Centre for Internet and Society

Do we need the Aadhar scheme?

sunil — 2012-02-03T10:11:24Z

"Decentralisation and privacy are preconditions for security. Digital signatures don’t require centralised storage and are much more resilient in terms of security", Sunil Abraham in the Business Standard on 1 February 2012.

We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.

Biometrics are poor identification factors in a country where the registrars have commercial motivation to create ghost identities. For example, bank managers trying to achieve targets for deposits by opening benami accounts. Biometrics for these ghost identities can be imported from other countries or generated endlessly using image processing software. The de-duplication engine at the Unique Identification Authority of India (UIDAI) will be fooled into thinking that these are unique residents.

An authentication system does not require a centralised database of authentication factors and transaction details. This is like arguing that the global system of e-commerce needs a centralised database of passwords and logs or, to use an example from the real world, to secure New Delhi, all citizens must deposit duplicate keys to their private property with the police.

Decentralisation and privacy are preconditions for security. The “end-to-end principle” used to design internet security is also in compliance with Gandhian principles of Panchayat Raj. Digital signatures don’t require centralised storage of private keys and are, therefore, much more resilient in terms of security.

Biometrics as authentication factors require the government to store biometrics of all citizens but citizens are not allowed to store biometrics of politicians and bureaucrats. The state authenticates the citizen but the citizen cannot conversely authenticate the state. Digital signatures as an authentication factor, on the other hand, does not require this asymmetry since citizens can store public keys of state actors and authenticate them. The equitable power relationship thus established allows both parties to store a legally non-repudiable audit trail for critical transactions like delivery of welfare services. Biometrics exacerbates the exiting power asymmetry between citizens and state unlike digital signatures, which is peer authentication technology.

Privacy protections should be inversely proportional to power. The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa.

UIDAI’s latest 23-page biometrics report is supposed to dispel the home ministry’s security anxieties. It says “biometric data is collected by software provided by the UIDAI, which immediately encrypts and applies a digital signature.” Surely, what works for UIDAI, that is digital signatures, should work for citizens too. The report does not cover even the most basic attack — for example, the registrar could pretend that UIDAI software is faulty and harvest biometrics again using a parallel set-up. If biometrics are infallible, as the report proclaims, then sections in the draft UID Bill that criminalise attempts to defraud the system should be deleted.

The compromise between UIDAI and the home ministry appears to be a turf battle for states where security concerns trump developmental aspirations. This compromise does nothing to address the issues raised by the Parliamentary Standing Committee on Finance, headed by the Bharatiya Janata Party’s Yashwant Sinha.

Read the original published in the Business Standard on 1 February 2012

For more details visit https://cis-india.org/internet-governance/do-we-need-the-aadhar-scheme

Google move is not good for netizens, say experts

praskrishna — 2012-02-03T10:03:17Z

Google's plan to merge data across 60 of its properties, which was announced last week, has drawn criticism from experts on the Internet, who are saying that this is detrimental to privacy. Balaji Narasimhan wrote this in the Hindu Business Line. The article was published on 31 January 2012.

"Google is doing what is good for shareholders. This is not positive for netizens,” said Mr Sunil Abraham, Executive Director, Centre for Internet and Society. “People like you and me have to either accept it or leave."

But what are the alternatives? Mr Somick Goswami, Director Consulting, PwC India, didn't want to comment directly on Google, but in the larger context of data privacy, he asked, "Do users want a free Internet or control over content? There is a lot of advocacy going around it. End of the day, when using the Internet, there has to be trust."

One way that Google could build trust could be by using something pertaining to loyalty, which retailers use in the real world in order to woo customers.

Mr Ram Menon, Executive Vice-President and Chief Technology Officer of Tibco, said that many of his clients make offers that are in context with what users want.

"For example, if you like cappuccino and this knowledge is known to a vendor, he can offer you a cappuccino when you walk past the store." He said that in such cases, there was no affront to privacy because the offer is relevant and in context. "You are a member and have opted in," he said.

Perhaps, the fact that all of Google's services are free has something to do with the privacy issue, pointed out the Australian Privacy Foundation. As its site privacy.org.au noted, "The company's business model is based on advertising revenue. Users pay no fees for their use of the services."

And the merger of its 60 policies apart, there is another issue worrying users — new acquisitions. As Mr Abraham pointed out, “When I was browsing Silk Smitha before YouTube was acquired by Google, I had no idea that one day this information would be known to Google."

And the issue becomes more serious in the context of a growing mobile workforce. As the Australian Privacy Foundation said, "Android mobile phones effectively trap users into having a Google user account."

Using Google services on a mobile – especially Google Latitude, a service that allows you to enable your friends to view your current location – allows Google to track your movements.

And since Google is predominantly an advertising-driven company, it could be argued that one day they might share information about you with a third party, enabling them to market to you more effectively, though this may not necessarily be done with your explicit permission – and this means that you may get an offer for products even if you have not opted in for such a service.

What can be done? Mr Abraham rued the fact that there are no specific laws to safeguard users.

"India needs privacy laws. In the US, law makers will create a fuss. In India, we are at the mercy of companies."

The original was published in the Hindu Business Line. Sunil Abraham is quoted in this article.

For more details visit https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts

Google’s privacy policy raises hackles

praskrishna — 2012-01-30T03:58:57Z

Have you ever used Google to search for a restaurant while you were logged in its network using your Google id? Or shared information about your trip to Goa with your friends on Google +? Or watched belly dance on YouTube? Or looked for Sunny Leone pictures on Google images? If yes, Google knows about it. Javed Anwer wrote on article on this. It is published in the Times of India on 26 January 2012.

And according to its new privacy policy it is going to put this information to some use.

The web giant says the new privacy policy will allow it to offer better services, including more relevant search results. But web experts have raised concerns over potential misuse of data and breach of privacy. According to Google's new privacy policy that will come into effect from March 1, the company is "getting rid of over 60 different privacy policies across Google services and replacing them with one that's shorter, easier to read" and something that will enable it to "create intuitive experience across Google" . Unlike in the past when Google had allowed users to choose personalized services, this time there is no option to opt out.

For an end-user this means that whatever information he shares through Google searches, Gmail, Google +, Picassa etc will be used to customize Google services for him. That the move is significant can be gauged from the fact that Google has provided a link to the new policy directly under its search engine on main page, something that the company rarely does. Google users will also be notified about the policy change through an email. "Our new privacy policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services. In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, Google's director of privacy, in a post on the company's official blog.

Whitten gave some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location , your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

The privacy policy from Google is at the heart of its new business strategy as it works to keep the search engine relevant and its services fresh in the face of social networking websites like Twitter and Facebook. It is also prompted by the proliferation of devices like smartphones and tablets. However, privacy experts are not amused. Sunil Abraham, director of Centre for Internet and Society, said the new changes are not good for a consumer's privacy.

"I understand that Google collects the data so that it can build a 360 degree profile of a user and based on the information serve relevant advertisements . But there is no reason for them to store this data for long. Storing data makes it prone to misuse by authorities as well as corporations," said Abraham. Another, problem, he said is that different services are used for different purposes. "I don't want my bakery shop owner to know what kind of medicines Ibuy from the nearby medical store," said Abraham.

Are you being watched?

What |

For an end-user the new policy means that whatever information he shares through Google searches, Gmail, Google+, Picassa, etc will be used to customize Google services for him

Why |

The privacy policy is at the heart of Google's business strategy as it tries to keep the search engine relevant in the face of social networking websites like Twitter and Facebook

Concerns |

It's instrusive as online activity is tracked; storing data makes it prone to misuse by authorities as well as corporations

The original was published in the Times of India. Sunil Abraham has been quoted in it.

For more details visit https://cis-india.org/news/google2019s-privacy-policy-raises-hackles

Privacy Matters — Analyzing the Right to "Privacy Bill"

natasha — 2012-02-15T04:27:28Z

On January 21, 2012 a public conference “Privacy Matters” was held at the Indian Institute of Technology in Mumbai. It was the sixth conference organised in the series of regional consultations held as “Privacy Matters”. The present conference analyzed the Draft Privacy Bill and the participants discussed the challenges and concerns of privacy in India.

The conference was organized by Privacy India in partnership with the Centre for Internet & Society, International Development Research Centre, Indian Institute of Technology, Bombay, the Godrej Culture Lab and Tata Institute of Social Sciences. Participants included a wide range of stakeholders that included the civil society, NGO representatives, consumer activists, students, educators, local press, and advocates.

Comments to the Right to Privacy Bill

Welcome

Prashant Iyengar was the Lead Researcher with Privacy India, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the five “Privacy Matters” series previously organised across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011 and in Chennai on August 6, 2011.

Keynote Address

Na. Vijayashankar (popularly known as Naavi), a Bangalore based e-business consultant, delivered the key note address on the quest of a good privacy law in India.

He described the essential features of good privacy legislation. In analyzing the Draft Privacy Bill’s definition of the right to privacy, he suggested it should be defined through the “right to personal liberty” rather than through what constitutes “infringements”. Mr. Vijayashankar went on to explain that the “privacy right” should be taken beyond “information protection” and defined as a “personal privacy or a sense of personal liberty without constraints by the society”. He explained the various classifications and levels of protection associated with the availability and disclosure of data. He expressed concerns regarding monitoring of data processors and suggested that data controllers have contractual agreements between data processors, so as to ensure an obligation of data security practices. He also called for the simplification and division of offences and suggested numerous reasons as to why the Cyber Appellate Tribunal would not be an ideal monitoring mechanism or authority. See Naavi's presenation here

Session I: Privacy and the Legal System

Dr. Sudhir Krishnaswamy, Assistant Professor at the National Law School of India

Dr. Krishnaswamy started off the presentation by questioning the normative assumptions the Draft Privacy Bill makes. He referred to the controversy of Newt Gingrich's second marriage, to question the range of moral interests that were involved. The Bill falls short in accounting for dignity in relation to privacy.

He described the Draft Privacy Bill as a reasonable advance, given where privacy laws were before. Although, he feels that it does fall short, in terms of a narrow position, on what privacy law should do. He also questioned if it satisfies constitutional standards. He stressed the importance of philosophical work around the Draft Privacy Bill considering that the nature of privacy is not neat and over-arching.

Privacy and the Constitutional Law

N S Nappinai, Advocate, High Court, Mumbai,

Nappinai spoke on the constitutional right to privacy. She explained the substantial development of Article 21 of the Constitution of India to include the ‘right to privacy’ with regards to its interpretation and application. She described the different shift of the application of the right to privacy in the West in comparison to India. The West has moved from the right to privacy pertaining to property to the right to privacy concerning personal rights, whereas India moved from personal rights to property rights. She outlined three aspects of privacy: dignity, liberty and property rights.

Ms. Nappinai dissected the Bill in its major components: interception, surveillance, method and manner of personal data, health information, collection, processing and use of personal data. Using these components, she questioned what precedence exists? What should be further protected or reversed? What lessons should legislators draw from?

Shortcomings of the Draft Right to Privacy Bill falls include:

The objects and reasons section in the Draft Privacy Bill declares the right to privacy to every citizen as well as delineates the collection and dissemination of data. Nappinai dismisses the need for this delineation on the grounds that data protection is an inherent part of the right to privacy, it is not exclusive.
Large focus on transmission of data. The provisions do not account for property rights pertaining to the right to privacy. Therefore, the ‘knock-and-enter’ rule, the ‘right to be left alone’ and the ‘right to happiness’ should be included.
Applicability of the Bill should extend to all persons as well as data residing within the territory. It would be self-defeating if it only includes citizens, considering that the Constitution extends to all persons within the territory.
The right to dignity is unaccounted for.

See Nappinai's presentation here

Session II: Privacy and Freedom of Expression

Apar Gupta, Advocate, Delhi

Apar Gupta is an advocate based in Delhi who specializes in IP and electronic commerce law, spoke predominantly on the interplay between privacy and freedom of expression. He used the example of an advocate tweeting about his criticism of a judges’ ruling, to illustrate how different realms of online anonymity enable freedom of speech. He went beyond the traditional realm of journalistic architecture such as television channels or newspapers and explained online community disclosure.

Mr. Gupta provided a practical example of Indian Kanoon, a popular online database of Indian court decisions. Because Indian Kanoon is linked to the Google search engine, many individuals involved in civil and criminal matters have requested Indian Kanoon to remove the court judgments, under privacy claims. This particularly occurs with individuals involved in matrimonial cases. However, as court judgment constitute public records India Kanoon only removes court judgments when requested by a court order.

He described the several ways legislators can define privacy and freedom of expression. Considering that the privacy of an individual may border upon freedom of speech and expression, he questioned whether or not privacy should override the right to freedom of speech and expression. In addition, Mr. Gupta discussed the debate on whether or not the Privacy Bill should override all existing provisions in other laws.

Additionally, he analyzed the provisions of the Draft Privacy Bill using three judgments. In these judgments, different entities sought of various forms of speech to be blocked under privacy claims. He spoke about the dangers of a statutory right for privacy that does not safeguard freedom of speech and expression. Considering that the privacy statute may allow for a form of civil action permitting private parties to approach courts to stop certain publications, he stressed the importance for legislators to ensure balanced privacy legislation inclusive of freedom of speech and expression.

Sexual Minorities and Privacy

Danish Sheikh, researcher at Alternative Law Forum

Danish examined the status of sexual minorities in the light of privacy framework in India. The tag of decriminalization has served to greatly alter the way institutions approach the question of privacy when it comes to sexual minorities. He used the Naz Foundation judgment as a chronological marker to map the developments in the right to privacy and sexual minorities over the years.

He outlined four key effects on the right to privacy due to the Naz Foundation judgment:

Prepared the understanding of privacy as a positive right and placed obligations on the state,
Discussed privacy as dealing with persons and not just places, it took into account decisional privacy as well as zonal privacy,
Connected privacy with dignity and the valuable worth of individuals, and
Included privacy on one’s autonomous identity.

He described various incidents that took place before the Naz Foundation judgment, pre-Naz, that altered the way we conceived of queer rights in general and privacy in particular, including the Lucknow incidents, transgender toilets, passport forms, the medical establishment and lesbian unions. Post-Naz, he described two incidents including the Allahabad Muslim University sting operation as well as the TV9 “Expose” that captured public imagination.

He concluded by asking: “What do these stories tell us about privacy?” The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs display the institutionalized disrespect for privacy and that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Session III: Privacy and National Security

Menaka Guruswamy, Advocate, Supreme Court of India

Menaka explored national security and its relationship to privacy. In her presentation, she compared the similar manner in which the courts approach national security and privacy issues. The courts feel national security and privacy issues are too complex to define, therefore, they take a case-by-case approach.

Ms. Guruswamy described three incidents that urged her to question national security and privacy. First, she was interested in the lack of regulation surrounding intelligence agencies and was involved in the introduction of the Regulations of Intelligence Agencies Bill as a private members bill. Second, national security litigation between the Salwa Judum judgment and the State of Chhattisgarh is an example of how national security triumphs constitutional rights and values. Third, privacy in the context of the impending litigation of Naz Foundation in the Supreme Court. She described the larger conversation of national security focus on values of equality and privacy. She discussed the following questions that serve in advancing certain conception of rights:

How do we posit privacy which necessarily, philosophically as well as judicially, is carved out as the right of an individual to be left alone?
What are the consequences when national security, which is posited as the rights of the nation, is in conflict with the right of the individual to be left alone?
Considering that constitutional rights are posited as a public facet of citizenship how does a right to privacy play in that context?

Privacy and UID

R. Ramakumar, professor at the Tata Institute of Social Sciences

Prof. Ramakumar spoke on UID, its collection of information and the threat to individual privacy. First, he provided a historical trajectory of national security that has led to increased identity card schemes. He described the concrete connection between UID and national security.

He briefed the gathering on the objectives of the UID project. He described several false claims as proposed by the UIDAI. He explicitly disproved the UIDAI claim that Aadhaar is voluntary. He did this by comparing various legislations associated with the National Population Registrar that had provisions mandating the inclusion of the UID number.

He went on to explain that the misplaced emphasis of technology to handle large populations remains unproven. He described two specific violations of privacy inherent in the UID system: convergence of information and consent. The UID database makes it possible for the linking or convergence of information across silos. In addition, consent is unaccounted for in the UID system. The UID enrollment form requires consent from a person to share their information. However, the software of the enrollment form automatically checks ‘yes’, therefore you are not asked. Even if you disagree, it automatically checks ‘yes’. Default consent raises the important question, “to what extent are we the owners of our information?” and “what are the privacy implications?”

Mr. Ramakumar was once asked, by Yashwant Sinha in a Parliamentary Standing Committee meeting, “Is the Western concept of privacy important in developing country like India?”. Using this question posed to him, he stressed the importance of privacy to be understood as a globally valued right, entitlement and freedom. He also referred to Amartya Sen’s work on individual freedoms.

Conclusion

During the daylong consultation numerous questions and themes relating to privacy were discussed:

How is the right to privacy defined?
How can the Draft Privacy Bill redefine the right to privacy?
How can reasonable deterrence mechanisms be included?
Does duplication of the right to privacy exists in different statutes?
Is the Cyber Appellate Tribunal an ideal monitoring mechanism or authority?
What are the circumstances under which authorized persons can exercise the Right of privacy invasion?
How can the Draft Privacy Bill account for the right to dignity?
How much information should the State be allowed to collect?
How can citizens become more informed about the use of their information and the privacy implications involved?
What would be the appropriate balance or trade-off between security and civil liberties?
What are the dangers with permitting the needs of national security to trump competing values?
What are the consequences for the homosexual community, when faced with institutionalized disregard for privacy?

For more details visit https://cis-india.org/internet-governance/privacy-matters-analyzing-the-right-to-privacy-bill

Google to change privacy policy to use personal info of users

praskrishna — 2012-01-30T05:03:55Z

It is a warning for users of Google and other Social Networking sites. Who are using these sites for searching anything they want to know and sharing their personal life with friends, colleagues and relatives. If you have ever used Google for searching any place, restaurant or shared information about your personal life with your friends on Google and other social networking sites, or you have watched adult stuff on YouTube, if your answer is yes, Google knows about it. And according to its new privacy policy Google is going to put this information to some use. Sheetal Ranga's article was published in Punjab Newsline on 27 January 2012.

It is claimed by the web enormous that according to new privacy policy, better service will be provided to its users, including more relevant search results. And other side the web experts have expressed their concerns over potential misuse of data and defy of privacy. Google's new privacy policy will come into effect from 1 March 2012, said by Google.

Google provide service which will be shorter and easier to read and something that will enable it to create spontaneous experience across Google. Google had allowed users to choose personalized services; “unlike” this time there is no option to pick for the users.

The new policy of Google has made some people anxious over their privacy issues. The new policy is being adopted by Google, SafeGov monitors security issues for federal, state and local government is not happy with it.

A security analyst, Jeff ( SafeGov) said, "Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services. It’s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information."

The Vice President of Google ,Amit Singh claims that Google’s new privacy policy for consumer data is antiquated by data privacy provisions in contracts with government agencies and other organization that use the paid version of Google Apps. Google will maintain our endeavor customers’ data in conformity with the confidentiality and security obligations provided to their domain, he said.

The new policy of Google has made some people edgy over their privacy issues. SafeGov monitors security issues for federal, state and local government agencies are very unhappy with the new policy of Google. It is also said by Sunil Abraham, director of Centre for Internet and Society that the new changes are not good for a consumer's privacy.

Director of privacy Alma Whitten has given some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

Other side after the cross-checked the contract between Google and the city of Los Angele by Gould, claimed that he didn’t think through the consequences for government users.

Punjab Newsline published this story. Sunil Abraham was quoted in it.

For more details visit https://cis-india.org/news/google-to-change-privacy-policy

Whose Data is it Anyway?

praskrishna — 2012-04-28T04:12:15Z

Tactical Technology Collective and the Centre for Internet & Society invite you to the second round of discussions of the Exposing Data Series at the CIS office in Bangalore on 24 January 2012. Siddharth Hande and Hapee de Groot will be speaking on this occasion.

Like countless others, this title is a convenient adaptation of a 1972 play by Brian Clark, Whose Life is it Anyway?, a meditation on 'euthanasia' and the extent to which governments or the law can determine the private life of an individual. In a similar sense we use the title to help frame the second set of conversations in the Exposing Data Series, to zero in on the idea of data and who has the right to decide what happens with it. Philosophically, and also at the level of code, computing and the law, the ownership of data can be a somewhat odd and a contentious thing to grapple with. The only other understandings of 'ownership' we really have are those of property and identity and these get imputed onto the intangibility of data. And, in some senses now, many aspects of one's identity exist as data.

There are a range of experiences of data ownership that we talk about and experience daily. On the one hand you can hoard hard disks with favourite content to retrieve memories and experiences. On the other end of things, you can aggregate your experiences and memories with that of thousands of others, that then gets treated almost like a private hard disk belonging to some mysterious X. Who is this Mysterious X? Is there a Y? Or an XY? What is the trajectory of data in its movement from the individual to a larger, shadowy infrastructure that harvests it? What happens to our idea of data in its reconfiguration from intangible code to an idea of politics and rights? To introduce another provocation, do our existing ideas of data ownership objectify individuals? What does this objectification imply for the notion of personal privacy? For example, does the fetishization of 'things' called data obfuscate the idea of personal privacy?

One of the ways in which we may consider looking at open data initiatives for transparency and accountability is to assess it as discourse, and in relation to what happens when communities aggregate data. Open Government Data usually involves a top-down approach in terms of how it is aggregated, collated, shared, whilst community based approaches are more particular, contextual and local. What do these different approaches give us when we bring them to the same table?

The second event in the Exposing Data Series will focus on data ownership, looking into open government data and community-based data aggregation, to explore the various levels of data collection, the movement of data and its exchange, its representation, and dissemination in different contexts.

Speakers

Siddharth Hande, Transparent Chennai
Hapee de Groot, Hivos, Netherlands

This event is free and open to everyone. However, we would appreciate a confirmation of attendance ahead of time so as to ensure that your space is reserved. To confirm your attendance please write to: yelena.gyulkhandanyan@gmail.com

Photo Source: http://www.freedigitalphotos.net/images/view_photog.php?photogid=2000

VIDEOS

For more details visit https://cis-india.org/internet-governance/whose-data-is-it

Keeping it Private

nishant — 2012-01-27T03:50:51Z

As we disclose more information online, we must ask who might access it and why. This article by Nishant Shah was published in the Indian Express on Sunday, 15 January 2012.

As a researcher of the blink-and-change cyberspaces, I am often asked about the future of all things digital. I generally refuse to answer such questions because researchers are happier talking about things past than things present. Also, when people ask questions of the future, they are more interested in gadgets and platforms. Will Facebook survive the next year? Will more people use Twitter? Is the mobile the new weapon of protest? Shall we all soon talk only on FaceTime? I shrug my shoulders at these questions. However private information and privacy ties all these questions.

I pronounce that 2012 is going to be the year of Personal Information Management and the need for increased privacy, where more than anything else, people will realise that what they do online is not only significant to their present, but that it might bite them in their digital futures. We have heard stories that have hinted at management of information and reputations online. Young people put compromising pictures and videos online, severely damaging their social and professional relationships; people express opinions on public forums, which might not necessarily reflect them well; users reveal personal information, which can be abused by those with malice. These instances should remind us that unlike in the physical worlds, where our foot-in-the-mouth moments, youthful indiscretions or embarrassing behaviour quickly runs through the grapevine and is forgotten, in the digital worlds, the things that we say and do, stay long after we have forgotten them.

And this is where privacy kicks in. Many people in India, when they encounter the idea of “privacy”, raise their eyebrows. Culturally, we are not very private people. We celebrate our triumphs and sorrows in public, freely part with information to strangers on train rides, and don’t have qualms asking about age, marital status or salary. In the age of ubiquitous computing, we must remember that once something has been committed to the online world, it will be etched somewhere and will be available for somebody else to look at. The internet, specially with increasing bandwidth, expanded spectrum and cloud-based distributed data storage, is an unforgiving space that never lets go.

Privacy, in this brave new world, is not about disclosure. It is becoming increasingly clear that we will need to disclose more and more of our private information if we want services — from government public delivery systems to private credit and education — online. However, once we have disclosed our private information, then what? Who uses it? Who reads it? Who stores it for what purpose? What are the implications of having that private information out there?

In the digital world, privacy is about having more control over the personal information that we have disclosed, the right to know who, where, when, how and for what purposes information that we have willingly disclosed is used. And as the country finalises privacy bills, this right of the individual, whose private information is going to feed government and business ecologies, is at stake.

There is a need to institute better regulation around data protection, data mining, data retention and data retrieval that is still in the limbo in our country, at the mercy of privately crafted terms of service that we blindly accept while signing into the digital world.

It is time to move away from understanding privacy as disclosure to privacy as control of information — to know who is doing what with your private information and how you should have a say in it. And it is time to realise that just because you don’t have anything to hide, does not mean that you need to be in a state of disclosure. There is a reason why you have curtains in your house, or do not allow strangers to look into your bags.

The article was originally published in the Indian Express

For more details visit https://cis-india.org/internet-governance/keeping-it-private

NGO questions people's privacy in UID scheme

praskrishna — 2012-01-12T11:45:07Z

Taking a leaf out of the recommendations of the parliamentary standing committee on finance (SCF) that raised objections on the National Identification Authority of India Bill 2010, Delhi-based NGOs have called upon the Jharkhand government to stay the execution of UID projects in the state. Jaideep Deogharia's article was published in the Times of India on 11 January 2012.

Citing excerpts from the recommendations of the SCF, headed by BJP MP Yashwant Sinha, the NGO activists asserted that the MoU signed by the government on June 25, 2010, was without any legal and constitutional mandate.

This claim, however, remains unfounded as the UIDAI is functioning under an executive order of the department of planning and has no links with the NIDAI Bill. The issue was recently clarified by the director general and mission director of UIDAI when he addressed the media in the capital during his three-day visit.

Organizing a round table, report on SCF and its implications for Aadhaar project and National Population register for multipurpose National ID Card (MNIC),

Citizens Forum for Civil Liberties member Gopal Krishna said given the fact that the Election Commission had shortlisted 15 documents as evidence of identity and citizenship, there was no need to have the 16th instrument (read UID).

"It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," he said clarifying that even in case of prisoners, the fingerprint data is supposed to be deleted after acquittal under the Prisoner Identification Act.

JT D'Souza, an expert in biometrics technology, Mumbai, gave a presentation on how biometric information was vulnerable to exploitation. Using a finger print reader, he demonstrated fake finger prints being read by the machine. He said a fingerprint on a semi solid wax slab can be filled up with adhesive and allowed to set for eight hours. "Once the adhesive block is removed, it takes up the exact marks of finger prints using which any finger print reader can be fooled," he said.

Another participant, Sunil Abraham, director, Centre for Internet and Society, Bangalore, said there is no data protection or privacy law in place. "The UID project was allowed to march on without any protection being put in place," he said.

"On one hand, the government wants its citizens to be transparent by giving all their biometric and demographic data, but on the other hand, people in higher authorities are making every bid to conceal facts and function in a non-transparent manner," he said.

D' Souza also raised questions about the uniqueness of fingerprints as it has never been tested on a vast population. Citing examples from foreign countries where fingerprint studies have proved to be ineffectual in establishing non duplication, he said biometric data if hacked could be misused.

Read the original published in the Times of India

For more details visit https://cis-india.org/news/ngo-questions-peoples-privacy-in-uid-scheme

Constitution of Group of Experts to Deliberate on Privacy Issues

praskrishna — 2012-01-04T07:49:37Z

It has been decided to constitute a Small Group of Experts under the Chairmanship of Justice A.P. Shah, Former Chief Justice, Delhi High Court, to identify the privacy issues and prepare a paper to facilitate authoring the Privacy Bill. The constitution of the proposed group and ToR are as follows:

Constitution of the Group

S.No.	Name	Designation
1	Justice A.P. Shah, Former Chief Justice, Delhi High Court	Chairman
2	Shri. R S Sharma, DG UIDAI	Member
3	Dr. Gulshan Rai, Director General CERT-In, DIT	Member
4	Sh. Rajiv Kapoor, JS, DOPT	Member
5	Representative, Department of Legal Affairs	Member
6	Sh. Som Mittal, President, NASSCOM	Member
7	Ms. Barkha Dutt, NDTV	Member
8	Dr. (Ms) Usha Ramanathan, Researcher & Advocate	Member
9	Sh. PraneshPrakash, Programme Manager, Centre for Internet & Society	Member
10	Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)	Member
11	Dr. Nagesh Singh, Adviser, Planning Commission	Member
12	Sh. R K Gupta, Adviser (CIT&I), Planning Commission	Member

Terms of Reference
- To study the Privacy laws and related bills promulgated by various countries.
- To make an in-depth analysis of various programmes being implemented by GoI from the point of view of their impact on Privacy.
- To make specific suggestions for consideration of the DOPT for incorporation in the proposed draft Bill on Privacy.
The Chairman may co-opt other Members to the group for their specific inputs.
The expenditure towards TA/DA in connection with the meetings of the Group in respect of the official members will be borne by their respective Ministries/Departments. Domestic travel in respect of non-Official Members of the group would be permitted by Air India (economy class) and the expenditure would be met by the Planning Commission.
The group will be serviced by the CIT & I Division, Planning Commission.
The group shall submit its report by 31st March 2012.

(S Bose)
Under Secretary to the Government of India

To:
The Chairman and all Members of the Group of Experts
Copy forwarded to:

PS to Deputy Chairman, Planning Commission
PS to MOS (Planning, PA, S&T and ES), Planning Commission
PS to all Members of the Planning Commission
PS to Member Secretary, Planning Commission
Director (PC), IFA unit,Deputy Secretary (Admn.),Planning Commission
Administration/Accounts/General Branches, Library, CIT & I Division, Planning Commission
Information Officer, Planning Commission

(S Bose)
Under Secretary to the Government of India

Download the PDF we got from the Planning Commission.

For more details visit https://cis-india.org/news/constitution-of-group-of-experts

Indecent Proposals

praskrishna — 2012-02-14T06:13:22Z

If Kapil Sibal’s attempts to police net content fructify, it may even lead to a reversal of some of the forward-looking provisions of the Information Technology (IT) Act, 2000. The new proposal, for instance, will reverse Section 79 which protects intermediaries (websites and carriers) from being prosecuted or made liable for any objectionable content published. Says Pranesh Prakash, programme manager, Centre for Internet and Society: “Unfortunately, what Sibal says turns this upside down as they would now be held responsible for e-content.” Sibal wants to monitor content prior to publication.

The article by Arindam Mukherjee was published in Outlook Magazine on December 19, 2011. Pranesh Prakash was quoted in it.

While there are privacy concerns, any attempt to do real-time monitoring could pose serious legal complications. Says cyber law expert Pavan Duggal: “This proposition could be ultra vires of the Constitution which guarantees fundamental rights under Article 19, which is about freedom of speech and expression subject to reasonable restrictions.” And the reasonable restrictions for monitoring, blocking and interception of internet content are already built into the IT Act.

Says Rajya Sabha MP Rajeev Chandrasekhar: “If Sibal was really serious about protecting people, he should have read the IT Act that has a section which allows a victim to legally pursue his/her claim of defamation. If Sibal has his way, DoT bureaucrats will decide what content is ‘appropriate’ or ‘inappropriate’.”

“If Sibal was really serious, he should have read the IT Act...it has a section on how victims can pursue defamation claims.”

Moreover, the IT Intermediary Guideline Rules, 2011, though still provisional, mandate that once service providers receive instructions, they have to remove objectionable content within 36 hours. The Act also has other specific provisions like Section 69, which provides safeguards for interception, monitoring/decryption of information; Section 69A which gives procedures and safeguards for blocking access of information by the public; Section 69B for monitoring and collecting traffic data or information. There are also provisions for obscenity and defamation, with steep fines prescribed. Following these, the state has blocked 11 websites since ’09

However, what Sibal and his men would have seen is the Act’s inability to act on the content freely flowing in social media sites. Says Duggal: “The IT Act, 2000, was amended in ’08, but doesn’t talk about social media which came up only around that time. There is a need to bring social media within the ambit of the Act. What Sibal is suggesting doesn’t exist anywhere in the world.” Monitoring social media websites would also be a huge challenge as crores of messages and tweets are generated from India everyday.

And privacy? Experts say since India does not have dedicated legislation on privacy, the government could escape any attack on that front. Although some privacy elements were added to the IT Act in 2008, its scope is limited and the concept of data privacy is missing. In fact, the law doesn’t even recognise a person’s right to data privacy!.

For more details visit https://cis-india.org/news/indecent-proposals

Caught in the Web

praskrishna — 2011-12-12T15:32:28Z

Do we need a cyber Big Brother watching us? A look at both sides of the coin.

In the summer of 2009, a hue and cry was raised by netizens when the Government blocked a hugely popular adult-oriented cartoon site called Savitabhabhi.com. The site was blocked after complaints that Savita Bhabhi's lurid tales were highly offending to the sensibilities of those grounded in Indian traditions. Those who opposed the move said that this was done without granting the creators an opportunity to defend their right to freedom of expression.
Recent ruffles

A similar brouhaha erupted recently when Communication and IT Minister Kapil Sibal, in a hurriedly called press conference, announced that the Government will bring in a law to pre-filter content posted on social networking Web sites. The trigger for this was certain pictures, with religious connotations, uploaded on various social networking sites including Facebook and Google Plus. Sibal claims that despite Government appeals the Web site refused to remove the content. If the new law is implemented, your status updates or videos will be screened by the internet company for objectionable content before it is published.

The move has angered Internet users, promoters of free speech and social networking companies. “As it is the status of freedom of speech in India is in a bad shape. Sibal's new rules will only make it worse,” says Sunil Abraham, Executive Director, Centre for Internet and Society.

Abraham's point is buttressed by a report from the United Nations Democracy Fund called ‘Freedom on the Net 2011' which gives Indian Internet usage a “partly free” status clubbed along with the likes of Egypt, Jordan, Rwanda and Venezuela.

“Pressure on private intermediaries to remove certain information in compliance with administrative censorship orders has increased since late 2009, with the implementation of the amended IT Act. While some observers acknowledge that incendiary online content could pose a real risk of violence, particularly given India's history of periodic communal strife, press freedom and civil liberties advocates have raised concerns over the far-reaching scope of the IT Act, its potential chilling effect, and the possibility that the authorities could abuse it to suppress political speech,” the report says.
User content removal

When Google began reporting government requests for data and content removal in early 2010, India ranked third in the world for removal requests and fourth for data requests. Between July 1, 2009, and December 31, 2009, India had submitted 142 removal requests. By June 2011, the Internet search giant received requests from the Indian government to remove 358 items. In a breakdown of reasons for such requests, 255 items were classified under the “government criticism” category. In May 2008, two men were arrested and charged for posting derogatory comments about Congress party chief Sonia Gandhi on Orkut. There are many other instances of Government intervention over the past 3 years.

Those who support monitoring argue that content on social media network should be scanned because the users are not responsible enough. California-based media commentator Andrew Keen blames the Internet users in a book called The Cult of the Amateur where he writes that technology has fostered a “dictatorship of idiots”. “.....the masses are liable to be further vulgarised by the overwhelming surfeit of their own voluntary contributions, which are inherently without value (otherwise they wouldn't have been offered freely). Without cultural elites empowered to control public discourse and deify their chosen superstars, the monkeys are running the show,” Keen declares.

Abraham says this argument is flawed because there is no empirical evidence to determine that people use the Internet for a single purpose. “There is no cause and effect here. People may use the Internet for anything ranging from pornography to science. One cannot generalise user behaviour. If Internet was a tool for the Egypt uprising, the same may not work in some other country,” says Abraham.
Monitoring issues

Then there are others who want the social network Web sites to take some responsibility. Rajesh Chharia, President of the Internet Service Providers Association thinks that multi-national Internet firms cannot get away by saying that they conform to standards of their country alone.

But experts feel that it is practically impossible for any social networking Web site to monitor everything that's posted on their site due to sheer volume. For instance, YouTube has 48 hours of videos uploaded every minute and Facebook has 38 million users in India posting thousands of pictures and messages every day. “The Internet is like a sea, you just cannot control everything that's thrown into it unless you man the entire coastline. Even if you block someone from posting content on one site, they will find another way to get in,” said one of major Internet firms.

Meanwhile the Savita Bhabhi site is back with all new content at a new address. So much for the Government's desire to monitor the Internet.

This article by Thomas K Thomas was published in the Hindu Business Line. Sunil Abraham was quoted in this article. Read the original here

For more details visit https://cis-india.org/caught-in-web

Privacy Matters — Analyzing the "Right to Privacy Bill"

Natasha Vaz — 2012-04-28T04:10:12Z

Privacy India in partnership with International Development Research Centre, Canada, Indian Institute of Technology, Bombay, the Godrej Culture Lab, Tata Institute of Social Sciences, Mumbai and the Centre for Internet and Society, Bangalore is organising "Privacy Matters", a public conference at IIT, Bombay on 21 January 2012.

The conference will focus on the questions and dilemmas posed by privacy in India today, with a concentration on the "Right to Privacy Bill". The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities, prisoners, etc. — people who most need to know that sensitive information is protected.

Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

The event will focus on discussing the challenges and concerns to privacy in India. We invite you to attend the meeting and contribute your views. Please confirm your participation by getting in touch with Natasha (natasha@cis-india.org). We sincerely hope that you will be able to attend and look forward to your participation.

Agenda

09:30- 10:00	Registration
10:00- 10:30	Welcome- Privacy in India Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. His presentation will focus on discussing privacy in India.
10:30- 11:15	Key Note Address- Draft Privacy Bill Critique Na. Vijayashankar is an e-business consultant. He established the premier Cyber Law information portal in India. He is the founder secretary of Cyber Society of India, Founder Trustee of International Institue of Information Technology Law, and Founder Chairman of Digital Society Foundation. He will present a critique of the Draft Privacy Bill.
11:15- 11:30	Tea Break
11:30- 12:15	Session I Privacy and the Legal System Sudhir Krishnaswamy is an Assistant Professor at the National law School of India University and is currently writing a Doctoral Thesis at the Faculty of Law, Oxford University on ‘The Basic Structure Doctrine in Indian Constitutional Adjudication’. His presentation will look at the trajectory of privacy through the years from a legal perspective.
12:15- 13:00	Privacy and Constitutional Law N. Nappinai is an advocate who specializes in IP and technology laws. She is a founder member of Technology Law Forum (TLF). She has spearheaded and driven several initiatives of TLF with various organization including NASSCOM, FICCI, IMC etc., and has also conducted several workshops and training sessions for the Mumbai Police, Public Prosecutors & Industry verticals in Cyber Laws. Her presentation will define the scope of Article 21 under the Indian Constitution, which protects the right to privacy.
13:00- 13:15	Discussion
13:15- 14:00	Lunch Break
14:00- 14:45	Session II Privacy and Freedom of Expression Apar Gupta is an advocate who specializes in intellectual property, electronic commerce law and technology media and telecoms. He holds a master from Columbia Law School and has authored a Commentary on the Information Technology Act, 2000. His presentation will focus on the limits of a privacy right when it competes and conflicts with the freedom of speech and expression. He will examine certain provisions of the Draft Privacy Bill questioning how privacy arguments may be used to stifle debate or disclosure made in the public interest.
14:45- 15:30	Sexuality Minorities and Privacy Danish Sheikh graduated from Nalsar University of Law with a B.A., LL.B. (Hons.). Currently, he is a researcher at the Alternative Law Forum in Bangalore. He will examine the status of sexual minorities in the light of privacy framework in India. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he will bring to light the privacy violations being committed by both individuals as we all state authorities.
15:30- 15:45	Discussion
15:45- 16:30	Session III Privacy and National Security Menaka Guruswamy practices law at the Supreme Court of India. She was a Rhodes Scholar at Oxford University, a Gammon Fellow at Harvard Law School, and a gold medalist from the National Law School of India and has law degrees from all three schools. Menaka has advised the United National Development Program and the United Nations Development Fund for Women. She will discuss the relationship between national security and privacy, from the perspective of surveillance by the state etc.
16:30- 17:15	Privacy and UID R. Ramkumar is a Professor at the Tata Institute of Social Sciences. He is advocate as well as a patent and trademark attorney. His presentation will focus on what standards of privacy are afforded within the UID system.
17:15- 17:30	Tea Break
17:30- 18:00	Discussion and Questions

	Organizers
	Privacy India Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.
	Privacy International (https://www.privacyinternational.org/) Privacy International’s mission is to defend the right to privacy across the world, and to fight surveillance and other intrusions into private life by governments and corporations. PI has been providing citizens and policy-makers with the tools and perspectives to enable them to hold to account those who threaten privacy since 1990. PI has active associates and networks in 46 countries.
	The International Development Research Centre (www.idrc.ca/) Canada’s International Development Research Centre (IDRC) is one of the world’s leading institutions in the generation and application of new knowledge to meet the challenges of international development. They help developing countries use science and technology to find practical, long-term solutions to the social, economic, and environmental problems they face.
	The Centre for Internet & Society (http://cis-india.org/) The Centre for Interenet & Society brings together a team of practitioners, theoreticians, researchers and artists to work on the emerging field of Internet and Society to critically engage with concerns of digital pluralism, public accountability and pedagogic practices, with particular emphasis on South-South dialogues and exchange.
	Partners
	The Godrej India Culture Lab (www.godrej.com) The Godrej India Culture Lab is an interdisciplinary space which aims to build knowledge networks and interpret the changes rapidly taking place in contemporary India by bringing together the best minds from global academia, business and the creative worlds working on different aspects of Indian society.
	IIT, Bombay (www.iitb.ac.in/) Established in 1958, IIT is recognised worldwide as a leader in the field of engineering education and research. It is reputed for the quality of its faculty and the outstanding calibre of students graduating from its undergraduate and postgraduate programmes. Over the years, there has been dynamic progress at IIT Bombay in all academic and research activities, and a parallel improvement in facilities and infrastructure, to keep it on par with the best institutions in the world.
	Tata Institute of Social Sciences (http://www.tiss.edu/) Tata Institute of Social Sciences (TISS) offers higher professional education in the field of human service and applied social science research. The institute has gone beyond the initial concern of social work education, since its inception in 1936, to consistently contribute to the promotion of sustainable, participatory development and social justice. Through its work, the Institute facilitates strong linkages between education, research, field action and policy advocacy.

Speakers

1. Apar Gupta

2. Danish Sheikh, Alternative Law Forum

3. NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law, and Founder Chairman of Digital Society Foundation

4. N S Nappinai, Advocate and Founder Member of Technology Law Forum

5. Prashanth Iyengar, Assistant Professor & Assistant Director, Centre for Intellectual Property Rights Studies, Lead Researcher with Privacy India, Bangalore; Legal Aid Manager with Rural Development Institute, Hyderabad; Researcher & Lawyer with Alternative Law Forum

6. R. Ramkumar, Assistant Professor, School of Social Sciences, Tata Institute of Social Sciences

7. Shishir Jha, Project Lead at Creative Commons India and Associate Professor at Indian Institute of Technology, Bombay

8. Menaka Guruswamy, practices law at the Supreme Court of India.

9. Sudhir Krishnaswamy, is an Assistant Professor at the National law School of India University.

Download the invitation [PDF, 988 kb]

Download the event poster [PDF, 2155 kb]
IIT Bombay Map http://www.iitb.ac.in/campus/howto/howtoget.html

VIDEOS

For more details visit https://cis-india.org/internet-governance/right-to-privacy-bill-conference

An Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada

elonnai — 2011-12-03T01:26:04Z

Elonnai Hickok interviewed Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada. The full interview is reproduced below.

When Canada weighed a broad privacy legislation against sectoral legislation, was the decision close? What were the most decisive factors?

Canada’s legislative privacy regime consists of both broad and sectoral privacy legislation.

Broadly, the use of personal information in Canadian commercial activities is regulated by federal legislation under the Personal Information Protection and Electronic Documents Act (PIPEDA), or by provincial legislation that is “substantially similar” to PIPEDA, or by provincial legislation that is “substantially similar” to PIPEDA.

Sectorally, a prime example is the protection of personal health information under Ontario's Personal Health Information Protection Act, 2004 (PHIPA).

Regarding the decisive factors surrounding Parliament's passing of a broad private sector privacy statute, you may know that oversight of PIPEDA falls within the jurisdiction of the Office of the Privacy Commissioner of Canada (OPC). Accordingly, you may wish to focus your contact with the OPC regarding your question. In addition, Industry Canada may have some helpful resources regarding the federal government’s decision to enact PIPEDA.
Do you see the different perceptions and cultural understandings of privacy as something to be addressed through legislation? If not, do you think it should be addressed at all? How?

In an era marked by the widespread use of new information technologies, globalization, and the international flow of personal information, the establishment of global privacy standards is required to effectively protect personal privacy. Fortunately, an international community of data protection commissioners is hard at work contributing to the establishment of a set of global privacy principles. At the annual International Data Protection Commissioners Conference in 2005, Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, chaired a Working Group of Data Protection Commissioners that led to the Creation of a Global Privacy Standard. Such a principled but flexible approach can also be seen, for example, in the landmark Privacy by Design (PbD) resolution adopted unanimously, in 2010, by the international Privacy Authorities and Regulators at the International Conference of Data Protection and Privacy Commissioners in Jerusalem.[1]

The resolution recognizes PbD as an “essential component of fundamental privacy protection” – an International Standard, and urges its adoption in regulations and legislation around the world. Governments that employ this internationally recognized standard will be able to both protect privacy and address local and national priorities.[2]
How does the Canadian model implement self-regulation of privacy standards? How is that balanced against legal enforcement of privacy legislation?

In Canada, as elsewhere, private sector privacy regulation recognizes the dual purposes of protecting the individual's right to privacy, on the one hand, and recognizing the commercial need for access to personal information, on the other.[3]

PIPEDA furthers these two purposes by tying a set of flexible, technology-neutral privacy principles to a statutory framework of rules governing the collection, use, and disclosure of personal information.

In particular, Part I of PIPEDA provides the overarching statutory framework, while Schedule I, which was borrowed from the Canadian Standards Association’s Model Code for the Protection of Personal Information, provides flexible, technology-neutral privacy principles. To accomplish the dual purposes that animate PIPEDA and its Schedule, Canada’s Federal Court of Appeal has directed that the interpretation and application of this regulatory framework should be guided by "flexibility, common sense and pragmatism."[4]

Such an approach allows organizations to address their own goals and priorities within a privacy protective framework. Moreover, by incorporating the flexible principles of PbD, organizations can "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements." Instead, they can be empowered to design their own responsive approaches to risk management and privacy-related innovation, within the context of the relevant regulatory framework. This approach allows organizations to develop doubly-enabling, positive-sum solutions that are win/win in nature and appropriate given the size and nature of the organization, the personal information it manages, and the range of risks, opportunities, and solutions available.
Does Canada favor private forms of redress or agency/state enforcement to prevent and remedy privacy violations? In what circumstances is one more effective than the other?

Canadian privacy legislation includes both state enforcement and private forms of redress; neither is necessarily favoured.

For example, under PHIPA, the Attorney General may impose fines of up to $50,000 for individuals and $250,000 for corporations who are found to be in breach of PHIPA. Further, our office has broad powers of investigation and can directly order a custodian to comply with its obligations. An individual affected by a Commissioner’s final PHIPA order may commence a proceeding in the Ontario Superior Court for damages for actual harm suffered.

Another example is under PIPEDA where contravention can result in fines of up to $100,000 depending upon the type and severity of the matter. Further, the federal privacy Commissioner has powers to investigate and report findings with respect to privacy complaints. Following the release of the Commissioner’s report, a complainant may apply to the Federal Court to seek remedies that include damages and an order requiring an organization to correct its practices.

Generally, fines and other penalties imposed on individuals and corporations by the government are effective in deterring certain actions and protecting the public from a variety of harmful practices. On the other hand, a private right of action may be effective when a particular individual is harmed by an individual or corporation and is seeking damages to compensate or redress that particular harm.
What types of privacy violations are the most common? How have these been addressed?

The most common types of privacy violations are inadvertent disclosures or privacy breaches of personal information, including personal health information. In particular, these violations usually stem from the improper retention, transfer and disclosure of personal information.

Privacy breaches are addressed in a variety of ways, depending on the type and amount of information disclosed. For example, under PHIPA, if health information is stolen, lost, or accessed by unauthorized persons, the health information custodian must notify the affected individual at the first reasonable opportunity and should take immediate steps to contain the breach. Further, the Commissioner may order the health information custodian to take corrective action such as requiring the custodian to implement a certain procedure when handling personal health information or conduct privacy training.
What forms of privacy education has Canada pursued? What audiences have been targeted? Which efforts have been the most successful and why?

Canadian institutions and organizations have pursued a wide variety of privacy education initiatives including programs that award professional designations (e.g. IAPP, CAPAPA, University of Toronto Identity, Privacy and Security Initiative, University of Alberta Program).

Our Office has led a wide variety of educational initiatives to spread the word about privacy protection and freedom of information under our Ontario legislation. We have focused on a variety of audiences from the general public to individuals who deal with privacy and access to information issues as part of their daily professional role.

Initiatives include frequent contact between our Information Officers and the public, and dozens of marketing materials geared to providing guidance (e.g. “Circle of Care: Sharing of Personal Health Information for Health-Care purposes”, “What to do When Faced With a Privacy Breach: Guidelines for the Health Sector”). Our Office has developed Educational Resource Guides (Grade 5, Grade 10, Grades 11/12), which have been added to the formal Ontario curriculum to help teachers educate about privacy protection. Commissioner Cavoukian participates in extensive presentations and speeches at numerous conferences and events. As well, representatives from our Office reach out into the community to educate about our offerings and role (hospitals, conference, community events etc.). In addition, to educate Ontarians about privacy protection, the IPC also allots significant resources to many marketing initiatives including a quarterly e-newsletter, video production, and social media outreach. Most recently, we circulated an online tool kit (available via USB as well), to assist new Freedom of Information and Protection of Privacy Co-ordinators in the public sector. Most of our resources are available in English and French.

Without a doubt, the IPC’s most successful educational effort thus far is in the area of PbD, now an international standard. This Ontario-made solution was created by Commissioner Cavoukian who has led the IPC in partnering with global stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design, and to foster innovation in many fields, including biometrics, the Smart Grid and even Targeted Advertising. Privacy by Design knows no boundaries and makes sense for everyone — especially businesses. Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build a successful brand.
What [have] proven to be [the main] challenges or obstacles to protecting privacy in Canada?

The most common obstacle to protecting privacy is that key stakeholders hold on to misconceptions about privacy.
Misconception #1 – Privacy is dead or obsolete.
Misconception #2 – Privacy stops us from performing our job.
Misconception #3 – With the massive growth of online social media, you cannot have both widespread connectivity and privacy.

Not only do these misconceptions contradict each other, they are both dead wrong!

Privacy is alive and well and more relevant than ever. Consider, for example, that the same technologies that serve to threaten privacy may also be enlisted to support it. Properly understood, privacy is becoming increasingly critical to achieving success in the new economy. In this environment, PbD offers a principled, flexible, and technology-neutral vehicle for engaging with privacy issues, and for resolving them in ways that support multiple outcomes in a full functionality, positive-sum, win-win scenario.

It does so by ensuring that privacy is built in right up front, directly into the design specifications and architecture of new systems and processes.

PbD seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies or unnecessary trade-offs, such as privacy vs. security, demonstrating that it is possible to have both. For more on PbD, go to www.privacybydesign.ca

Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada

Dr. Ann Cavoukian is recognized as one of the leading privacy experts in the world. Noted for her seminal work on Privacy Enhancing Technologies (PETs) in 1995, her concept of Privacy by Design seeks to proactively embed privacy into the design specifications of information technology and accountable business practices, thereby achieving the strongest protection possible. In October, 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. This was followed by the U.S. Federal Trade Commission’s inclusion of Privacy by Design as one of its three recommended practices for protecting online privacy – a major validation of its significance.

An avowed believer in the role that technology can play in the protection of privacy, Dr. Cavoukian’s leadership has seen her office develop a number of tools and procedures to ensure that privacy is strongly protected, not only in Canada, but around the world. She has been involved in numerous international committees focused on privacy, security, technology and business, and endeavours to focus on strengthening consumer confidence and trust in emerging technology applications.

Dr. Cavoukian serves as the Chair of the Identity, Privacy and Security Institute at the University of Toronto, Canada. She is also a member of several Boards including, the European Biometrics Forum, Future of Privacy Forum, RIM Council, and has been conferred a Distinguished Fellow of the Ponemon Institute. Dr. Cavoukian was honoured with the prestigious Kristian Beckman Award in 2011 for her pioneering work on Privacy by Design and privacy protection in modern international environments. In the same year, Dr. Cavoukian was also named by Intelligent Utility Magazine as one of the Top 11 Movers and Shakers for the Global Smart Grid industry, received the SC Canada Privacy Professional of the Year Award and was honoured by the University of Alberta Information Access and Protection of Privacy Program for her positive contribution to the field of privacy. Most recently in November 2011, Dr. Cavoukian was ranked by Women of Influence Inc. as one of the top 25 Women of Influence recognizing her contribution to the Canadian and global economy. This award follows her recognition in 2007 by the Women’s Executive Network as one of the Top 100 Most Powerful Women in Canada.

Notes

[1].Information and Privacy Commissioner/Ontario, Landmark Resolution passed to preserve the Future of Privacy, http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf
[2].For a discussion of how governments might employ an PbD approach to privacy regulation, see Commissioner Cavoukian’s White Paper, Privacy by Design in Law, Policy, and Practice available at:
http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095
[3].See the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.), http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html.
[4].Englander v. Telus Communications Inc., 2004 FCA 387, Locus Para. 38-46.

For more details visit https://cis-india.org/internet-governance/interview-with-anne-cavoukian

All India Privacy Symposium

praskrishna — 2012-02-27T11:08:32Z

Privacy India in partnership with the International Development Research Centre, Canada, Society in Action Group, Gurgaon, Privacy International, UK and Commonwealth Human Rights Initiative is organizing the All India Privacy Symposium at the India International Centre, New Delhi on Saturday, February 4, 2012.

Since June 2010, Privacy India has been engaging in discussions with policy makers, the public and sectoral experts about privacy in India. The discussions have ranged from topics of identity and privacy, to minority rights and privacy, and consumer privacy. The findings of our research show that privacy was a neglected area of study for India in the past, however, this is changing. Advancements in technology, the introduction of e-governance initiatives like the National Fibre Optic Network, the introduction of new legislations, and debates surrounding national security, have brought privacy debates to the forefront in India. Although currently sectoral legislation deals with privacy issues, e.g., the Telegraph Act or RBI guidelines for banking, India has just begun to consider a horizontal legislation that deals comprehensively with privacy across all contexts. This conference is an opportunity to look forward to what could be the future scope of privacy in India.

Privacy India was set up in collaboration with the Centre for Internet and Society, Bangalore and Society in Action Group, Gurgaon, under the auspices of an international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries. For more info, visit its website.

This is a public meeting. For participation in the event, get in touch with Elonnai (elonnai@cis-india.org)

Symposium Advisors

Sunil Abraham, Centre for Internet &Society (www.cis-india.org)
Rajan Gandhi, Society in Action Group
Phet Sayo, IDRC (www.idrc.org)
Gus Hosein, Privacy International (www.privacyinternational.org)
Sudhir Krishnaswamy, Centre for Law and Policy Research, Bangalore (www.clpr.org.in)
Vickram Crishna, Privacy International (www.privacyinternational.org)

Agenda

09:30- 10:00	Registration
10:00- 10:15	Welcome & Introduction to Privacy India Elonnai Hickok (Policy Advocate, Privacy India)
10:15- 10:30	Tea Break
10:30- 11:30	Panel I: Privacy and Transparency Moderator: Sunil Abraham (Executive Director, Centre for Internet & Society) Panelists: Prashant Bhushan (Senior Advocate, New Delhi), Simon Davies (Director General, Privacy International, UK), Ponnurangam K (Assistant Prof, IIIT New Delhi), Chitra Ahanthem (Journalist, Imphal), Aruna Roy (Social & Political Activist), Deepak Maheshwari (Director Corporate Affairs, Microsoft) Poster:Srishti Goyal (Law Student)
11:30- 12:30	Panel II: Privacy and E-Governance Initiatives Moderator: Sudhir Krishnaswamy (Professor, Azim Premji University) Panelists: Anant Maringanti (Independent Social Researcher), Usha Ramanathan (Advocate&Social Activist), Ram Sewak Sharma (Director General, UIDAI), Gus Hosein (Executive Director, Privacy International, UK), R K Singh (Union Home Secretary, New Delhi), Apar Gupta (Advocate, Supreme Court of India) Poster: Adrija Das (Law Student)
12:30- 13:30	Lunch
13:30- 14:30	Panel III: Privacy and National Security Moderator: Justice A P Shah (Former Chief Justice, Delhi High Court)* Panelists: Menaka Guruswamy (Advocate, Supreme Court, New Delhi), Amol Sharma (Journalist, Wall Street Journal)*, Saikat Datta (Journalist, DNA), Eric King (Human Rights and Technology Advisor, Privacy International, UK), Prasanth Sugathan (Legal Counsel, Software Freedom Law Center) and Oxblood Ruffin (Cult of the Dead Cow Security and Publishing Collective) Poster: Suchithra Menon (Law Student)
14:30- 15:30	Panel IV: Privacy and Banking Moderator: Prashant Iyengar (Associate Professor, Jindal Law University) Panelists: M R Umarji (Chief Legal Advisor, IBA), N A Vijayashankar (Cyber Law Expert), Sucheta Dalal (Managing Editor, MoneyLife Magazine)*, Malavika Jayaram (Advocate, Bangalore) Poster: Malavika Chandu (Law Student)
15:30- 15:45	Tea Break
15:45- 16:45	Panel V: Privacy and Health Moderator: Ashok Row Kavi (Journalist & LGBT Activist) Panelists: K K Abraham (President, Indian Network for People with HIV), Shri Sayan Chatterjee (Secretary, National Aids Control Organization), Dr V M Katoch (Secretary, Department of Health Research), Dr B S Bedi (Advisor, CDAC & Media Lab Asia) Poster: Danish Sheikh (Alternative Law Forum)
16:45- 17:00	The Way Forward Elonnai Hickok (Policy Advocate, Privacy India)

Bios of Speakers

Usha Ramanathan

Usha Ramanathan is an internationally recognized expert on the jurisprudence of law, poverty and rights. She writes and speaks on leading issues like the Bhopal gas leak tragedy, mass displacement, civil liberties, criminal law, environment and the judicial process. She is involved in the UID project and has written and debated extensively on it. She is a member of Amnesty International's Advisory Panel on Economic, Social and Cultural Rights and has been called upon by the World Health Organisation as a expert on mental health on various occasions. Her writings can be found at http://www.ielrc.org/.

NA.Vijayashankar

NA.Vijayashankar, more popularly known as Naavi, is a Techno Legal Information Security Consultant based in Bangalore, India. Naavi is a pioneer in the field of Cyber Law in India. He is the author of the first book (1999) and first E-Book (2003) on Cyber Laws in India. He has also authored a book titled “Cyber Laws, Corporate Mantra for the Digital Era”, “Cyber Laws Demystified” and “Cyber Laws for Engineers” as well as a book on Cyber Crimes in Kannada.

Naavi is the founder of www.cyberlawcollege.com which is the pioneering virtual educational institution in India dedicated to Cyber Law Education. Cyber Law College presently conducts offline and virtual courses on Cyber Laws. It has conducted several courses in association with law colleges in Karnataka such as KLE Law College, Bangalore, JSS Law College, Mysore, SDM law college Mangalore and KLE Law College Hubli.

Naavi is also the founder of www.naavi.org the premier Cyber Law Portal in India. Naavi has been engaged in the training of Police in Tamil Nadu and Karnataka and conducts several courses in Cyber Laws for different audiences. He has been a guest faculty in a number of institutions including NPA, IDRBT, DTRI, ISACA, NADT, LBS National Academy, Judicial Academies, NALSAR, etc., as well as several law, engineering and management institutions.

Naavi has over three decades of senior Corporate executive experience behind him. He has been an ex-Banker and Consultant to several Companies in IT Services. He has conducted hundreds of training sessions to professionals of various disciplines such as bankers, lawyers, chartered accountants, engineers, software professionals, police and judicial officers through workshops and in-house training programmes in cyber laws, cyber crimes, information security and related areas.

Chitra Ahanthem

Chitra Ahanthem is a features writer with Imphal Free Press, published in Imphal, Manipur. She is also a freelance writer and researcher on issues around HIV/AIDS, child rights, conflict and gender.

Baljit Singh Bedi

Baljit Singh Bedi did his B.Tech and M.Tech. from Indian Institute of Technology (IIT), Delhi. After serving for five years in the Centre for Applied Research in Electronics (CARE) IIT, Delhi he joined the Department of Information Technology (DIT), Ministry of Communication & IT (MCIT), Government of India. The major responsibilities and contributions over the years cover conceptualizing, evolving and implementation of a number of major schemes/programmes and projects in the field of electronics and IT applications with primary role in healthcare. He was instrumental in starting an integrated programme in promoting the area of Electronics, IT and Electronic Medical Records (EMR) Standards in Healthcare in India. As the head of Medical Electronics & Telemedicine division, he was looking after the activity of promotion of e-health & tele–health technology and R&D in medical electronics and launched a number of schemes in India. He was part of the National Task Force Telemedicine in India set up by the Ministry of Health & Family Welfare (MoH&FW), Government of India and headed the Group on Standards. He was a Member of National Knowledge Commission’s Working Group on India-Health Information Network Development (I-HIND) and is part of the Advisory Group for follow-up implementation program under the consideration of MoH&FW. He is actively involved in policy, development and deployment programmes of IT in Health initiatives of DIT, MoH&FW, and Media Lab Asia. He is a member of the National Committee set up by MoH&FW for EMR Standardization and Heading its Task Group on Interoperability. He is also International Telecommunication Union (ITU) Expert for e-Health Standardization. He is Executive Member of Indian Association of Medical Informatics (IAMI) and President, Telemedicine Society of India (TSI). At present, he is an Adviser to the Centre for Development of Advanced Computing (CDAC), Scientific Society of MCIT, Government of India.

Deepak Maheshwari

Deepak Maheshwari is Director – Corporate Affairs with Microsoft in India and responsible for interactions with the policymakers & regulators as well as with industry associations & the civil society organizations. An active participant and a keen observer of the interplay between technological innovation and socio-economic development, he has been closely associated with development & evolution of Information & Communication Technology policy, law & regulation for more than a decade and is often invited as a speaker and a contributor of articles & opinions in the media.

He has been active in several trade associations and served as committee chair & co-chair. He served for two consecutive terms as the elected secretary in the ISP Association of India and co-founded National Internet eXchange of India (NIXI) as well as the ITU-APT Foundation of India. He is also a member on the academic board of the IIM Ahmedabad- IDEA Telecom Centre of Excellence.

At times mistaken as a lawyer, he was actually awarded degree in engineering by one of India’s leading technical institute IT-BHU. His professional experience of more than 2 decades spans functional responsibilities across sales, marketing, operations and last but not the least, corporate affairs.

*Participants to be confirmed

Download the poster here
Download the agenda here (PDF, 755 KB)

VIDEOS

For more details visit https://cis-india.org/internet-governance/privacy-symposium

Comment by CIS at ACE on Presentation on French Charter on the Fight against Cyber-Counterfeiting

pranesh — 2011-12-01T11:59:45Z

The seventh session of the World Intellectual Property Organization's Advisory Committee on Enforcement is being held in Geneva on November 30 and December 1, 2011. Pranesh Prakash responded to a presentation by Prof. Pierre Sirinelli of the École de droit de la Sorbonne, Université Paris 1 on 'The French Charter on the Fight against Cyber-Counterfeiting of December 16, 2009' with this comment.

Thank you, Chair. I speak on behalf of the Centre for Internet and Society. First, I would like to congratulate you on your re-election.

And I would like to congratulate Prof. Sirenelli on his excellent presentation.

I would like to flag a few points, though:

One of the benefits of normal laws, as opposed to the soft/plastic laws, which he champions, is that normal laws are bound by procedures established by law, due process requirements, and principles of natural justice. Unfortunately, the soft/plastic laws, which in essence are private agreements, are not.
The report of the UN Special Rapporteur on the Freedom of Expression and Opinion made it clear in his report to the UN Human Rights Council that the Internet is now an intergral part of citizens exercising their right of freedom of speech under national constitutions and under the Universal Declaration of Human Rights. That report highlights that many initiatives on copyright infringement, including that of the French government with HADOPI and the UK, actually contravene the Universal Declaration of Human Rights
The right of privacy is also flagged by many as something that will have to be compromised if such private enforcement of copyright is encouraged.

I'd like to know Prof. Sirinelli's views on these three issues: due process, right of freedom of speech, and the right to privacy.

For more details visit https://cis-india.org/a2k/blogs/ace-7-french-charter-cis-comment

Centre for Internet and Society

Do we need the Aadhar scheme?

Google move is not good for netizens, say experts

Google’s privacy policy raises hackles

Privacy Matters — Analyzing the Right to "Privacy Bill"

Welcome

Keynote Address

Session I: Privacy and the Legal System

Privacy and the Constitutional Law

Session II: Privacy and Freedom of Expression

Sexual Minorities and Privacy

Session III: Privacy and National Security

Privacy and UID

Conclusion

Google to change privacy policy to use personal info of users

Whose Data is it Anyway?

Speakers

Keeping it Private

NGO questions people's privacy in UID scheme

Constitution of Group of Experts to Deliberate on Privacy Issues

Indecent Proposals

Caught in the Web

Privacy Matters — Analyzing the "Right to Privacy Bill"

Agenda

Session I

Session II

Session III

Organizers

Partners

Speakers

An Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada

Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada

All India Privacy Symposium

Symposium Advisors

Agenda

Bios of Speakers

Usha Ramanathan

NA.Vijayashankar

Chitra Ahanthem

Baljit Singh Bedi

Deepak Maheshwari

Comment by CIS at ACE on Presentation on French Charter on the Fight against Cyber-Counterfeiting