalist Paranjoy Guha Thakurta felt the increasing attempts at online censorship were a consequence of the government being unable to formulate coherent responses to the widening of the limits to freedom of expression on the internet.

He was of the view that all stakeholders should be consulted before any legislation in this regard.

Vickram Crishna of Privacy International spoke about "the fear of freedom of expression". While stating that the internet access had jumped due to the increased usage of smartphones, he observed that "there were concerted moves to make these things (censorship) happen in India".

"What use is access, if we don't have freedom of expression?" Crishna questioned.

Geeta Seshu of The Hoot was of the opinion that the world was also seeing the rise of powerful web players such as search engines and social networks with no obligations to permit free speech.

Chinmayi Arun of the National University of Juridical Sciences echoed this view. She felt freedom of speech and expression were vulnerable because they receive very little protection from non-state factors. She felt surveillance may soon become as serious a threat to free speech as censorship.

Advocate Apar Gupta felt there are better safeguards against banning books, while web content bans see almost no safeguards.

Touching on the ban on file-sharing sites, Lawrence Liang of Alternative Law Forum felt private bodies such as ISPs were being given powers of the state.

Anja Kovacs of Internet Democracy Project was critical of the government instructing internet service providing companies to setup servers in the country. The internet as we know it will stop to exist if we have server requirements in all countries, she said.

Frederick Norohna of publishing house Goa 1556, Siddhart Narrain and Danish Sheikh of the Alternative Law Forum, Paromita Vohra of Devi Pictures and Werner Souza also spoke on the occasion.

For more details visit https://cis-india.org/news/attempts-to-censor-the-web-ill-advised

Poor Guarantee of Online Freedom in India

praskrishna — 2012-06-17T04:18:26Z

The debate over the "Intermediaries Guidelines" as part of the Information Technology Act, 2000 in Parliament brought focus to the issue of censorship and lack of accountability of governing bodies vis-à-vis the internet in the country. This cannot be divorced from the larger questions related to the threats to freedom of expression from both the state and various societal actors today.

This article by Geeta Seshu was published in the Economic & Political Weekly, Vol XLVII No. 24, June 2012.

An annulment motion against the Information Technology (Inter-mediaries Guidelines) Rules, 2011 moved by Member of Parliament (MP) P Rajeev of the Communist Party of India (Marxist) in the Rajya Sabha, was the first serious attempt by internet freedom activists to get the Information Technology (IT) Act, 2000 discussed and reviewed by the country’s lawmakers.

Not unexpectedly, the motion, specifically against the rules governing intermediaries – clause (zg) of subsection (2) of Section 87 read with subsection (2) of Section 79 of the >IT Act, 2000 – was not carried. However, the discussion that preceded it at least demonstrated the concerns of parliamentarians about what internet freedom activists have termed the “draconian” provisions of the IT Act.

It is about time, really, that parliamentarians sit down to review what they very quickly acquiesced to in December 2009. It is also about time that the debate over the provisions of the IT Act be conducted in the public domain, instead of in closed-door meetings with expert groups and committees comprising a narrow set of stakeholders favoured by the government or its various wings.

The discussion in the Rajya Sabha largely centred around the vague and sweeping terminology of the range of content that anyone could take objection to. P Rajeev said that while he supported the regulation of the internet, he was not in favour of its control. The rules were ultra vires the IT Act, he said. Echoing his concern, leader of the opposition Arun Jaitley of the Bharatiya Janata Party, D Raja of the Communist Party of India and N K Singh of the Janata Dal (United) – to name just a few – also said that the internet was different from other media and censoring it was untenable.

Finally, union minister for information technology, Kapil Sibal, was forced to give an assurance to the house that he would call a meeting of MPs, industry and all stakeholders and implement whatever consensus emerges after a discussion on the specific words members had objections to.

There was no mention from the minister on a host of other problem areas in the rules as they are currently framed, including the very sweeping definition of an “intermediary” itself (any entity which on behalf of another receives, stores or transmits any electronic record – which means internet service providers, web hosting providers, search engines, online payment sites, cybercafes and bloggers too). No mention either of the rules for intermediaries to takedown notices within 36 hours of receiving a complaint, irrespective of whether these are fair and reasonable. No mention of whether the rules need to provide procedures for hearing and adjudicating complaints before any content is taken down.

The IT Guidelines

In several ways, the rules have gone way beyond what was laid down in the IT Act, but they also add considerably to the original reasonable restrictions laid down under Article 19 (2) of the Constitution of India. Some of the terms that can invite objections under the guidelines are:

(a) Belongs to another person and to which the user does not have any right to; (b) grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophiliac, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever; (c) harm minors in any way; (d) infringes any patent, trademark, copyright or other proprietary rights; (e) violates any law for the time being in force; (f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature; (g) impersonate another person; (h) contains software viruses or any other computer code, files or programmes designed to interrupt, destroy or limit the functionality of any computer resource; (i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

With this wide-ranging and entirely arbitrary set of potential violations, the possibility of misuse is also immense. In its comments submitted in response to the draft rules, Privacy India and the Centre for Internet and Society (CIS) pointed out that Sections 79(1) and (2) of the amended IT Act itself did provide for exemptions for third party liabilities of intermediaries, something that the rules have now virtually set aside.[1]

Other comments submitted by these organisations about security and privacy of cybercafe users deal with minors and with the general architecture of cybercafes. In the first instance, the organisations expressed concern that undue restrictions on the use of the internet by minors (photo identity cards, accompanied by adults, etc) would hamper their access to the internet and would actually discourage poorer children from using the internet.

In the second instance, the detailed restrictions on the layout of the cybercafés – the height of cabins and the directions of the screens, etc, would, they felt, be intrusive and violate the privacy of internet users in cybercafes. Besides, vulnerable sections like sexual minorities or HIV positive patients may even be open to identity theft, they feared.

The discussion on the rules unfortunately did not come close to addressing these fears. While the lawmakers generally accepted the importance of regulation of the internet and electronic communication, there is still very little clarity on exactly how this must be done, the extent to which regulation must take place and the agency that will be entrusted with this task.

The IT Act, 2000 was first passed in an era when the country was transitioning to an electronic age. E-commerce was uppermost in the minds of policymakers, their eyes firmly fixed on the new economy. But soon enough, it was clear that technology was developing rapidly and an expert committee was constituted to revise the act and suggest amendments that would incorporate technological changes.

Lack of Accountability

In the wake of the 26 November 2008 attack in Mumbai, national security and intelligence were powerful emotional catchwords and few questioned some of the sweeping provisions laid down by the rules under the IT Act. While the annulment motion focuses on the pernicious nature of the guidelines for intermediaries, this is only one amongst a series of rules that seek to change the very manner in which Indians can access and use the internet. Other rules relate to decrypting, monitoring and blocking of communication, data security and privacy (Section 69: interception, monitoring and decryption of information, Section 69 A: blocking, Section 69 B: monitoring of traffic data or information) and of course, the complete absence of checks and balances for the powers given to authorities like Computer Emergency Response Team India (CERT-In).

In fact, there has been little or no review of the responsibility vested in an agency like CERT-In, which describes itself as the nodal agency to oversee the security of the nation. Conflating security concerns with content that may be objectionable to some is one thing but also providing this agency with the powers to block sites without even the creators of these sites getting to know about it is another.

Most of our attention today is on the censorship rampant on the internet in India. Most recently, there have been several instances of internet sites being blocked and takedown notices sent to bloggers. In the last few months, we have had the arbitrary blocking of the website cartoonsagainstcorruption.com which was run by Kanpur-based cartoonist Aseem Trivedi, the arrest of Jadavpur University professor Ambikesh Mohapatra and the controversial move last year by the Indian government to get internet service providers to remove so-called objectionable content on Facebook, Orkut and Youtube, apart from other sites. A complaint against these sites by journalist Vinay Rai followed soon after, though it strangely did not invoke provisions of the IT Act, preferring to cite alleged violations under the Indian Penal Code.

Trivedi did not even know that his site was blocked till some friends called him to tell him that they could not access his site. After an exchange of emails with his webhost, the portal “Big Rock”, he was informed that the site was suspended because it contained cartoons that showed disrespect to national emblems. A complaint had been received by Mumbai’s cybercrime cell by a Mumbai-based advocate, R P Pandey. The Kanpur resident also learnt later from newspaper reports that another case, this time under charges of sedition, were lodged against him in Beed district of Maharashtra.

While this method of embroiling someone in cases in far-flung geographical areas is not new (the complaint by the Indian Institute of Planning and Management against New Delhi-based Caravan magazine in Silchar, Assam is a good case in point), Trivedi quickly moved the content on his site onto another blogging platform, also got together friends and supporters to launch “Saveyourvoice”, an online and offline campaign, with a cheeky celebration of All Fool’s Day on 1 April 2012 with a greeting to the minister Kapil Sibal “for his foolish attempts to try censoring internet” and another campaign – “Freedom in a cage” – at Jantar Mantar, Delhi, in April 2012.

Other internet freedom activists have got together to secure information on censorship. Last year, a right-to-information (RTI) application by the CIS revealed that 11 websites were blocked on orders from the department of information technology. A writ petition against the IT Act has been filed in the Kerala High Court and the Software Freedom Law Centre, which was instrumental in campaigning for the annulment motion in the Rajya Sabha, has launched an online petition against the IT Act rules that refers to government authority to censor facebook posts, monitor emails and skype conversations, access private information and mine sensitive personal data.[2]

Governments the world over are exercised about the need to impose restrictions on online freedom and a good indication is the bi-annual Google Transparency Report that monitors the number and categories of requests sent by different governments to take down content. In the last report for the period January to June 2011, the report recorded requests to remove 358 items and 68 content removal requests, 58% of which were fully or partially complied with. In addition, there were government requests to remove Youtube videos that were protests against local leaders or used offensive language against religious leaders, besides 236 communities and profiles from Orkut which were critical of a local politician.

Interestingly, while content removal requests for the Orkut profiles remained as Google maintained it did not fit its own community standards or local law, Google chose to “locally” restrict the videos that may incite enmity between communities. With minor variations, this is a stance adopted by other online companies, like Facebook and Twitter, with the latter coming out with a policy earlier this year that it would remove content that appeared to violate local laws.

In the struggle to keep the internet free and protect communication from surveillance and blocking by governments, it would be naive to expect commercially-driven internet companies to put up much of a stand. Most of these stakeholders have agreed with lawmakers that the internet does need regulation. On their part, the Indian government, which has flexed its desire to regulate the internet, has also been sensitive to criticism of its role in censoring online freedom. Other stakeholders – the vast community of users of the internet, bloggers, website hosts, creators and producers of online videos, file-sharers, software developers, etc, are only engaged in a race to protect their content and shift it to more amenable sites every time they run into trouble.

Threats to Freedom of Expression

However, it must be noted that the censorship of online media is but a reflection of the curbs on freedom of expression in general. The attacks on freedom of expression in “offline” media, the attacks on journalists and the deaths of eight journalists since 2010,[3] the alarming regularity with which we are witnessing a ban on books and cinema, art or theatre, the increasing intolerance of dissenting or differing opinions in society, the abject fear of free and independent debate and discussion and the role of the government in actively furthering this intolerance are suggestive of a dangerous trend.

Almost all these instances are marked by the clear absence of any due procedure in addressing the content that becomes objectionable to someone or some sections of society, instead arbitrarily and speedily removing this content from the public domain. Whether it is the withdrawal of Rohinton Mistry’s book Such a Long Journey, a prescribed textbook by Bombay University, midway through the academic year, or that of recent issue of the National Council of Educational Research and Training (NCERT) textbook on the Constitution of India, institutional redressal mechanisms were simply not given a chance.

The woeful absence of similar redressal mechanisms for so-called objectionable content under the rules of the amended IT Act only exacerbates this situation further.

Notes

[1].http://privacyindia.org/2011/03/10/comments-on-the-information-technology-guidelines-for-cyber-cafe-rules-2011/
[2].www.softwarefreedom.org
[3].The Free Speech Hub, which has been tracking violations of freedom of expression as part of a project from the media-watch site, The Hoot (www.thehoot.org), has this list: Hemchandra Pandey (July 2010), Bimala Prasad Talukdar (September 2010), Sushil Pathak (December 2010), Umesh Rajput (January 2011), J Dey (June 2011), Ramesh Singhla (October 2011), Chandrioka (February 2012) and Rajesh Mishra (March 2012).

For more details visit https://cis-india.org/news/poor-guarantee-of-online-freedom-in-india

Medical Privacy

natasha — 2012-06-15T16:11:11Z

Privacy India in partnership with the Indian Network for People living with HIV/AIDS, Centre for Internet & Society, IDRC, Society in Action Group and Privacy International is organising an event on Medical Privacy at Yashwantrao Chavan Academy of Development Administration, Rajbhavan Complex, Baner Road, Pune on June 30, 2012, from 9 a.m to 5 p.m.

Confidentiality and privacy are essential to all trusting relationships, such as that between patients and doctors. Moreover, in a healthcare context, patient confidentiality and the protection of privacy is the foundation of the doctor-patient relationship. Medical confidentiality promotes the individual's medical autonomy, by sheltering those seeking morally controversial medical care from outside criticism and interference with decisions.[1]Patients must feel comfortable sharing private information about their bodily functions, physical and sexual activities, and medical history.[2] This will make them more willing to seek information and support to fully understand and evaluate their options so that they can make the most informed medical decisions.

The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory. Furthermore, various goods such as employment, life, and medical insurance, could be placed at risk if the flow of medical information were not restricted.[3]

This workshop will explore the various types of medical privacy including: informational privacy (e.g., confidentiality, anonymity, secrecy and data security); physical privacy (e.g., modesty and bodily integrity); associational privacy (e.g. intimate sharing of death, illness and recovery); proprietary privacy (e.g., selfownership and control over personal identifiers, genetic data, and body tissues); and decisional privacy (e.g., autonomy and choice in medical decision-making).[4]

The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. - people who most need to know that sensitive information is protected.

The discussions have ranged from topics of online privacy to minority rights and privacy, and consumer privacy. The workshops have been organized in different cities - Bangalore, Guwahati, Mumbai, Delhi, Kolkata, Chennai, Goa, etc.

Please confirm your participation through email to Natasha Vaz. We sincerely hope you will be able to attend and look forward to your participation.

Download the event Invite [PDF, 522 Kb]

[1]. Allen, A. (2011). Privacy and Medicine. in E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy (2011st ed.). Retrieved from http://plato.stanford.edu/archives/spr2011/entries/privacy‐medicine/
[2]. Mishra, N., Parker, L., Nimgaonkar, V., & Deshpande, S. (2008). Privacy and the Right to Information Act, 2005. Indian Journal of Medical Ethics, 5(4), 158‐161.
[3].Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79(1), 101‐139.
[4]. Allen, A. (2011). Privacy and Medicine. In E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy (2011st ed.). Retrieved from http://plato.stanford.edu/archives/spr2011/entries/privacy‐medicine/

The event is free and open to the public.

For more details visit https://cis-india.org/internet-governance/medical-privacy

Meeting of the two Sub-Groups on Privacy Issues under the Chairmanship of Justice AP Shah in Delhi

praskrishna — 2012-06-14T08:31:39Z

The next meeting of the two Sub-Groups on privacy issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on June 27, 2012 at 11.00 a.m. in the Committee Room No. 228, Yojana Bhawan, Planning Commission.

Members of both the Sub-Groups are requested to send their final write-ups as decided in the last meeting, by June 20, 2012 so that those could be circulated to all concerned for obtaining feedback and for discussions/ deliberations on June 27, 2012.

Shri S. Bose, Under Secretary (CIT & I) communicated this through notice No. M-13040/47/2011-CIT&I.

The notice was e-mailed to the following individuals:

Justice A.P.Shah, Chairman
Dr. Kamlesh Bajaj
Usha Ramanathan
Sunil Abraham
Prashant Reddy
Prof. Arghya Sengupta
Som Mittal
Shri Gulshan Rai
Mala Dutt

For more details visit https://cis-india.org/news/meeting-of-two-sub-groups-in-delhi

Watch out for cyber bullies

praskrishna — 2012-06-05T06:08:19Z

It's time to take a closer look at this form of cyber crime in India, writes KV Kurmanath in an article published in the Hindu Business Line on June 4, 2012.

The suicide of Tyler Clementi, the 18-year-old New Jersey student in 2010, had triggered a strong debate on invasion of privacy in the cyber age.

His roommate, an Indian student, captured the boy kissing another man in their hostel using his web camera.

The boy jumped into a river unable to take the humiliation, when the former tried to circulate the clip. Though the court refused to link the recording with the death, it sentenced the Indian youth to 30 days in prison last month.

What Clementi was subjected to is cyber bullying, argued those who campaigned for the Indian student's deportation.

Along with other cyber crimes, cyber bullying is on the rise in India too. The fledgling cyber police wings in different states are being flooded with complaints of invasion of privacy, blackmail and circulating electronic messages that cause annoyance.

Ms Aparna (name changed) was aghast when a close friend called her up about a nude picture of her being circulated on the web. A quick check pointed the needle of suspicion at a friend who she had just spurned. Angered by her rejection, the boy morphed her picture, checked into her email account and sent it to all the people in the contact list.

After finding Facebook not so amusing, Sujatha (name changed) decided to close her account and discussed this with a few friends too. A few days later, she found both her FB and gmail accounts compromised. She also found obscene pictures posted on the same.

Legal Issues

Incidents like these are growing sharply with poor knowledge among users abut how to protect accounts. Sharing one's passwords with others too is proving dangerous.

Prof. Madabhushi Sridhar, a cyber laws expert at NALSAR University, says the crimes cited above come under the bracket of invasion of privacy.

He says Section 66A in the amended IT Act deals with these crimes. Sending any message (through a computer or a communication device) that is grossly offensive or has menacing character; any communication which he knows to be false, but for the purpose of causing insult, annoyance, criminal intimidation comes under this section. This crime, he says, is punishable up to three years with a fine.

Prof. Sridhar, who has just completed a book on cyber laws, feels that punishments under the IT Act are insufficient. "They should be read with the Indian Penal Code. This will be an effective method to check cyber crimes," he says.

Prof. Sridhar also represents the Institute of Global Internet Governance and Advocacy (GIGA) at the Law University. GIGA conducts research on the Internet and takes up advocacy and training programmes on Internet Governance.

"We already have anti-voyeurism provisions in the IT Act under Sec. 66E," Mr Sunil Abraham, Executive Director of Centre for Internet and Security, says.

This offence is punishable with ‘imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.'

Repeated harassment aka cyber bullying can be addressed using the already over-broad provisions under Sec. 66A. Unfortunately this Section goes too far and can be used to censor legitimate speech.

"Security and privacy awareness in India is very poor. It would be very useful if both the government and civil society was more aggressive in awareness raising and triggering change in behaviour. Unfortunately this is a bit like smoking - even though people are aware of the issues - they engage in risky behaviour online," he says.

Lack of Data

Mr.Pavan Duggal, Chairman of Cyber Law Committee and Cyber laws expert, said there is no specific data on cyber crime in India and the data available with the NCRB (National Crimes Records Bureau) of around 900 cases for overall cybercrime is also doubtful.

"The solution is to make cyber laws more strict as current law under IT Act 2000 is a bailable offence with three years imprisonment and a fine," he points out.

"IT Act 2000 has to be re-amended to specific provisions pertaining to cyber bullying. Further, cyber bullying needs to be made a serious offence with minimum five years imprisonment and a fine of Rs 10 lakh. Unless you have deterrence in law it will be a continuing offence," he observes.

Fortunately, there are some safeguards which can help prevent such acts of cyber offences. In most cases, the acts of bullying or blackmailing are done by someone close to the victims. People should make it a point to keep their Internet identities very safe.

One should not disclose their identities such as passwords or hint questions to anyone – no matter how close they are. Parents should keep an eye on their children who are addicted to the Internet. They should inform and educate their children on the clear and present dangers that lurk on the Net.

They should also teach the importance of respecting others' privacy apart from taking precautions to keep their private space very safe.

(with inputs from Ronendra Singh)

Click to read the original published in the Hindu Business Line. Sunil Abraham is qouted in this article.

For more details visit https://cis-india.org/news/watch-out-for-cyber-bullies

Privacy International's Trip to Asia

praskrishna — 2012-04-25T09:58:12Z

In February 2012, the PI team travelled to India, Bangladesh and Hong Kong to meet with our local partners in the region and speak at four conferences they had organized. We also got the chance to interview our partners in India and Bangladesh on the privacy issues facing them at the moment - this video is the result of those conversations.

PI spent the first half of February in Asia, visiting our regional partners and speaking at events. Our trip began in Delhi, where the Centre for Internet and Society (in collaboration with the Society in Action Group) had organized two consecutive privacy conferences – an invite-only conclave on Friday 3rd February and a free symposium open to the public on Saturday 4th February. The conclave consisted of two panels, the first focusing on the relationship between national security and privacy, the second on privacy and the Internet. We were seriously impressed with the calibre of the speakers CIS and SAG had gathered – the panels included a Supreme Court Advocate, a Member of Parliament and the Former Chief of the Research and Analysis Wing (the Indian equivalent of MI-6 and the CIA) – but Gus and Eric held their own!

The All India Privacy Symposium the next day was partly intended as a public showcase of the amazing research Privacy India, CIS and SAG have conducted over the past two years, including consultations in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai and Mumbai. The event was organized into five panels: Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health. A few themes recurred throughout the day – perhaps the most prominent being the repeated allegation that the Indian government's technological illiteracy is putting its citizens at risk. One panellist described how an RTI (right to information) request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.

On Sunday, our IDRC funder in Delhi very kindly lent us his beautiful house for a PrivAsia strategy meeting. We chatted about how the Indian project had gone thus far, and the sort of activities our partners would like to undertake over the next couple of years. Their main priority at the moment is India's proposed UID (Unique Identification) project, which is riddled with flaws, inconsistencies and logical gaps. The project is also extremely expensive, with estimates ranging from just under $4 billion to $33 billion. Our partners strongly oppose the programme in its current form, and are exploring a number of strategies for fighting it - we'll keep you appraised of their progress...

PI then parted ways – Gus headed to Hong Kong and Eric and I flew to Dhaka to meet up with Simon and Ahmed Swapan of Voices for Interactive Choice and Empowerment (VOICE), our partner in Bangladesh. We spent a day at the VOICE offices, getting extremely jealous of their huge kitchen and the fact that they all sit down to a freshly cooked lunch every day. That evening, Ahmed took us to a book fair, which was much livelier than we were expecting! It was held outside and was packed with people socialising, eating deep-fried crayfish and (occasionally) perusing the books and pamphlets on display. The fair is apparently an annual event and VOICE have had their own stand there for the past few years.

The following day was the National Convention on the Right to Privacy and Data Protection, organized by VOICE and a group of other Bangladeshi NGOs. We were delighted by the turnout - over 80 people showed up to listen and to voice their own opinions - but Ahmed was unsurprised, explaining that privacy was a hot topic in Bangladesh at the moment. Several issues were clearly extremely controversial, and the debate became very heated when it turned to the relationship between privacy and the right to information (recently enshrined in law in the RTI Act 2009). It was amazing to see how passionate people were, and how eager to improve things. The debate was presided over by retired Justice Golam Rabbani, who urged the government to create a national tribunal for the protection of the citizen's right to privacy.

Gus spent a brief 36 hours in Hong Kong but was able to participate in a symposium run by our partners at Hong Kong University's Faculty of Law. The participants at the symposium included the Privacy Commissioner of Hong Kong, academics and industry experts from China, Macau and Taiwan, and guest speakers from Switzerland and Canada. The slides of many of the presentations are available online. Apparently the level of sophistication in the academic research that is now starting to influence the legislative environment in Hong Kong and China is astonishing.

Trips like these are exhausting but invaluable - they allow us to see the PrivAsia work in action rather than hearing about it in emails and phone calls, and to discuss progress and problems face-to-face. Eric and Gus are already looking forward to Pakistan in April...

This blog post by Emma Draper was published on the Privacy International blog

Watch the video about contemporary privacy issues in India and Bangladesh below

For more details visit https://cis-india.org/news/privacy-internationals-trip-to-asia

The Centre for Internet & Society Joins the Global Network Initiative

praskrishna — 2012-04-25T09:13:50Z

The Global Network Initiative (GNI) is pleased to announce its newest member, the Centre for Internet & Society based in Bangalore, India. A technology policy research institute, CIS brings to GNI in-depth expertise on global Internet governance as well as online freedom of expression and privacy in India.

"We are delighted to add our first member based in India and welcome CIS’s engagement in support of transparency and accountability in technology," says GNI Executive Director Susan Morgan. "GNI's Principles for responsible company behavior apply globally, but require an appreciation of unique local contexts if they are to take hold. CIS will provide invaluable insight as we consider opportunities to work with India's burgeoning ICT industry."

"India’s ICT sector is one of the most dynamic worldwide, " says CIS Executive Director Sunil Abraham, "but rapid technological advances have raised anxieties around issues including hate speech, political criticism, and obscene content at a time when Indian institutions for the protection of free expression are under strain. We look forward to working with GNI's member organizations on these challenging issues."

CIS an independent, non-profit, research organization which is involved in research on the emerging field of the Internet and its relationship to the society, CIS brings together scholars, academics, students, programmers and scientists to engage in a large variety of Internet issues. CIS also runs different academic and research programs and is receptive to new ideas and collaborations, projects and campaigns for the public.

Leslie Harris, GNI Board Member and President and CEO of the Center for Democracy and Technology says: "The addition of CIS not only increases GNI’s global reach, it significantly enhances the initiative’s capacity around shared learning and policy engagement, not just in India, but on internet policy around the world."

Click to read the original published on the Global Network Initiative website.

For more details visit https://cis-india.org/internet-governance/cis-joins-gni

The All India Privacy Symposium: Conference Report

natasha — 2012-04-30T05:16:41Z

Privacy India, the Centre for Internet and Society and Society in Action Group, with support from the International Development Research Centre, Privacy International and Commonwealth Human Rights Initiative had organised the All India Privacy Symposium at the India International Centre in New Delhi, on February 4, 2012. Natasha Vaz reports about the event.

The symposium was organized around five thematic panel discussions:
Panel 1: Privacy and Transparency
Panel 2: Privacy and E-Governance Initiatives
Panel 3: Privacy and National Security
Panel 4: Privacy and Banking
Panel 5: Privacy and Health

Introduction

Elonnai Hickok (Policy Advocate, Privacy India) introduced the objectives of Privacy India. The primary objectives were to raise national awareness about privacy, do an in-depth study of privacy in India and provide feedback on the proposed ‘Right to Privacy’ Bill. Privacy India has reviewed case laws, legislations, including the upcoming policy and conducted state-level privacy workshops and consultations across India in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai, and Mumbai. India like the rest of the world is answering some fundamental questions about the powers of the government and citizen’s rights and complications that arise from emerging technologies. Through our research we have come to understand that privacy varies across cultures and contexts, and there is no one concept of privacy but instead several distinct core notions that serve as complex duties, claims and obligations.

Privacy and Transparency

Panelists: Ponnurangam K, (Assistant Professor, IIIT New Delhi), ), Chitra Ahanthem (Journalist, Imphal), Nikhil Dey (Social & Political Activist), Deepak Maheshwari (Director, Corporate Affairs, Microsoft), Gus Hosein (Executive Director, Privacy International, UK), and Prashant Bhushan, (Senior Advocate, Supreme Court of India).
Moderator: Sunil Abraham (Executive Director, Centre for Internet and Society, Bangalore)
Poster: Srishti Goyal (Law Student, NUJS)

Srishti Goyal provided the general contours, privacy protections, limits to privacy and loopholes of policy relating to transparency and privacy, specifically analyzing the Right to Information Act, Public Interest Disclosures Act, and the Official Secrets Act.

Nikhil Dey commented on the interaction between the right to privacy and the right to information (RTI). He referred to Gopal Gandhi, the former Governor of West Bengal, “we must ensure that tools like the UID must help the citizen watch every move of government; not allow the government watch every move of the citizen.” Currently, the RTI and the UID stand on contrary sides of the information debate. A privacy law could allow for a backdoor to curb RTI. So, utmost care has to be taken while drafting legislation with respect to right to privacy.

Data and information has leaked furiously in India and it has leaked to the powerful. A person who is in a position of power can access private information irrespective of any laws in place to safeguard privacy. It is necessary to look at the power dynamics, which exists in the society before formulating legislation on right to privacy. According to Nikhil Dey, there should be different standards of privacy with respect to public servants. A citizen should be entitled to information related to funds, functions and functionaries. The main problem arises while defining the private space of a public servant or functionaries.

The RTI Act has failed to address the legal protection for the right to privacy. Perhaps, rules regarding privacy can be added to the Act. It can be defined by answering the questions: (i) what is ‘personal information’? (ii) what is it’s relation to public activity or public interest? (iii) what is the unwarranted invasion of the privacy of an individual? and (iv) what is the larger public good? Expanding on these four points can provide greater legal protection for the right to privacy.

Gus Hosein described the intersection and interaction of the right to information and the right to privacy. He referred to a petition filed by Privacy International requesting information on the expenses of members of parliament. Privacy and transparency of the government are compatible in the public interest. Gross abuse of the public funds by MPs was revealed by this particular petition such as pornography or cleaning of moats of MPs homes. Privacy advocates are supporters of RTI, however, it cannot be denied that there is no tension between transparency and privacy. In order chalk out the differences, there is a need of a legal framework. According to Gus Hosein, in many countries the government office that deals with right to information also deals with cases related to right to privacy.

Mumbai and New Delhi police have started using social media very aggressively, encouraging citizens to take photographs of traffic violations and upload them to Facebook or Twitter. In reference to this, Ponnurangam described the perceptions of privacy and if it agreed or conflicted with his research findings. Ponnurangam has empirically explored the awareness and perspective of privacy in India with respect to other countries. He conducted a privacy survey in Hyderabad, Chennai and Mumbai. People are very comfortable in posting pictures of others committing a traffic violation or running a red light. Ironically, many people have posted pictures of police officers committing a traffic violation such as not wearing a helmet or running a red light.

Chitra Ahanthem described the barriers and challenges of using RTI in Manipur. There are more than 40 armed militia groups, which are banned by the central and state government. The central government provides economic packages for the development of the north-east region. However, the state government officials and armed groups pocket the economic packages. These armed groups have imposed a ban on RTI. Furthermore, Manipur is a very small community. If people try and access information through RTI they risk getting threatened by the Panchayat members and being ostracized from the community or their clan.

People are apprehensive about filing RTI because they believe that these procedures are costly and the police and government may also get involved. Officials use the privacy plea to avoid giving out information. Since certain information are private and not in the public domain, government officials, use the defense of privacy to hide information. In addition, the police brutality prevalent in the area deters people to even have interactions with government officials.

According to Deepak Maheshwari, the open data initiative is a subset within the larger context of open information. There is an onus on the government to publish information, which is in the public domain. As a result, one does not necessarily have to go through the entire process of filing an RTI to get information, which is already there in the public domain. Moreover, if it is freely available in public domain, then one can anonymously access such information; this further strengthens the privacy aspects of requesting information and facilitating anonymity with respect to access to such information in the public domain. It has also to be noted that it is not sufficient to put data out in the public domain but it should also disclose the basis of the data for example, if there is representation of a data on a pie chart, the data which was used to arrive at the pie chart should also be available in the public domain. The main intention of releasing data to the public domain or having open data standards should not only be to provide access to such data but also should be in such a fashion so as to enable people to use the data for multiple purposes.

Prashant Bhushan noted that one of the grounds for withholding information in the RTI Act is privacy. An RTI officer can disclose personal information if he feels that larger public interest warrants the disclosure, even if it is personal information, which has no relationship to public activity or interest. This raises the important question, “what constitutes personal information?” He referred to the Radia Tapes controversy. Ratan Tata has filed a petition in the Supreme Court on the grounds that the Nira Radia tapes contained personal information and that the release of these tapes into the public domain violated his privacy. The Centre for Public Interest Litigation has filed a counter petition on the grounds that the nature of the conversations was not personal but in relation to public activity. They were between a lobbyist and bureaucrats, journalists and ministers. Prashant Bhushan stressed the importance of releasing these tapes into the public domain to show glimpses of all kinds of fixing, deal-making and show how the whole ruling establishment functions. It is absurd for Ratan Tata to claim that this is an invasion of privacy. Lastly, he felt when drafting a privacy law, clearly defining and distinguishing personal information and public is extremely important.

One of the interesting comments made during the panel was on the assumption that data is transparent. Transparency can be staged; questions have to be asked around whether the word is itself transparent.

Privacy and E-Governance Initiatives

Panelists: Anant Maringanti, (Independent Social Researcher), Usha Ramanathan, (Advocate & Social Activist), Gus Hosein, (Executive Director, Privacy International, UK), Apar Gupta, (Advocate, Supreme Court of India), and Elida Kristine Undrum Jacobsen (Doctoral Researcher, The Peace Research Institute Oslo).
Moderator: Sudhir Krishnaswamy (Centre for Law and Policy Research)
Poster: Adrija Das (Law Student, NUJS)

Adrija Das discussed the legal provision relating to identity projects and e-governance initiatives in India. The objective of any e-governance project is to increase efficiency and accessibility of public services. However, a major problem that arises is the linkage of the data results in the creation of a central database, accessible by every department of the government. Furthermore, implementing data protection and security standards are very expensive.

Sudhir Krishnaswamy highlighted the default assumptions surrounding e-governance initiatives: e-governance initiatives solve governance problems, increase efficiency, increase transparency and increase accountability. It is important to analyze the problems that arise from e-governance initiatives, such as privacy.

Usha Ramanathan described the increased number and vastness of e-governance initiatives such as UID, NPR, IT Rules and NATGRID. There are also many burdens on privacy that emanate from the introduction and existence of electronic data management systems. Electronic data management systems have allowed state to collect, store and use personal information of individual. Currently, the DNA Profiling Bill is pending before the Parliament. It is important to question the purpose and need for the government to collect such personal information. It is also to be noted that, there are certain laws such as Collection of Statistics Act, 2008 that penalize individuals if they do not comply with the information requests of the government.

Anant Maringanti discussed the limitations of data sharing that once existed. Currently, data can move across space in a very short time. He analyzed the state and market rationalities involved in e-governance initiatives, which raise the question “who can access data and at what price?”. Data may seem to be innocent or neutral, but data in the hands of wrong people becomes very crucial due to abuse and misuse. For example, Andhra Pradesh was praised as the model state for UID implementation. However, during the process of collecting data for UID a company bought personal information and sold the data to third parties.

Apar Gupta discussed the dilemmas of e-governance. Generally information in the form of an electronic record is presumed to be authentic. The data which government collects is most often inaccurate and wrong. So the digital identity of a person can be totally different from the real identity of that particular person. The process for correcting such information is also very inconvenient and sometimes impossible.
Under the evidence law any electronic evidence is presumed to be authentic and admissible as evidence. The Bombay High Court decided a case involving the authenticity of a telephone bill generated by a machine. The judgment said that since it is being generated by a machine, through and automated process, there is no need to challenge the authenticity of the document, it is presumed to true and authentic. The main danger in such case is that one does away with the process of law and attaches certain sanctity to the electronic record and evidence.

It should be also observed that how government maintains secrecy as to the ways in which it collects data. For example, the Election Commission has refused to disclose the functioning and design of electronic voting machines. The reason given for such secrecy is that if such information is put in the public domain then the electronic voting machines will be vulnerable and can be tampered with. But we, who use the voting machines, will never find out its vulnerabilities.

According to Gus Hosein, politicians generally have this wrong notion that technology can solve complex administrative problems. Furthermore, the industry is complicit; they indulge in anti-competitive market practice to sell these technologies as a solution to problems. However, such technology does not solve any problems rather it gives rise to problems.

Huge amount of government funds is associated with collection of personal data but such data is rendered useless or rather misused, because the government does not have clue as to how to use the data for development and security purposes. The UK National Health Records project estimated to cost around twelve to twenty billion pounds. However, a survey carried out by a professor in University College London showed that the hospital and other health institutions do not use the information collected by the National Health Records. Similarly, the UK Identity Card scheme was estimated to cost 1.3 billion pounds and finally it was estimated to cost five billion pounds. The identity cards are rendered obsolete, the sole department interested in the identity card was the Home Office Department, no other department intended on using it.

Technology should be built in such a manner that it empowers the individual. Technology should allow the individual to control his identity and as well as access all kinds of information available to the government and private bodies on that individual.

According to Elida Kristine Undrum Jacobsen, technology is regarded in this linear manner. It is increasingly being naturalized and as an all-encompassing solution. The use of biometric systems in the UID raises three areas of concern: power, value and social relationships.

With regards to power, there is a difference between providing documentation and information for identification. However, problems arise when the mode of identification becomes one’s body. It also leads to absolute reliance on technology, if the machine says that this is an individual’s identity then it is considered to be the absolute truth and it does not matter even if the individual is someone else. It becomes furthermore problematic with biometric system because it is generally used for forensic purposes.

The other component of UID or any national identification scheme is the question of consent and its relationship to privacy. In the case of UID project, people are totally unaware about how their information will be used and what purposes can it be used or misused for. Therefore, there is no informed consent when it comes to collection of biometric data under the UID project.

On the issue of social value it is to be noted that the value of efficiency becomes the most important value, which is valued. Many of the UIDAI documents state that the UID will provide a transactional identity. However, at the same time it takes away societal layers, which is inherently part of one’s identity. In addition, it makes it possible for the identity of a person to become a commodity to be sold. This also means that the personal information has economic value and players in the market such as insurance companies, banks can buy and sell the information.

When there is identification projects using biometrics it gives the State a lot of power; the power to determine and dictate one’s identity irrespective of the difference in real identity. Moreover, when such identifications projects are carried out at a national level it also gives rise to problem related to exclusion and inclusion of people or various purposes. The classification of the society based on various factors becomes easy and there is a huge risk involved with such classification.

The issues, which came out from the Q&A session, were:

The interplay between fairness and lawfulness in the context of privacy and data collection. There has to be a question asked as to why certain information is required by the State and how is it lawful.
In the neo-liberal era corporations are generally considered to be private. This has to be questioned and furthermore the difference between what is private and what is public. There are also concerns about corporations increasingly collaborating with the State. Can it be still considered as private?

Privacy and National Security

Panelists: PK Hormis Tharakan (Former Chief of Research and Analysis Wing, Government of India), Saikat Datta (Journalist), Menaka Guruswamy, (Advocate, Supreme Court, New Delhi), Prasanth Sugathan, (Legal Counsel, Software Freedom Law Center), and Oxblood Ruffin, (Cult of the Dead Cow Security and Publishing Collective).
Moderator: Danish Sheikh (Alternative Law Forum)
Poster: Suchitra Menon (Law Student, NUJS)

Suchitra Menon discussed the legal provisions for national security in relation to privacy. Specifically, she described the guidelines and procedural safeguards with respect to phone tapping and interception of communication decisional jurisprudence.

In the year 2000, the Information Technology Act (IT Act), 2000 was enacted, this Act had under section 69 allowed the State to monitor and intercept information through intermediaries. Prasanth Sugathan described how the government has been trying to bypass the procedural safeguard laid down by the Supreme Court in the PUCL case by using Section 28 of the IT Act, 2000. The provision deals with certifying authority for digital signatures. The certifying authority under the Act also has the authority to investigate offences under the Act. The provision mainly deals with digital signature but it is used by the government to intercept communication without implementing the procedural safeguards laid down for such interception. Furthermore, the IT Rules which was notified by the government in April, 2007 allows the government to intercept any communication with the help of the intermediaries. The 2008 amendment to the IT Act was an after effect of the 26/11 attacks in Mumbai. The legislation has become draconian since then and privacy has been sacrificed to meet the ends of national security.

Oxblood Ruffin read out his speech and the same is reproduced below.

“The online citizenry of any country is part of its national security infrastructure. And the extent to which individual privacy rights are protected will determine whether democracy continues to succeed, or inches towards tyranny. The challenge then is to balance the legitimate needs of the state to secure its sovereignty with protecting its most valuable asset: The citizen.

It has become trite to say that 9/11 changed everything. Yet it is as true for the West as it is for the global South. 9/11 kick started the downward spiral of individual privacy rights across the entire internet. It also ushered in a false dichotomy of choice, that in choosing between security and privacy, it was privacy that had adapted to the new realities, or so we’ve been told.

Let’s examine some of the fallacies of this argument.

The false equation which many argue is that we must give up privacy to ensure security. But no one argues the opposite. We needn’t balance the costs of surveillance over privacy, because rarely banning a security measure protects privacy. Rather, protecting privacy typically means that government surveillance must be subjected to judicial oversight and justification of the need to surveillance. In most cases privacy protection will not diminish the state’s effectiveness to secure itself.

The deference argument is that security advocates insist that the courts should defer to elected officials when evaluating security measures. But when the judiciary weighs privacy against surveillance, privacy almost always loses. Unless the security measures are explored for efficacy they will win every time, especially when the word terrorism is invoked. The courts must take on a more active role to balance the interests of the state and its citizens.

For the war time argument security proponents argue that the war on terror requires greater security and less privacy. But this argument is backwards. During times of crisis the temptation is to make unnecessary sacrifices in the name of security. In the United States, for example, we saw that Japanese-American internment and the McCarthy-era witch-hunt for communists was in vain. The greatest challenge for safeguarding privacy comes during times when we are least inclined to protect it. We must be willing to be coldly rational and not emotional during such times.

We are often told that if you have nothing to hide, you have nothing to fear. This is the most pervasive argument the average person hears. But isn’t privacy a little like being naked? We might not be ashamed of our bodies but we don’t walk around naked. Being online isn’t so different. Our virtual selves should be as covered as our real selves. It’s a form of personal sovereignty. Being seen should require our consent, just as in the real world. The state has no business taking up the role of Peeping Tom.

I firmly believe that the state has a right and a duty to secure itself. And I equally believe that its citizens are entitled to those same rights. Citizens are part of the national security infrastructure. They conduct business; they share information; they are the benefactors of democratic values. Privacy rights are what, amongst others, separate us from the rule of tyrants. To protect them is to protect and preserve democracy. It is a fight worth dying for, as so many have done before us.

PK Hormis Tharakan discussed the importance of interception communication in intelligence gathering. In the western liberal democracies, restrictions of privacy were introduced for the anti-terrorism campaigns and these measures are far restrictive than what the Indian legislations contemplate. Preventive intelligence is a major component in maintenance of national security and this intelligence is generated and can be procured through interception.

We do need laws to make sure that the power of interception is not excessive or out of proportion. But the graver issue is that the equipment used for interception of communication is freely available in the market at a cheap price. This allows private citizens also to snoop into others conversation. So, interception by civilians should be the main concern.

Menaka Guruswamy discussed the lack of regulation of Indian intelligence agencies that creates burdens on privacy. When there is a conflict between individual privacy and national security, the court will always rule in favour of the national security. Public interest always takes precedence over individual interest.

When there is a claim right to privacy vis-à-vis national security, generally these claims are characterized by dissent, chilling effects on freedom of expression and government accountability. In India, privacy is fragile and relatively a less justifiable right. Another challenge to privacy is that, when communication is intercepted, which part of the conversation can be considered to be private and which part cannot be considered so.

Saikat Datta described his experience of being under illegal surveillance by an unauthorized intelligence agency. When a person is under surveillance, he or she is already considered to be suspect. If the State commits any mistake as to surveillance, carrying surveillance, who is not at all a person of interest in such case upon discovery, there is no penalty for such discrepancy.
He warned of the dangers of excessive wiretapping, a practice that currently generates such a “mountain” of information that anything with real intelligence value tends to be ignored until it is too late, as happened with the Mumbai bombings in 2008. It is clear that the Indian government’s surveillance and interception programmes far exceed what is necessary for legitimate law enforcement.

The issues, which came during the Q&A session was:

In case of national security vis-à-vis privacy in heavily militarized zone, legislations such as Armed Forces Special Powers Act actually give authority to the army to search and seizure on mere suspicion? This amounts gross violation of privacy.

Privacy and Banking

Panelists: M R Umarji, (Chief Legal Advisor, Indian Banks Associations), N A Vijayashankar, (Cyber Law Expert), Malavika Jayaram, (Advocate, Bangalore)
Moderator: Prashant Iyengar (Associate Professor, Jindal Law University)
Poster: Malavika Chandu (Law Student, NUJS)

Prashant Iyengar highlighted how privacy has been a central feature in banking and finance. Even before the notion of privacy came into existence, banks had developed an evolved notion of secrecy and confidentiality, which was fairly robust. Every legislation dealing with banking and finance generally have a clause related to privacy and confidentiality. It might seem that it would be easy to implement privacy in banking and finance given the long relationship between banking and secrecy and confidentiality. However, this is not the case in the contemporary times. Specifically, with the growth in issues related to national security, transparency and technology, the highly regarded notion of privacy seems to be slowly depleting.

Malavika Chandu described the data protection standards that govern the banking industry. As part of the know-you-customer guidelines, banks are required to provide the Reserve Bank with customer profiles and other identification information. Lastly, she described case laws in relation to privacy with respect to financial records.

N A Vijayashankar noted that the confidentiality and secrecy practices in the banking sector emanate from the banker-customer relationship. In the present context, secrecy and privacy maintained by the banks should be analyzed from the perspective of the right of the customer to safeguard his or her information from any third party. Generally, banks and other financial institutions protect personal information as a fraud control measure and not as duty to protect the privacy of a customer.

There has been a paradigm shift in banking practices from traditional banking practices to more efficient but less secure banking practice. Some of the terms and conditions of internet banking are illegal and do not stand the test of law. In contemporary times, banking institutions use confidentiality to cover up problems and data breach rather than protecting the customer. But the banks are not ready to disclose data breach as it apprehends that it will result in public losing faith in the system. The Reserve Bank of India, has recently notified that protection which is provided to the customers in banking services should also be extended to e-banking services. However, the banks have not properly implemented this.

M R Umarji highlighted fourteen laws related to banking which carries confidentiality clauses. In India, public sector banks dominate the market. These banks are created under a statute and such statute governs them. Therefore, they are duty bound to maintain secrecy and confidentiality. Private banks and cooperative banks are not bound by any statute. They do not have any obligations to maintain secrecy, but they do strictly observe confidentiality as a form of banking practice.

Banks are not allowed to reveal any personal information of an individual unless it is sought by some authority that has a legitimate right to claim such information. There has been a constant erosion of confidentiality due to various laws which empowers authorities to seek confidential information from the banks. Recently, in the light of the growing national security concerns, banks also have an obligation to report suspicious transactions. These have caused heavy burdens on right to privacy of an individual.

Under the Right to Information Act, 2005 public sector banks are considered to be public authorities. By the virtue of the Statute, any person can access information from banks. For example, in a recent case an information officer directed Reserve Bank of India, to disclose Inspection Reports. These reports generally contain information regarding doubtful accounts, non-performing account, etc. There is a need that banks should be exempted from the Right to Information Act, 2005. Since they are not dealing with public funds there is no need to apply transparency law to the banks.

Malavika Jayaram described the major conflicts and tensions with respect to privacy vis-à-vis banking and financial systems and financial data. Other privacy and transparency issues include: the publication of online tax information and income data.

Surveillance is built in the design of banking system, so it is capable of tracking personal information and activity. There is a need to implement more privacy friendly and privacy by design systems in the banking sector. Customers are generally ignorant about privacy policies and this influences informed consent and furthermore marketing institution may influence customers to behave in a particular manner. In this context privacy by design becomes very important.

Data minimization principles should be applied; since the more data collected the more there is a risk of data breach and misuse. In case of data retention it is necessary that person giving such data should know how much proportion of the data is being retained and for how long it is stored and also what is the scope of the data and for what purpose will it be used.

Personal information and data, which was previously collected by the government, are gradually being outsourced to private bodies. On one hand it is a good thing that private sector get their technology and security measures right as compared to the government agencies but it comes with the risk that it can be sold out by private bodies as commodities in the market. Private bodies that are harvesting the data can also be forced by the government to disclose it under a particular law or statute without taking into consideration the consent of the individual whose personal information is sought for.

There is multiplicity of documentation for identification, which makes transactions less efficient. This has attracted customers to more convenient systems such as one-access point systems, but people tend to forget the issues related to privacy, in using such a system. What is portrayed as efficient for the consumer is a tool for social control and who has access and authority to use such information.

Often the reason given for collecting information is that it will help the service provider to combat fraud. However, studies have shown people more often fake situation rather than identity. The other concerns are that of sharing of information and lack of choice with respect to such sharing. There should be check as to sharing of personal information as the data belongs to the individual and not the bank or any other institution which requires furnishing personal information in lieu of services. This gives rise to a binary choice to the user; either the individual has to provide information to avail the service or else one cannot avail the services.

There is supposed to be market for privacy. The notion of personal information is subjective and varies from person to person. For example, one might be comfortable to share certain information. However, others might not be.

The issues that came out of the Q&A sessions are:

The default settings are generally put at the low protection settings. Unless the user is aware of the privacy protection setting, he or she is prone to breach of privacy. Should the default privacy setting be set to maximum security and option can be given to the user to change it according to his or her preference?
Is there any system in the banks, which allows the customers of bank to know about which all third parties the bank has shared his or her personal information with?

Health Privacy

Panelists: K. K. Abraham, (President, Indian Network for People with HIV), Dr. B. S. Bedi, (Advisor, CDAC & Media Lab Asia), and Raman Chawla, (Senior Advocacy Officer, Lawyers Collective).
Moderator: Ashok Row Kavi (Journalist and LGBT Activist)
Poster: Danish Sheikh (Researcher, Alternative Law Forum)

Danish Sheikh outlined the possible health privacy violations. These included the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, the purpose of collecting data is not specified and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory.

Subsequently, Danish Sheikh examined the status of sexual minorities’ vis-à-vis the privacy framework. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he also described privacy violations committed by both individuals as well as state authorities.

Ashok Row Kavi recounted how privacy was very contextual when debating section 377 in the LGBT community. The paradigm upon which they were going to fight the anti-sodomy law was that it was consenting sex between two adults in private space. However, this paradigm was not well received by women, as women did not see private space as safe space, due to domestic violence. Perceptions of privacy are very subjective and it differs from person to person.

Raman Chawla recounted the history of the Draft HIV/AIDS Bill. In 2002, the need for law related to HIV/AIDS was realized in order to protect right to consent, right against discrimination and right to confidentiality of HIV patients. The bill was finalized in the year 2006. Alarmingly, it is yet to be tabled before the Parliament.

The privacy provisions in the HIV bill clearly state that no person can be tested, treated or researched for HIV without the consent of the patient. It also casts that in a fiduciary relationship the health care provider must maintain confidentiality, however if the patient provides written consent then their status may be disclosed. The HIV condition of the patient can also revealed by the doctor if there is a court order demanding such disclosure. The doctor may disclose the status of the patient to his or her partner but he has to follow a particular protocol. The doctor should have sufficient belief that his or her partner is at risk of contracting HIV. The person who is infected will be asked for his/her views and counseled before his/her partner is informed. However, there are doubts as to the implementation and enforcement of this protocol.

Conclusion

Natasha Vaz (Policy Advocate, Privacy India) brought the symposium to a close by thanking the partners, the panelists, the moderators and the participants for their sincere efforts in making the All India Privacy Symposium a grand success. In India, a public discussion regarding privacy has been long over due. The symposium provided a platform for dialogue and building greater awareness around privacy issues in health, banking, national security, transparency and e-governance. Using our research, expert opinions, personal experiences, questions and comments various facets of privacy were explored.

Press Coverage

The event was featured in the media as well:

India needs an independent privacy law, says NGO Privacy India, Economic Times, February 2, 2012
New Bill to decide on individual’s right to privacy, Tehelka, February 6, 2012
Lack of strong privacy law in healthcare a big worry, Daily News & Analysis, February 13, 2012
Privacy concerns grow in India, Washington Post, February 3, 2012

Click to download the Agenda and Profile of Speakers (PDF, 1642 Kb)

Download the PDF (555 Kb)
Follow the webcast of the event

For more details visit https://cis-india.org/internet-governance/all-india-privacy-delhi-report