Centre for Internet and Society

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

India's Central Monitoring System (CMS): Something to Worry About?

maria — 2014-02-22T13:50:37Z

In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!

The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as a project run by the Centre for Communication Security Research and Monitoring (CCSRM), along with the Telecom Testing and Security Certification (TTSC) project.

The Central Monitoring System (CMS), which was largely covered by the media in 2013, was actually approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, government funding of the CMS has reached at least Rs. 450 crore (around $72 million).

In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, clause 41.10 of the Unified Access Services (UAS) License Agreement was amended in June 2013. In particular, the amended clause includes the following:

“But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”

Furthermore, draft Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. Call Data Records, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.

Other than this draft Rule and the amendment to clause 41.10 of the UAS License Agreement, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph Act, 1885, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:

the interests of the sovereignty and integrity of India
the security of the State
friendly relations with foreign states
public order
for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.

So how does the Central Monitoring System (CMS) actually work?

We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized access to the country's telecommunications network. The question, though, is how.

Well, prior to the CMS, all service providers in India were required to have Lawful Interception Systems installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.

In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that the authority can also bypass service providers in gaining such access. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.

The above is illustrated in the following chart:

The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, 70 ISF servers have been purchased for six License Service Areas and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.

The Centre for Development of Telematics plans to integrate ISF servers which connect with the CMS in the premises of service providers in the following regions:

Delhi
Maharashtra
Kolkata
Uttar Pradesh (West)
Andhra Pradesh
Uttar Pradesh (East)
Kerala
Gujarat
Madhya Pradesh
Punjab
Haryana

With regards to the UAS License Agreement that TSPs are required to comply with, amended clause 41.10 specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a Memorandum of Understanding (MoU) for MPLS connectivity has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, Rs. 4.8 crore have been given to BSNL for interconnecting 81 CMS locations of the following License Service Areas:

Delhi
Mumbai
Haryana
Rajasthan
Kolkata
Karnataka
Chennai
Punjab

Clause 41.10 of the UAS License Agreement also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor at least 30 simultaneous calls for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:

Called/calling party mobile/PSTN numbers
Time/date and duration of interception
Location of target subscribers (Cell ID & GPS)
Data records for failed call attempts
CDR (Call Data Records) of Roaming Subscriber
Forwarded telephone numbers by target subscriber

Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, 80% of the CMS Physical Data Centre has been built so far.

In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. Training has been imparted to the following law enforcement agencies:

Intelligence Bureau (IB)
Central Bureau of Investigation (CBI)
Directorate of Revenue Intelligence (DRI)
Research & Analysis Wing (RAW)
National Investigation Agency (NIA)
Delhi Police

And should we even be worried about the Central Monitoring System?

Well, according to the brief material for the Honourable MOC and IT Press Briefing on 16th July 2013, we should not be worried about the Central Monitoring System. Over the last year, media reports have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However, Indian authorities have argued that the Central Monitoring System will better protect the privacy of individuals and maintain their security due to the following reasons:

The CMS will just automate the existing process of interception and monitoring, and all the existing safeguards will continue to exist
The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A
The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted
The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data
A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard

While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.

The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will “just” be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the Information Technology (Amendment) Act, 2008, and the Indian Telegraph Act, 1885, potentially infringe upon individual's right to privacy and other human rights.

May I remind you of Section 69 of the Information Technology (Amendment) Act, 2008, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an ambiguous matter. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”

The second argument appears inadequate too. Section 5(2) of the Indian Telegraph Act, 1885, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates targeted surveillance, while the Central Monitoring System could potentially undertake mass surveillance. Since the process of interception is automated and, under clause 41.16 of the Unified License (Access Services) Agreement, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.

As for the third argument, it is not clear how bypassing the nodal officers of TSPs will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?

While the fourth argument makes a point about differentiating the provisioning and requesting entities with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.

Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What's concerning is that metadata can potentially be more useful for tracking individuals than content data, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.

The final argument appears to provide some promise, since the maintenance of a command log of all provisioning activities could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.

In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it protects individuals from abuse by those in power and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.

If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.

After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.

How can we not be worried about the Central Monitoring System?

The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.

For more details visit https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about

UAS License Agreement Amendment regarding the Central Monitoring System (CMS)

maria — 2014-01-30T12:43:56Z

For more details visit https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment

New Document on India's Central Monitoring System (CMS) - 2

maria — 2014-01-30T12:40:31Z

For more details visit https://cis-india.org/internet-governance/blog/new-cms-doc-2

Surveillance and the Indian Constitution - Part 2: Gobind and the Compelling State Interest Test

pranesh — 2014-01-27T18:03:38Z

Gautam Bhatia analyses the first case in which the Supreme Court recognized a constitutional right to privacy, Gobind v. State of Madhya Pradesh, and argues that the holding in that case adopted the three-pronged American test of strict scrutiny, compelling State interest, and narrow tailoring in its approach to privacy violations.

After its judgment in Kharak Singh, the Court was not concerned with the privacy question for a while. The next case that dealt – peripherally – with the issue came eleven years later. In R.M. Malkani v State of Maharashtra, the Court held that attaching a recording device to a person’s telephone did not violate S. 25 of the Telegraph Act, because

"where a person talking on the telephone allows another person to record it or to hear it, it can-not be said that the other person who is allowed to do so is damaging, removing, tampering, touching machinery battery line or post for intercepting or acquainting himself with the contents of any message. There was no element of coercion or compulsion in attaching the tape recorder to the telephone."

Although this case was primarily about the admissibility of evidence, the Court also took time out to consider – and reject – a privacy-based Article 21 argument, holding that:

"Article 21 was invoked by submitting that the privacy of the appellant’s conversation was invaded. Article 21 contemplates procedure established by law with regard to deprivation of life or personal liberty. The telephonic conversation of an innocent citizen will be protected by Courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants. It must not be understood that the Courts will tolerate safeguards for the protection of the citizen to be imperiled by permitting the police to proceed by unlawful or irregular methods."

Apart from the fact that it joined Kharak Singh in refusing to expressly find a privacy right within the contours of Article 21, there is something else that unites Kharak Singh and R.M. Malkani: they hypothetical in Kharak Singh became a reality in Malkani – what saved the telephone tapping precisely because it was directed at "… a guilty person", with the Court specifically holding that the laws were not for targeting innocent people. Once again, then, the targeted and specific nature of interception became a crucial – and in this case, a decisive – factor. One year later, in another search and seizure case, Pooran Mal v Inspector, the Court cited M.P. Sharma and stuck to its guns, refusing to incorporate the Fourth Amendment into Indian Constitutional law.

It is Gobind v State of MP, decided in 1975, that marks the watershed moment for Indian privacy law in the Constitution. Like Kharak Singh, Gobind also involved domiciliary visits to the house of a history-sheeter. Unlike Kharak Singh, however, in Gobind the Court found that the Regulations did have statutory backing – S. 46(2)(c) of the Police Act, which allowed State Government to make notifications giving effect to the provisions of the Act, one of which was the prevention of commission of offences. The surveillance provisions in the impugned regulations, according to the Court, were indeed for the purpose of preventing offences, since they were specifically aimed at repeat offenders. To that extent, then, the Court found that there existed a valid “law” for the purposes of Articles 19 and 21.

By this time, of course, American constitutional law had moved forward significantly from eleven years ago, when Kharak Singh had been decided. The Court was able to invoke Griswold v Connecticut and Roe v Wade, both of which had found a "privacy" as an "interstitial" or "penumbral" right in the American Constitution – that is, not reducible to any one provision, but implicit in a number of separate provisions taken together. The Court ran together a number of American authorities, referred to Locke and Kant, to dignity, to liberty and to autonomy, and ended by holding, somewhat confusingly:

“the right to privacy must encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing. This catalogue approach to the question is obviously not as instructive as it does not give analytical picture of that distinctive characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as unifying principle underlying the concept has been the assertion that a claimed right must be a fundamental right implicit in the concept of ordered liberty… there are two possible theories for protecting privacy of home. The first is that activities in the home harm others only to the extent that they cause offence resulting from the mere thought that individuals might he engaging in such activities and that such ‘harm’ is not Constitutionally protective by the state. The second is that individuals need a place of sanctuary where they can be free from societal control. The importance of such a sanctuary is that individuals can drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves, an image that may reflect the values of their peers rather than the realities of their natures… the right to privacy in any event will necessarily have to go through a process of case-by-case development."

But if no clear principle emerges out of the Court’s elucidation of the right, it was fairly unambiguous in stressing the importance of the right itself. Interestingly, it grounded the right within the context of the freedom struggle. "Our founding fathers," it observed, "were thoroughly opposed to a Police Raj even as our history of the struggle for freedom has borne eloquent testimony to it." (Para 30) The parallels to the American Fourth Amendment are striking here: in his historical analysis Akhil Amar tells us that the Fourth Amendment was meant precisely to avoid the various abuses of unreasonable searches and seizures that were common in England at the time.

The parallels with the United States become even more pronounced, however, when the Court examined the grounds for limiting the right to privacy. "Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, that fundamental right must be subject to restriction on the basis of compelling public interest." "Compelling public interest" is an interesting phrase, for two reasons. First, “public interest” is a ground for fundamental rights restrictions under Article 19 (see, e.g., Article 19(6)), but the text of the Article 19 restrictions do not use – and the Court, in interpreting them, has not held – that the public interest must be “compelling”. This suggests a stricter standard of review for an Article 21 privacy right violation than Article 19 violations. This is buttressed by the fact that in the same paragraph, the Court ended by observing: “even if it be assumed that Article 19(5) [restrictions upon the freedom of movement] does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.” The Court echoes the language of 19(5), and adds the word “compelling”. This surely cannot be an oversight.

More importantly – the compelling State interest is an American test, used often in equal protection cases and cases of discrimination, where “suspect classes” (such as race) are at issue. Because of the importance of the right at issue, the compelling state interest test goes hand-in-hand with another test: narrow tailoring. Narrow tailoring places a burden upon the State to demonstrate that its restriction is tailored in a manner that infringes the right as narrowest manner that is possible to achieve its goals. The statement of the rule may be found in the American Supreme Court case of Grutter v Bollinger:

"Even in the limited circumstance when drawing racial distinctions is permissible to further a compelling state interest, government is still constrained under equal protection clause in how it may pursue that end: the means chosen to accomplish the government’s asserted purpose must be specifically and narrowly framed to accomplish that purpose."

To take an extremely trivial example that will illustrate the point: the State wants to ban hate speech against Dalits. It passes legislation that bans “all speech that disrespects Dalits.” This is not narrowly tailored, because while all hate speech against Dalits necessarily disrespects them, all speech that disrespects Dalits is not necessarily hate speech. It was possible for the government to pass legislation banning only hate speech against Dalits, one that would have infringed upon free speech more narrowly than the “disrespect law”, and still achieved its goals. The law is not narrowly tailored.

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring flip side of the compelling state interest coin. On the constitutionality of the Police Regulations itself, it upheld their constitutionality by reading them narrowly. Here is what the Court said:

“Regulation 855, in our view, empowers surveillance only of persons against whom reasonable materials exist to induce the opinion that they show a determination, to lead a life of crime – crime in this context being confined to such as involve public peace or security only and if they are dangerous security risks. Mere convictions in criminal cases where nothing gravely imperiling safety of society cannot be regarded as warranting surveillance under this Regulation. Similarly, domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security and not routine follow-up at the end of a conviction or release from prison or at the whim of a police officer.”

But Regulation 855 did not refer to the gravity of the crime at all. Thus, the Court was able to uphold its constitutionality only by narrowing its scope in a manner that the State’s objective of securing public safety was met in a way that minimally infringed the right to privacy.

Therefore, whether the Gobind bench was aware of it or not, its holding incorporates into Indian constitutional law and the right to privacy, not just the compelling State interest test, but narrow tailoring as well. The implications for the CMS are obvious. Because with narrow tailoring, the State must demonstrate that bulk surveillance of all individuals, whether guilty or innocent, suspected of crimes or not suspected of crimes (whether reasonably or otherwise), possessing a past criminal record or not, speaking to each other of breaking up the government or breaking up a relationship – every bit of data must be collected to achieve the goal of maintaining public security, and that nothing narrower will suffice. Can the State demonstrate this? I do not think it can, but at the very least, it should be made to do so in open Court.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-2

Surveillance and the Indian Constitution - Part 1: Foundations

pranesh — 2014-01-23T15:12:30Z

In this insightful seven-part series, Gautam Bhatia looks at surveillance and the right to privacy in India from a constitutional perspective, tracing its genealogy through Supreme Court case law and compares it with the law in the USA.

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

You can follow Gautam Bhatia on Twitter

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-1

Misuse of Surveillance Powers in India (Case 1)

pranesh — 2013-12-06T09:37:24Z

In this series of blog posts, Pranesh Prakash looks at a brief history of misuse of surveillance powers in India. He notes that the government's surveillance powers have been freqently misused, very often without any kind of judicial or political redressal. This, he argues, should lead us as concerned citizens to demand a scaling down of the government's surveillance powers and pass laws to put it place more robust oversight mechanisms.

Case 1: Unlawful Phone-tapping in Himachal Pradesh

In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.

On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371¹ phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.

Violations of the Law

While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34² cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.

Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.

While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.

Concluding Concerns

What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.

What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the PUCL judgment, were blatantly ignored.

What should concern us is that it took a change in government to actually uncover this sordid tale.

1385 according to a Hindustan Times report [1]: http://indiatoday.intoday.in/story/himachal-pradesh-police-registers-first-fir-in-phone-tapping-scandal/1/285698.html↩
A Zee News report states 34 while it’s 171 according to a Mail Today report ↩

For more details visit https://cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1

CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.

elonnai — 2013-11-30T07:25:18Z

The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights.

On November 26, 2013, the United Nations adopted a non-binding resolution on The Right to Privacy in the Digital Age. The resolution was drafted by Brazil and Germany and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to privacy extending equally to citizens and non-citizens of a country. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.

The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the Central Monitoring System, should take cognizance of, including in short:

Privacy is a human right: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.
Privacy is integral to the right to free expression: an integral component in recognizing the right to freedom of expression.
Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression.
Exceptions to privacy and freedom of expression should be in compliance with human rights law: Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law.
Mass surveillance may have negative implications for human rights: Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights.
Equal protection for online and offline privacy: The right to privacy must be equally protected online and offline.

The resolution further called upon states to:

Respect and protect the right to privacy, particularly in the context of digital communications.
To ensure that relevant legislation is in compliance with international human rights law
To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.
To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.

The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.

The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India to, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.

Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGO’s developed the Necessary and Proportionate principles that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A petition to sign onto the principles and demand an end to mass surveillance is currently underway.

Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.

For more details visit https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening

The Fight for Digital Sovereignty

sunil — 2013-10-25T07:29:22Z

It is time to incorporate free software principles to address the issue of privacy. Thanks to the revelations of Edward Snowden, a former contractor to the United States (US) National Security Agency (NSA) who leaked secrets about the agency’s surveillance programmes, a 24-year-old movement aimed at protecting the rights of software users and developers has got some fresh attention from policymakers.

The article was published in the Economic & Political Weekly, Vol-XLVIII No. 42, October 19, 2013

The free and open source software movement (often collectively labelled as FOSS or sometimes FLOSS, with the “l” standing for “libre”) guarantees four freedoms through a copyright licence – the freedom to use for any purpose, the freedom to study the code, the freedom to modify it and the freedom to distribute the modified code gratis or for a fee. Free software principles have permeated the world in the form of movements around open standards, open content, open access and open data. The second freedom is the most critical in an open society. Privacy, security and integrity are best achieved through the transparency guaranteed by free software rather than the opacity of proprietary software.

Free software is directly useful in deciding on the software required for your device operating system and applications. NSA’s surveillance programme covered operating system vendors like Microsoft and Apple, and application vendors like Skype. The concerns raised by such surveillance programmes are best addressed by shifting to free software. Increasingly, this is possible on mobile devices because of the availability of Android derivatives that keep Google’s nose out of your business and on other personal computing devices through GNU/Linux distributions such as Ubuntu. Ideally, this should be accomplished by a mandate for government and public infrastructure in specific areas where free software alternatives are on par with proprietary competitors. Two other policy options remain outside procurement policies for hardware – code escrow and independent audits. Firms that are willing to share code with the government should be preferred over those that do not, thereby encouraging proprietary software companies to provide for the second freedom in free software within a limited context. Code escrow could improve the quality of the independent audit.

Unfortunately, open hardware based on free software principles is still a fringe phenomenon in terms of market share. The Indian government cannot afford bans on foreign products, unlike the intelligence and military of Australia, the US, Britain, Canada and New Zealand, which recently prohibited the use of Lenovo machines in “secret” and “top secret” networks. Last October, the US government banned US telecos from using equipment from Huawei and ZTE. Both these bans are not based on any credible public evidence regarding back doors in any of the products manufactured by these Chinese companies. The Indian government, using funds like the Universal Service Obligation Fund, should support competitive research to reverse-engineer and analyse all foreign and indigenous hardware to ensure that there is no national security threat or infringement on the individual’s right to privacy. One example would be a research project to determine whether China-manufactured phones call home when they are used on Indian telecom networks.

Cloud and other online services run by corporations could also completely undermine privacy and security. This again can be partially addressed through the transparency enabled by free software and open standards. To begin with, the government must ban the use of Google, Yahoo, Hotmail, etc, for official purposes by those in public office, law enforcement and the military, while simultaneously mandating the use of cryptography for all sensitive material and communication. It should not, however, mandate the use of National Informatics Centre (NIC) infrastructure as it may be a single point of failure; instead, a variety of open-standards-compliant and free-software-based infrastructure for all public sector information communication technology (ICT) requirements should be encouraged. This procurement bias will result in the growth of domestic server administration and security competence, thus creating and contributing towards the establishment of a market for affordable privacy and security-enhanced services that ordinary citizens and private sector organisations can access.

The end objective through means such as free software, open hardware, code escrow and independent audits is sovereignty over software, hardware, cloud and network infrastructure. However, the state, the private sector, the consumer and the citizen may disagree on the details. Apart from law enforcement and national security concerns that may require targeted surveillance, there are other occasions when technological possibilities may have to be curtailed through policy to protect human rights and the public interest. For example, to implement the internationally accepted privacy principle of notice on electronic recording devices, some jurisdictions may require that video recorders display a blinking red light and that digital cameras make an audible click sound just like analog cameras. This was first initiated in South Korea to reduce the incidence of “upskirt photography”. This type of law may become more commonplace when technologies like Google Glass become more popular. In other words, absolute digital sovereignty may need to be curtailed in order to protect human rights in certain circumstances. But code could be used to resist regulation through law, thereby converting both the software and hardware layers of devices and networks into a battleground for sovereignty between the free software hacker and the state.

For more details visit https://cis-india.org/a2k/blogs/epw-vol-xlviii-42-october-19-2013-sunil-abraham-the-fight-for-digital-sovereignty

Privacy and Surveillance in India

praskrishna — 2013-09-13T09:49:25Z

Sunil Abraham, Executive Director from the Centre for Internet and Society will give a talk on privacy and surveillance in India at this event organised by the Centre for Culture, Media and Governance, Jamia Millia Islamia on September 18, 2013. The talk will be held at Network Governance Lab, CCMG, Jamia Millia Islamia in New Delhi at 11.30 a.m.

Click to read the brochure

Abstract

The talk will cover the development of privacy policy in India over the last 3 years, particularly in relation to projects such as NATGRID, CMS and UID. Special attention will be paid to the Justice A.P. Shah committee report, the last leak of the privacy bill from the DoPT and also the citizen draft of the privacy bill developed by the Centre for Internet and Society. International experiences such as Snowden's disclosures and the development of communication surveillance principles developed by EFF and others will be compared and contrasted with the Indian context.

About the Speaker

Sunil is the executive director of the Centre for Internet and Society (CIS), Bangalore. CIS is a 4 year old policy and academic research organisation that focuses on accessibility by the disabled, intellectual property rights policy reform, openness [Free/Open Source Software, Open Standards, Open Content, Open Access and Open Educational Resources], internet governance, telecom, digital natives and digital humanities.

He is also the founder of Mahiti, a social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. Sunil continues to serve on the board of Mahiti. He is an Ashoka fellow and was elected for a Sarai FLOSS Fellowship. For three years, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

Sunil currently serves on the advisory boards of Open Society Foundations - Information Programme, Mahiti, Samvada and International Centre for Free/Open Source Software.

For more details visit https://cis-india.org/news/jamia-millia-islamia-new-delhi-september-18-2013-privacy-and-surveillance-in-india

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit https://cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Indian government to bar politicians from using Gmail for official business

praskrishna — 2013-09-05T09:52:17Z

US-based email services seen as too risky.

This article by Neil McAllister was published in the Register on August 30, 2013. Sunil Abraham is quoted.

The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.

"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, told the Times of India. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."

The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the contact page for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.

Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the Times of India that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.

The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures has been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from United Nations headquarters in New York City.

No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory asserted that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.

But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®

For more details visit https://cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business

Dear Milind Deora, Prakash Javadekar Deserved The Truth

praskrishna — 2013-09-05T10:38:05Z

Milind Deora, the Minister of State for Communications, Information Technology and Shipping, isn’t your typical politician.

This article by Rohin Dharmakumar was published in Forbesindia Magazine on August 22, 2013. Sunil Abraham is quoted.

At just 36, he’s way younger than the average cabinet minister (64) or Member of Parliament (53). He’s also richer (Rs.17.5 crore compared to Rs.5.3 crore for the average M.P.)

He’s got his own website - www.milinddeora.in - which unlike most of his peer’s websites, is fairly well-designed and constantly updated. He’s also an avid user of social networks like Twitter (@milinddeora) and Facebook.

Oh, he’s also a Blues fan and a pretty good guitarist.

In short, he’s the kind of politician or minister many Indians would like to vote for.

And vote they do, in fact. Deora’s won the Mumbai (South) parliamentary constituency two times in a row, garnering nearly twice his next opponent’s votes during the 2009 elections.

Which is why it’s surprising, and saddening, to see Deora trot out a patently false set of answers to how America’s global dragnet of Internet surveillance is affecting the privacy of Indians.

On 16th August Deora responded to a question from Rajya Sabha M.P. and BJP Spokesperson Prakash Javadekar, asking the following:

(a) whether it is a fact that India was the fifth most tracked country by the United States intelligence, particularly on the internet;
(b) if so, the details thereof;
(c) the impact of USA”s surveillance program-Prism and Boundless Information on the country; and
(d) the steps Government intends to take to protect country”s interests and the privacy of its citizens?

Javadekar’s question was sorely needed in light of the near-daily disclosures being made about the scarily omnipresent extent to which the US Government spies on global Internet users through a myriad of ways.

India, as Javadekar rightly pointed out, was indeed the fifth most monitored country under the “Boundless Informant” data mining tool that tracks the NSA’s (the US’ lead communications spy agency) global surveillance efforts. In just March 2013 alone, according to a leaked presentation on the tool, the NSA collected 6.3 billion pieces of information from India. Suffice it to say, the information would have come from Indian citizens, businesses, ministries, bureaucrats and of course, members of Parliament (most of who now use webmail and social network from the likes of Google and Facebook).

The only countries that were spied upon more than us were Iran, Pakistan, Jordan and Egypt. Some sobering company, that!

One would thus expect Deora to be seized of the urgency and concern behind Javadekar’s questions. His answer was:

(a) & (b) In June 2013, Media reports have disclosed that India is the fifth largest target of United States electronic surveillance programmes, in terms of interception of communications on fibre cables and other infrastructure. As per media reports, United States agencies used a number of methods to gather intelligence including intercepting communication on fibre cables and infrastructure, collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL,Youtube, Paltalk and Skype.

Here we have a member of Parliament asks India’s Minister for Communications & IT about the extent to which Indian citizens and businesses are being spied upon by the US – ostensibly a friendly country – and all the Minister could do was cite newspaper reports?

What about your own investigations Mr.Minister? What is the opinion of your leading spy agencies like the NTRO, R&AW and IB? Are they also relying on newspaper reports?

But wait, Deora does go on to provide a few more answers:

(c) & (d) Government has expressed concerns over reported United States monitoring of internet traffic from India. Concerns with regard to violation of any Indian laws relating to privacy of information of ordinary Indian citizen as well as intrusive data capture deployed against Indian citizens or government infrastructure have been conveyed to the United States. The issue of United States Cyber surveillance activities was discussed during the Indo-US (India United States ) strategic dialogue meeting held in New Delhi on 24.06.2013.

Whew. That was reassuring. We expressed “concerns with regard to violation of any Indian laws relating to privacy of information” to the US during a “strategic dialogue meeting”.

Let me guess what the US side responded: “Sure. We’ll do that. Come back to us when you have a privacy law. Ha ha!”

As Sunil Abraham, the director for the Center for Internet & Society points out in Forbes India, India has no modern and comprehensive privacy law. And the government is working on a new one for only the last three years:

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

Which brings me to the final part of Deora’s response to Javadekar:

United States official responded that PRISM dealt only with Meta Data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored. United States Officials maintained that data content/content of emails are not accessed or not monitored under these surveillance programmes; therefore, it is not a violation of privacy. It was stated by United States that its agencies need to get separate authorization from Foreign Intelligence Surveillance Act (FISA) court, if they want to access the content of any of the data intercepted by these surveillance programmes.

Dear Mr.Minister, either you have been lied to by your friendly “United States Official”, or, well…

Firstly, by limiting the answer to only PRISM, which happens to be just one of the NSA’s secret tools for online surveillance, you are willfully or inadvertently narrowing down Javadekar’s question which specifically mentions other tools like Boundless Informant.

Almost all of the big Internet companies revealed to be part of the NSA’s global spying mechanism have also used the same tactic to tailor their denials. I suppose they got the cue from the NSA, which loves using the “Under This Program” dodge to derail specific questions about its secret programs, according to the Electronic Frontier Foundation:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

In case you weren’t aware of the NSA’s obfuscation tactics Mr.Minister, here is another great piece on it from the Slate – “How to Decode the True Meaning of What NSA Officials Say”

Thus when your friendly US official tells you that “only meta data (related to the direction and the flow of the traffic) and only broad patterns of telephony and internet traffic are monitored” under PRISM, not “data content/content of emails”, he or she is technically right.

Because the NSA has other programs that capture all of that. For instance, XKeyscore, which according to leaked presentations, it can capture “nearly everything a typical user does on the internet”. This includes emails, visits to websites, web searches and Facebook chats & private messages.

Did you also know, Mr. Minister, that the XKeyscore surveillance program has servers located inside India?

Finally, you make a statement that is patently false. You say that US spy agencies need authorizations from the secret Foreign Intelligence Surveillance Courts (FISC) in order to access the data collected by various surveillance programs.

FISA courts almost always approve any request made to them (they apparently rejected just 11 requests out of 33,900 made by the US government in the last 33 years), so that’s that for oversight.

And in the NSA’s Orwellian world of doublespeak, large scale interception and storage of Internet communications isn’t considered “collected” till such time one of their agents has had a chance to look at it. Which means if you’re reading this post – the NSA’s secret servers over the world and in India can coolly capture that and store it in vast databases for posterity – without it ever registering as a “collection” or requiring any approval from FISA courts.

Fact is, Mr.Minister, we “foreigners” (unless you belong to one of the four other countries that are part of the “Five Eyes” alliance, in which case you’ll be treated with a wee bit more caution) , that is, us, are fair game:

The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.

The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.

We expected better answers from you Mr.Minister – sorry, expect better.

Alas your recent answers don’t inspire much trust, for instance when you tell us constant surveillance is “good for us” and “will enhance the privacy of citizens”.

Or when you tell us that “Google Hangouts” – a service provided by a company that looms over nearly everything Indians do online – is a better medium to reach out to people than Parliament or Television.

We deserve the truth from you Mr.Minister. Just like Prakash Javadekar.

For more details visit https://cis-india.org/news/forbesindia-august-22-2013-rohin-dharmakumar-dear-milind-deora-prakash-javadekar-deserved-the-truth

Surveillance: Privacy Vs Security

praskrishna — 2013-08-19T05:32:55Z

The Foundation for Media Professionals is organizing a debate at the India International Centre, New Delhi on August 17, 2013. Shri Kapil Sibal will give the opening speech. Natgrid chief Raghu Raman is one of the debaters. Pranesh Prakash is participating in this event as a panelist.

This was published by the Foundation for Media Professionals on their website. Also read the blog post by Vivian Fernandes and Ninglun Hanghal.

In the backdrop of the recent disclosures by US defense contractor Edward Snowden about the activity of the National Security Agency (NSA) and reports that NSA may have collaborated with India on surveillance program in the country that have raised concerns about privacy and right of citizens, Foundation for Media Professionals (FMP) in partnership with Friedrich Ebert Stiftung (FES) invited Pranesh Prakash to a panel discussion on "Surveillance: Privacy vs. Security".

Guest Speaker
Kapil Sibal, Union Minister for Communications and Information Technology, Govt. of India

Panelists

Pranesh Prakash, Policy Director, Centre for Internet and Society

Dr. Usha Ramanathan, Independent Law Researcher
Saikat Datta, Resident Editor, DNA
Capt. Raghu Raman, National Intelligence Grid (Natgrid)

Moderator

Paranjoy Guha Thakurta

For more details visit https://cis-india.org/news/foundation-for-media-professionals-august-17-2013-surveillance-privacy-v-security