Centre for Internet and Society

A Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:32:08Z

In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.

**Draft 2007 DNA Profiling Bill vs. Draft 2012 Human DNA Profiling Bill**

1. Composition of the DNA Profiling Board

Amendment: The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.

Analysis: The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.

DNA 2007 Bill (Section 4): “The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”

DNA April 2012 Bill (Section 4):“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member (g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary”

2. Powers and functions of the Chief Executive Officer

Amendment: Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.

Analysis: The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.

DNA 2007 Bill (Section 11):“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”
DNA April 2012 Bill (Section 10): “(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”

3. Functions of the Board

Amendment: The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.

Analysis: This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.

DNA 2007 Bill (Section 13(x)): The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by law enforcement agencies;”

DNA April 2012 Bill (Section 12(j)): The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”

4. Regional DNA Data Banks

Amendment: Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.

Analysis: This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.

DNA 2007 Bill (Section 33(1)): “The Central Government shall, by a notification published in the Gazette of India, establish a National DNA Data Bank.”
DNA April 2012 Bill (Section 32(1)): “The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.

5. Data sharing

Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.

This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.

DNA 2007 Bill (Section 33(2)): “A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”
DNA April 2012 Bill (Section 32(2)):“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”

6. Data retention

Amendment: Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.

Analysis: This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.

DNA 2007 Bill (Section 33(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different laboratories in the format as may be specified by regulations.”
DNA April 2012 Bill (Section 32(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”

7. Data Bank Manager

Amendment: Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.

Analysis: All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

DNA 2012 Bill (Section 33):“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”

8. Communication of DNA profiles to foreign agencies

Amendment: The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.

Analysis: The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.

DNA 2007 Bill (Sections 35(2,3)): “(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”
DNA April 2012 Bill (Section 36(1)): “On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”

9. Data destruction

Amendment: Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.

Analysis: This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.

DNA 2007 Bill (Section 37): “The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”
DNA April 2012 Bill (Section 37):“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”

10. Use of DNA profiles and DNA samples and records

Amendment: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.

Analysis: The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify who can be authorised to use DNA data under such conditions, which raises further concerns.

DNA 2007 Bill (Section 39): “(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified offence: Provided that such records or samples may be used to identify victims of accidents, disasters or missing persons or for such other purposes. (2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information which may be used to determine the identity of any person.”
DNA April 2012 Bill (Section 39): “All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”

11. Availability of DNA profiles and DNA samples

Amendment: Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.

Analysis: ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.

DNA 2007 Bill (Section 40):“The information on DNA profiles, samples and DNA identification records shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal case; (ii) in judicial proceedings, in accordance with the rules of admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and protocol development, or for quality control provided that it does not contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”
DNA April 2012 Bill (Section 40):“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”

12. Restriction on access to information in DNA Data Banks

Amendment: Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.

Analysis: This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.

DNA April 2012 Bill (Section 43): “Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”

13. Board exemption from tax on wealth and income, profits and gains

Amendment: Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.

Analysis: Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.

DNA 2007 Bill (Section 53):“(1) The DNA Profiling Board shall furnish to the Central Government at such time and in such form and manner as may be specified by rules or as the Central Government may direct, such returns and statements as the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling Board shall, within ninety days after the end of each financial year, submit to the Central Government a report in such form, as may be prescribed, giving a true and full account of its activities, policy and programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”
DNA April 2012 Bill (Section 62): “Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications

elonnai — 2013-07-12T15:40:51Z

This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: http://necessaryandproportionate.net/

The Principles:

1. Principle - Legality: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Indian Legislation: In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.

The Indian Telegraph Act, 1885

The Indian Telegraph Amendment Rules 2007: These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.
License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL): This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
License Agreement for Provision of Internet Services: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.
The Information Technology Act, 2000
- Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009: These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.
- Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009: These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.

2. Principle - Legitimate Purpose: Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.

Indian Legislation: In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.

Below are the circumstances for which access is allowed by each Act, Rule, and License:

The TA Rules 2007: Interception is allowed in the following circumstances:

On the occurrence of any public emergency

In the interest of the public safety

In the interests of the sovereignty and integrity of India

The security of the state

Friendly relations with foreign states

Public order

Preventing incitement to the commission of an offence

ITA Interception and Monitoring Rules: Interception, monitoring, and decryption of communications is allowed in the following circumstances:

In the interest of the sovereignty or integrity of India,
Defense of India
Security of the state
Friendly relations with foreign states
Public order
Preventing incitement to the commission of any cognizable offence relating to the above
For investigation of any offence

ITA Monitoring of Traffic Data Rules: Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:

Forecasting of imminent cyber incidents
Monitoring network application with traffic data or information on computer resources
Identification and determination of viruses or computer contaminant
Tracking cyber security breaches or cyber security incidents
Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants
Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.
Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.
Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.
Any other matter relating to cyber security.

UASL License: Assistance must be provided to the government for the following reasons and times:

Reasons defined in the Telegraph Act. (Section 41.20 (xix))
National Security. (Section 41.20 (xvii))
To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)
Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. (Section 40.4)
In the interests of security. (Section 41.7)
For security reasons. (Section 41.20 (iii))

ISP License: Assistance must be provided to the government for the following reasons and times:

To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 34.1)
In the interests of security. (Section 34.4)
For security reasons. (Section 34.28 (iii))
Reasons defined in the Telegraph Act. (Section 35.2)

3. Principle - Necessity: Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.

Indian Legislation: Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.

Below are summaries of the relevant provisions:

TA Rules 2007: Any order for interception issued by the competent authority must contain reasons for the direction (Section 2). While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means (Section 3).
ITA Interception and Monitoring Rules: Any direction issued by the competent authority must contain reasons for such direction (Section 7). The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means (Section 8).
ITA Traffic Monitoring Rules: Any direction issued by the competent authority must contain reasons for the direction (Section 3(3)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

4. Principle - Adequacy: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.

Indian Legislation: In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.

5. Principle - Competent Authority: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.

Indian Legislation: In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.

Below are summaries of relevant provisions:

The TA Rules 2007: Under the Telegraph Act the authorizing authorities are:

The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level
The Secretary to the State Government in charge of the Home Department in the case of the State Government.
In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.
In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. (Section 1(2)).
ITA Interception and Monitoring Rules: Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
- The Secretary in the Ministry of Home Affairs in case of the Central Government.
- The Secretary in charge of the Home Department, in case of a State Government or Union Territory.
- In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority.
- In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. (Section 3).
ITA Monitoring and Collecting Traffic Data Rules: Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
- The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. (Section 2(d)).
- An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. (Section 9 (2)).
UASL & ISP License: As laid out in the Telegraph Act and subsequent Rules.

6. Principle - Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should at a minimum establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.

Indian Legislation: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA Safeguards for Monitoring and Collecting Traffic Data or Information Rules.

Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.

Below is a summary of the relevant provisions:

TA Rules 2007:

Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. (Section 19).
Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. (Section 3).
The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. (Section 4).
The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 6).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 7).
- The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. (Section 8).
- The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. (Section 9).
- The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. (Section 10).
ITA Traffic and Monitoring Rules:
- Any direction issued by the competent authority must contain reasons for such direction. (Section 3(3)).
- Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. (Section 8).

7. Principle - Due process: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)

Indian Legislation: In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.

TA Rules 2007:

All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Interception and Monitoring Rules:
- All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs.
ITA Monitoring of Traffic Rules:
- The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.

8. Principle - User notification: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.

Indian Legislation: In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.

9. Principle - Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.

Indian Legislation: In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.

10. Principle - Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)

Indian Legislation: In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007:

A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. (Section 17). Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. (Section 2).
ITA Interception and Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 22).
ITA Traffic Monitoring Rules:
- Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. (Section 7).

11. Principles - Integrity of communications and systems: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.

Indian Legislation: In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.

Relevant provisions are summarized below:

TA Rules 2007: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. (Section 20, 20A 21, 23).

ITA Interception and Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 20).

ITA Traffic Monitoring Rules: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. (Section 5&6).

UASL License: The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. (Section 39.1, Section 39.2, Section 41.4).

ISP License: The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. (Section 32.1) The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. (Section 32.2) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. (Section 32.3).

Provisions requiring the provision of facilities, assistance, and retention:

ITA Interception and Monitoring Rules:

The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction (Section 13(2)).
If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. (Section 17).

ITA Monitoring of Traffic Rules:

The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. (Section 4(7)).

UASL License:

The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. (Section 39.1).
The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.(Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. (Section 41.10).
The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. (Section 41.10).
The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 41.11).
The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. (Section 41.14). The database of subscribers must also be made available to the licensor or its representatives. (Section 41.16).
The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. (Section 41.17).
Calling Line Identification must be provided and the network should also support Malicious Call Identification. (Section 41.18).
Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis (Section 41.19).
Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. (Section 41.19(iv)).
The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. (41.20 (ix)).
On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. (41.20 (x))
Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. (41.20 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. (Section 41.20 (xv)).
For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. (Section 41.20 (xx)).

ISP License:

The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. (Section 2.2(vii)).
The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. (Section 9.1).
The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. (Section 33.4).
The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. (Section 30.1).
The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. (Section 34.1).
In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. (Section 34.4).
The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. (Section 34.6).
The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. (Section 34.7).
ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. (Section 34.8).
The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. (Section 34.9).
The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. (Section 34.12).
The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. (Section 34.13).
Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. (Section 34.15).
The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. (Section 34.22).
The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. (Section 34.23).
Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).
Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. (Section 34.27 (a(v)).
The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. (Section 34.27 (ix)).
On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. (Section 34.27 (x)).
Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. (Section 34.27 (xiv)).
A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. (Section 34.27 (xv)).
ISPs must provide access of their network and other facilities, as well as books to security agencies. (Section 34.27 (xx)).

12. Principle - Safeguards for international cooperation: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.

Indian Legislation: India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.

Below is a summary of the relevant provisions:

ITA 2000: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. (Section 1(2))

UASL License: The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. (section (41.20 (viii))

ISP License: For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. (Section 34.28 (iii)) ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) (Section 34.28 (viii))

13. Principle - Safeguards against illegitimate access: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.

Indian Legislation: Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.

The relevant provisions are summarized below:

TA Rules 2007: The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. (Section 14) Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation. (Section 20, 20A, 23, and 24 Indian Telegraph Act).

ITA Interception and Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 21).

ITA Traffic Monitoring Rules: The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. (Section 6).

UASL License:

In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. (Section 41.20 (xix)).
Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).

ISP License:

In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. (Section 34.28 (xix)).
The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. (Section 8.4).
Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).

14. Principle - Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.

Indian Legislation: In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.

Below are summaries of relevant provisions:

UASL License:

Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. (Section 40.4).
Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. (Section 41.7).
The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. (Section 41.10).
The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. (Section 41.20 (xvi)).
ISP License:
- Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. (Section 33.4).
- The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. (Section 34.7).
- Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. (Section 34.27 (a(i)).
- Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. (Section 34.27 (a(ii)) One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. (Section 34.27 (a(iii)).

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications

A Case for Greater Privacy Paternalism?

Amber Sinha — 2016-02-20T07:28:43Z

This is the second part of a series of three articles exploring the issues with the privacy self management framework and potential alternatives.

The first part of the series can be accessed here.

Background

The current data privacy protection framework across most jurisdictions is built around a rights based approach which entrusts the individual with having the wherewithal to make informed decisions about her interests and well-being.^{^[1]} In his book, The Phantom Public, published in 1925, Walter Lippmann argues that the rights based approach is based on the idea of a sovereign and omnicompetent citizens, who can direct public affairs, however, this idea is a mere phantom or an abstraction. ^{^[2]} Jonathan Obar, Assistant Professor of Communication and Digital Media Studies in the Faculty of Social Science and Humanities at University of Ontario Institute of Technology, states that Lippmann's thesis remains equally relevant in the context of current models of self-management, particularly for privacy.^{^[3]} In the previous post, Scott Mason and I had looked at the limitations of a 'notice and consent' regime for privacy governance. Having established the deficiencies of the existing framework for data protection, I will now look at some of the alternatives proposed that may serve to address these issues.

In this article, I will look at paternalistic solutions posed as alternatives to the privacy self-management regime. I will look at theories of paternalism and libertarianism in the context of privacy and with reference to the works of some of the leading philosophers on jurisprudence and political science. The paper will attempt to clarify the main concepts and the arguments put forward by both the proponents and opponents of privacy paternalism. The first alternative solution draws on Anita Allen's thesis in her book, Unpopular Privacy,^{^[4]} which deals with the questions whether individuals have a moral obligation to protect their own privacy. Allen expands the idea of rights to protect one's own self interests and duties towards others to the notion that we may have certain duties not only towards others but also towards ourselves because of their overall impact on the society. In the next section, we will look at the idea of 'libertarian paternalism' as put forth by Cass Sunstein and Richard Thaler^{^[5]} and what its impact could be on privacy governance.

Paternalism

Gerald Dworkin, Professor Emeritus at University of California, Davis, defines paternalism as "interference of a state or an individual with another person, against their will, and defended or motivated by a claim that the person interfered with will be better off or protected from harm." ^{^[6]} Any act of paternalism will involve some limitation on the autonomy of the subject of the regulation usually without the consent of the subject, and premised on the belief that such act shall either improve the welfare of the subject or prevent it from diminishing.^{^[7]} Seana Shiffrin, Professor of Philosophy and Pete Kameron Professor of Law and Social Justice at UCLA, takes a broader view of paternalism and includes within its scope not only matters which are aimed at improving the subject's welfare, but also the replacement of the subject's judgement about matters which may otherwise have lied legitimately within the subject's control.^{^[8]} In that sense, Shiffrin's view is interesting for it dispenses with both the requirement for active interference, and such act being premised on the subject's well-being.

The central premise of John Stuart Mill's On Liberty is that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. "His own good, either physical or moral," according to Mill, "is not a sufficient warrant." However, various scholars over the years have found Mill's absolute prohibition problematic and support some degree of paternalism. John Rawls' Principle of Fairness, for instance has been argued to be inherently paternalistic. If one has to put it in a nutshell, the aspect about paternalism that makes it controversial is that it involves coercion or interference, which in any theory of normative ethics or political science needs to be justified based on certain identified criteria. Staunch opponents of paternalism believe that this justification can never be met. Most scholars however, do not argue that all forms of paternalism are untenable and the bulk of scholarship on paternalism is devoted to formulating the conditions under which this justification is satisfied.

Paternalism interferes with self-autonomy in two ways according to Peter de Marneffe, the Professor of Philosophy at the School of Historical, Philosophical and Religious Studies, Arizona State University.^{^[9]} The first is the prohibition principle, under which a person's autonomy is violated by being prohibited from making a choice. The second is the opportunity principle which undermines the autonomy of a person by reducing his opportunities to make a choice. Both the cases should be predicated upon a finding that the paternalistic act will lead to welfare or greater autonomy. According to de Marneffe, there are three conditions under which such acts of paternalism are justified - the benefits of welfare should be substantial, evident and must outweigh the benefits of self-autonomy.^{^[10]}

There are two main strands of arguments made against paternalism.^{^[11]} The first argues that interference with the choices of informed adults will always be an inferior option to letting them decide for themselves, as each person is the 'best judge' of his or her interests. The second strand does not engage with the question about whether paternalism can make better decisions about individuals, but states that any benefit derived from the paternalist act is outweighed by the harm of violation of self-autonomy. Most proponents of soft-paternalism build on this premise by trying to demonstrate that not all paternalistic acts violate self-autonomy. There are various forms of paternalism that we do not question despite them interfering with our autonomy - seat belt laws and restriction of tobacco advertising being a few of them. If we try to locate arguments for self-autonomy in the Kantian framework, it refers not just to the ability to do what one chooses, but to rational self-governance.^{^[12]} This theory automatically "opens the door for justifiable paternalism."^{^[13]} In this paper, I assume that certain forms of paternalism are justified. In the remaining two section, I will look at two different theories advocating greater paternalism in the context of privacy governance and try to examine the merits and issues with such measures.

A moral obligation to protect one's privacy

Modest Paternalism

In her book, Unpopular Privacy,^{^[14]} Anita Allen states that enough emphasis is not placed by people on the value of privacy. The right of individuals to exercise their free will and under the 'notice and consent' regime, give up their rights to privacy as they deem fit is, according to her, problematic. The data protection law in most jurisdictions, is designed to be largely value-neutral in that it does not sit on judgement on what is the nature of information that is being revealed and how the collector uses it. Its primary emphasis is on providing the data subject with information about the above and allowing him to make informed decisions. In my previous post, Scott Mason and I had discussed that with online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less and less of a genuine option.^{^[15]} Lamenting that people put little emphasis on privacy and often give away information which, upon retrospection and due consideration, they would feel, they ought not have disclosed, Allen proposes what she calls 'modest paternalism' in which regulations mandate that individuals do not waive their privacy is certain limited circumstances.

Allen acknowledges the tension between her arguments in favor of paternalism and her avowed support for the liberal ideals of autonomy and that government interference should be limited, to the extent possible. However, she tries to make a case for greater paternalism in the context of privacy. She begins by categorizing privacy as a "primary good" essential for "self respect, trusting relationships, positions of responsibility and other forms of flourishing." In another article, Allen states that this "technophilic generation appears to have made disclosure the default rule of everyday life."^{^[16]} Relying on various anecdotes and examples of individuals' disregard for privacy, she argues that privacy is so "neglected in contemporary life that democratic states, though liberal and feminist, could be justified in undertaking a rescue mission that includes enacting paternalistic privacy laws for the benefit of un-eager beneficiaries." She does state that in most cases it may be more advantageous to educate and incentivise individuals towards making choices that favor greater privacy protection. However, in exceptional cases, paternalism would be justified as a tool to ensure greater privacy.

A duty towards oneself

In an article for the Harvard Symposium on Privacy in 2013, Allen states that laws generally provide a framework built around rights of individuals that enable self-protection and duties towards others. G A Cohen describes Robert Nozick's views which represents this libertarian philosophy as follows: "The thought is that each person is the morally rightful owner of himself. He possesses over himself, as a matter of moral right, all those rights that a slaveholder has over a chattel slave as a matter of legal right, and he is entitled, morally speaking, to dispose over himself in the way such a slaveholder is entitled, legally speaking, to dispose over his slave."^{^[17]} As per the libertarian philosophy espoused by Nozick, everyone is licensed to abuse themselves in the same manner slaveholders abused their slaves.

Allen asks the question whether there is a duty towards oneself and if such a duty exists, should it be reflected in policy or law. She accepts that a range of philosophers consider the idea of duties to oneself as illogical or untenable. ^{^[18]} Allen, however relies on the works of scholars such as Lara Denis, Paul Eisenberg and Daniel Kading who have located such a duty. She develops a schematic of two kinds of duties - first order duties that requires we protect ourselves for the sake of others, and second order, derivative duties that we protect ourself. Through the essay, she relies on the Kantian framework of categorical imperative to build the moral thrust of her arguments. Kantian view of paternalism would justify those acts which interfere with an individual's autonomy in order to prevent her from exercising her autonomy irrationally, and draw her towards rational end that agree with her conception of good.^{^[19]} However, Allen goes one step further and she locates the genesis for duties to both others (perfect duties) and oneself (imperfect duties) in the categorical imperative . Her main thesis is that there are certain situations where we have a moral duty to protect our own privacy where failure to do so would have an impact on either specific others or the society, at large.

Issues

Having built this interesting and somewhat controversial premise, Allen does not sufficiently expand upon it to present a nuanced solution. She provides a number of anecdotes but does not formulate any criteria for when privacy duties could be self-regarding. Her test for what kinds of paternalistic acts are justified is also extremely broad. She argues for paternalism where is protects privacy rights that "enhance liberty, liberal ways of life, well-being and expanded opportunity." She does not clearly define the threshold for when policy should move from incentives to regulatory mandate nor does she elaborate upon what forms paternalism would both serve the purpose of protecting privacy as well as ensuring that there is no unnecessary interference with the rights of individual.^{^[20]}

Nudge and libertarian paternalism

What is nudge?

In 2006, Richard Thaler and Cass Sunstein published their book Nudge: Improving decisions about health, wealth and happiness. ^{^[21]} The central thesis of the book is that in order to make most of decisions, we rely on a menu of options made available to us and the order and structure of choices is characterised by Thaler and Sunstein as "choice architecture." According to them, the choice architecture has a significant impact on the choices that we make. The book looks at examples from a food cafeteria, the position of restrooms and how whether the choice is to opt-in or opt-out influences the retirement plans that were chosen. This choice architecture influences our behavior without coercion or a set of incentives, as conventional public policy theory would have us expect. The book draws on work done by cognitive scientists such as Daniel Kahneman^{^[22]} and Amos Tversky^{^[23]} as well as Thaler's own research in behavioral economics. ^{^[24]} The key takeaway from cognitive science and behavioral economics used in this book is that choice architecture influences our actions in anticipated ways and leads to predictably irrational behavior. Thaler and Sunstein believe that this presents a great potential for policy makers. They can tweak the choice architecture in their specific domains to influence the decisions made by its subjects and nudge them towards behavior that is beneficial to them and/or the society.

The great attraction of the argument made by Thaler and Sunstein is that it offers a compromise between forbearance and mandatory regulation. If we identify the two ends of the policy spectrum as - a) paternalists who believe in maximum interference through legal regulations that coerce behavior to meet the stated goals of the policy, and b) libertarians who believe in the free market theory that relies on the individuals making decisions in their best interests, 'nudging' falls somewhere in the middle, leading to the oxymoronic yet strangely apt phrase, "libertarian paternalism." The idea is to design choices in such as way that they influence decision-making so as to increase individual and societal welfare. In his book, The Laws of Fear, Cass Sunstein argues that the anti-paternalistic position is incoherent as "there is no way to avoid effects on behavior and choices."

The proponents of libertarian paternalism refute the commonly posed question about who decides the optimal and desirable results of choice architecture, by stating that this form of paternalism does not promote a perfectionist standard of welfare but an individualistic and subjective standard. According to them, choices are not prohibited, cordoned off or made to carry significant barriers. However, it is often difficult to conclude what it is that is better for the welfare of people, even from their own point of view. The claim that nudges lead to choices that make them better off by their own standards seems more and more untenable. What nudges do is lead people towards certain broad welfare which the choice-architects believe make the lives of people better in the longer term.^{^[25]}

How nudges could apply to privacy?

Our previous post echoes the assertion made by Thaler and Sunstein that the traditional rational choice theory that assumes that individuals will make rationally optimal choices in their self interest when provided with a set of incentives and disincentives, is largely a fiction. We have argued that this assertion holds true in the context of privacy protection principles of notice and informed consent. Daniel Solove has argued that insights from cognitive science, particularly using the theory of nudge would be an acceptable compromise between the inefficacy of privacy self-management and the dangers of paternalism.^{^[26]} His rationale is that while nudges influence choice, they are not overly paternalistic in that they still give the individual the option of making choices contrary to those sought by the choice architecture. This is an important distinction and it demonstrates that 'nudging' is less coercive than how we generally understand paternalistic policies.

One of the nudging techniques which makes a lot of sense in the context of the data protection policies is the use of defaults. It relies on the oft-mentioned status quo bias.^{^[27]} This is mentioned by Thaler and Sunstein with respect to encouraging retirement savings plans and organ donation, but would apply equally to privacy. A number of data collectors have maximum disclosure as their default settings and effort in understanding and changing these settings is rarely employed by users. A rule which mandates that data collectors set optimal defaults that ensure that the most sensitive information is subjected to least degree of disclosure unless otherwise chosen by the user, will ensure greater privacy protection.

Ryan Calo and Dr. Victoria Groom explored an alternative to the traditional notice and consent regime at the Centre of Internet and Society, Stanford University.^{^[28]} They conducted a two-phase experimental study. In the first phase, a standard privacy notice was compared with a control condition and a simplified notice to see if improving the readability impacted the response of users. In the second phase, the notice was compared with five notices strategies, out of which four were intended to enhance privacy protective behavior and one was intended to lower it. Shara Monteleone and her team used a similar approach but with a much larger sample size.^{^[29]} One of the primary behavioral insights used was that when we do repetitive activities including accepting online terms and conditions or privacy notices, we tend to use our automatic or fast thinking instead to reflective or slow thinking.^{^[30]} Changing them requires leveraging the automatic behavior of the individuals.

Alessandro Acquisti, Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University, has studied the application of methodologies from behavioral economics to investigate privacy decision-making.^{^[31]} He highlights a variety of factors that distort decision-making such as - "inconsistent preferences and frames of judgment; opposing or contradictory needs (such as the need for publicity combined with the need for privacy); incomplete information about risks, consequences, or solutions inherent to provisioning (or protecting) personal information; bounded cognitive abilities that limit our ability to consider or reflect on the consequences of privacy-relevant actions; and various systematic (and therefore predictable) deviations from the abstractly rational decision process." Acquisti looks at three kinds of policy solutions taking the example of social networking sites collecting sensitive information- a) hard paternalistic approach which ban making visible certain kind of information on the site, b) a usability approach that entails designing the system in way that is most intuitive and easy for users to decide whether to provide the information, c) a soft paternalistic approach which seeks to aid the decision-making by providing other information such as how many people would have access to the information, if provided, and set defaults such that the information is not visible to others unless explicitly set by the user. The last two approaches are typically cited as examples of nudging approaches to privacy.

Another method is to use tools that lead to decreased disclosure of information. For example, tools like Social Media Sobriety Test^{^[32]} or Mail Goggles^{^[33]} serve to block the sites during certain hours set by user during which one expects to be at their most vulnerable, and the online services are blocked unless the user can pass a dexterity examination.^{^[34]} Rebecca Belabako and her team are building privacy enhanced tools for Facebook and Twitter that will provide greater nudges in restricting who they share their location on Facebook and restricting their tweets to smaller group of people.^{^[35]} Ritu Gulia and Dr. Sapna Gambhir have suggested nudges for social networking websites that randomly select pictures of people who will have access to the information to emphasise the public or private setting of a post.^{^[36]} These approaches try to address the myopia bias where we choose immediate access to service over long term privacy harms.

The use of nudges as envisioned in the examples above is in some ways an extension of already existing research which advocates a design standard that makes the privacy notices more easily intelligible.^{^[37]} However, studies show only an insignificant improvement by using these methods. Nudging, in that sense goes one step ahead. Instead of trying to make notices more readable and enable informed consent, the design standard will be intended to simply lead to choices that the architects deem optimal.

Issues with nudging

One of the primary justifications that Thaler and Sunstein put forward for nudging is that the choice architecture is ubiquitous. The manner in which option are presented to us impact how we make decision whether it was intended to do so or not, and that there is no such thing a neutral architecture. This inevitability, according to them, makes a strong case for nudging people towards choices that will lead to their well-being. However, this assessment does not support the arguments made by them that libertarian paternalism nudges people towards choices from their own point of view. It is my contention that various examples of libertarian paternalism, as put forth by Thaler and Sunstein, do in fact interfere with our self-autonomy as the choice architecture leads us not to options that we choose for ourselves in a fictional neutral environments, but to those options that the architects believe are good for us. This substitution of judgment would satisfy the definition by Seana Shiffron. Second, the fact that there is no such things as a neutral architecture, is by itself, not justification enough for nudging. If we view the issue only from the point of view of normative ethics, assuming that coercion and interference are undesirable, intentional interference is much worse than unintentional interference.

However, there are certain nudges that rely primarily on providing information, dispensing advice and rational persuasion.^{^[38]} The freedom of choice is preserved in these circumstances. Libertarians may argue that even these circumstances the shaping of choice is problematic. This issue, J S Blumenthal-Barby argues, is adequately addressed by the publicity condition, a concept borrowed by Thaler and Sunstein from John Rawls.^{^[39]} The principle states that officials should never use a technique they would be uncomfortable defending to the public; nudging is no exception. However, this seems like a simplistic solution to a complex problem. Nudges are meant to rely on inherent psychological tendencies, leveraging the theories about automatic and subconscious thinking as described by Daniel Kahneman in his book, "Thinking Fast, Thinking Slow."^{^[40]} In that sense, while transparency is desirable it may not be very effective.

Other commentators also note that while behavioral economics can show why people make certain decisions, it may not be able to reliably predict how people will behave in different circumstances. The burden of extrapolating the observations into meaningful nudges may prove to be too heavy.^{^[41]} However, the most oft-quoted criticism of nudging is that it will rely on officials to formulate the desired goals towards which the choice architecture will lead us.^{^[42]} The judgments of these officials could be flawed and subject to influence by large corporations.^{^[43]} These concerns echo the best judge argument made against all forms of paternalism, mentioned earlier in this essay. J S Blumenthal-Barby, Assistant Professor at the Center for Medical Ethics and Health Policy, Baylor College of Medicine, also examines the claim that the choice architects will be susceptible to the same biases while designing the choice environment.^{^[44]} His first argument in response to this is that experts who extensively study decision-making may be less prone to these errors. Second, he argues that even with errors and biases, a choice architecture which attempts to the rights the wrongs of a random and unstructured choice environment is a preferable option.^{^[45]}

Conclusion

Most libertarians will find the notion that individuals are prevented from sharing some information about themselves problematic. Anita Allen's idea about self-regarding duties is at odds how we understand rights and duties in most jurisdictions. Her attempt to locate an ethical duty to protect one's privacy, while interesting, is not backed by a formulation of how such a duty would work. While she relies largely on an Kantian framework, her definition of paternalism, as can be drawn from her writing is broader than that articulated by Kant himself. On the other hand, Thaler and Sunstein's book Nudge and related writings by them do attempt to build a framework of how nudging would work and answer some questions they anticipate would be raised against the idea of libertarian paternalism.

By and large, I feel that, Thaler and Sunstein's idea of libertarian paternalism could be justified in the context of privacy and data protection governance. It would be fair to say the first two conditions of de Marneffe under which such acts of paternalism are justified ^{^[46]} are largely satisfied by nudges that ensures greater privacy protection. If nudges can ensure greater privacy protection, its benefits are both substantial and evident. However, the larger question is whether these purported benefits outweigh the costs of loss of self-autonomy. Given the numerous ways in which the 'notice and consent' framework is ineffective and leads to very little informed consent, it can be argued that there is little exercise of autonomy, to begin with, and hence, the loss of self-autonomy is not substantial. Some of the conceptual issues which doubt the ability of nudges to solve complex problems remain unanswered and we will have to wait for more analysis by both cognitive scientists and policy-makers. However, given the growing inefficacy of the existing privacy protection framework, it would be a good idea of begin using some insights from cognitive science and behavioral economics to ensure greater privacy protection.

The current value-neutrality of data protection law with respect of the kind of data collected and its use, and its complete reliance on the data subject to make an informed choice is, in my opinion, an idea that has run its course. Rather than focussing solely on the controls at the stage of data collection, I believe we need a more robust theory of how to govern the subsequent uses of data. This will is the focus of the next part of this series in which I will look at the greater use of risk-based approach to privacy protection.

^{^[1]} With invaluable inputs from Scott Mason.

^{^[2]} Walter Lippmann, The Phantom Public, Transaction Publishers, 1925.

^{^[3]} Jonathan Obar, Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management, Big Data and Society, 2015, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239188

^{^[4]} Anita Allen, Unpopular Privacy: What we must hide?, Oxford University Press USA, 2011.

^{^[5]} Richard Thaler and Cass Sunstein, Nudge, Improving decisions about health, wealth and happinessYale University Press, 2008.

^{^[6]} http://plato.stanford.edu/entries/paternalism/

^{^[7]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 29.

^{^[8]} Seana Shiffrin, Paternalism, Unconscionability Doctrine, and Accommodation, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2682745

^{^[9]} Peter de Marneffe, Self Sovereignty and Paternalism, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 58.

^{^[10]} Id .

^{^[11]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 74.

^{^[12]} Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 115.

^{^[13]} Ibid at 116.

^{^[14]} Anita Allen, Unpopular Privacy: What we must hide?, Oxford University Press USA, 2011.

^{^[15]} Janet Vertasi, My Experiment Opting Out of Big Data Made Me Look Like a Criminal, 2014, available at http://time.com/83200/privacy-internet-big-data-opt-out/

^{^[16]} Anita Allen, Privacy Law: Positive Theory and Normative Practice, available at http://harvardlawreview.org/2013/06/privacy-law-positive-theory-and-normative-practice/ .

^{^[17]} G A Cohen, Self ownership, world ownership and equality, available at http://journals.cambridge.org/action/displayAbstract?fromPage=online&aid=3093280

^{^[18]} Marcus G. Singer, On Duties to Oneself, available at http://www.jstor.org/stable/2379349?seq=1#page_scan_tab_contents; Kurt Baier, The moral point of view: A rational basis of ethics, available at https://www.uta.edu/philosophy/faculty/burgess-jackson/Baier,%20The%20Moral%20Point%20of%20View%20%281958%29%20%28Excerpt%20on%20Ethical%20Egoism%29.pdf .

^{^[19]} Michael Cholbi, Kantian Paternalism and suicide intervention, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013.

^{^[20]} Eric Posner, Liberalism and Concealment, available at https://newrepublic.com/article/94037/unpopular-privacy-anita-allen

^{^[21]} Richard Thaler and Cass Sunstein, Nudge, Improving decisions about health, wealth and happinessYale University Press, 2008.

^{^[22]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[23]} Daniel Kahneman, Paul Slovic and Amos Tversky, Judgment under uncertainty: heuristics and biases, Cambridge University Press, 1982; Daniel Kahneman and Amos Tversky, Choices, Values and Frames, Cambridge University Press, 2000.

^{^[24]} Richard Thaler, Advances in behavioral finance, Russell Sage Foundation, 1993.

^{^[25]} Thaler, Sunstein and Balz, Choice Architecture, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1583509.

^{^[26]} Daniel Solove, Privacy self-management and consent dilemma, 2013 available at http://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2093&context=faculty_publications

^{^[27]} Frederik Borgesius, Behavioral sciences and the regulation of privacy on the Internet, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2513771.

^{^[28]} Ryan Calo and Dr. Victoria Groom, Reversing the Privacy Paradox: An experimental study, available at http://ssrn.com/abstract=1993125

^{^[29]} Shara Monteleon et al, Nudges to Privacy Behavior: Exploring an alternative approahc to privacy notices, available at http://publications.jrc.ec.europa.eu/repository/bitstream/JRC96695/jrc96695.pdf

^{^[30]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[31]} Alessandro Acquisti, Nudging Privacy, available at http://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[32]} http://www.webroot.com/En_US/sites/sobrietytest/test.php?url=0

^{^[33]} http://google.about.com/od/m/g/mail_goggles.htm

^{^[34]} Rebecca Balebako et al, Nudging Users towards privacy on mobile devices, available at https://www.andrew.cmu.edu/user/pgl/paper6.pdf.

^{^[35]} Id .

^{^[36]} Ritu Gulia and Dr. Sapna Gambhir, Privacy and Privacy Nudges for OSNs: A Review, available at http://www.ijircce.com/upload/2014/march/14L_Privacy.pdf

^{^[37]} Annie I. Anton et al., Financial Privacy Policies and the Need for Standardization, 2004 available at https://ssl.lu.usi.ch/entityws/Allegati/pdf_pub1430.pdf; Florian Schaub, R. Balebako et al, "A Design Space for effective privacy notices" available at https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

^{^[38]} Daniel Hausman and Bryan Welch argue that these cases are mistakenly characterized as nudges. They believe that nudges do not try to inform the automatic system, but manipulate the inherent cognitive biases. Daniel Hausman and Bryan Welch, Debate: To Nudge or Not to Nudge, Journal of Political Philosophy 18(1).

^{^[39]} Ryan Calo, Code, Nudge or Notice, available at

^{^[40]} Daniel Kahneman, Thinking, fast and slow, Farrar, Straus and Giroux, 2011.

^{^[41]} Evan Selinger and Kyle Powys Whyte, Nudging cannot solve complex policy problems.

^{^[42]} Mario J. Rizzo & Douglas Glen Whitman, The Knowledge Problem of New Paternalism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1310732; Pierre Schlag, Nudge, Choice Architecture, and Libertarian Paternalism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1585362.

^{^[43]} Edward L. Glaeser, Paternalism and Psychology, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=917383.

^{^[44]} J S BLumenthal-Barby, Choice Architecture: A mechanism for improving decisions

while preserving liberty?, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013.

^{^[45]} Id .

^{^[46]} According to de Marneffe, there are three conditions under which such acts of paternalism are justified - the benefits of welfare should be substantial, evident and must outweigh the benefits of self-autonomy. Peter de Marneffe, Self Sovereignty and Paternalism, from Christian Coons and Michael Weber, ed., Paternalism: Theory and Practice; Cambridge University Press, 2013. at 58.

For more details visit https://cis-india.org/internet-governance/blog/a-case-for-greater-privacy-paternalism

आधार नंबर, नाम, पता, बैंक अकाउंट और दूसरी संवेदनशील जानकारियां लीक: CIS रिपोर्ट

praskrishna — 2017-05-20T11:40:49Z

एक तरफ भारत सरकार लोगों से अपना आधार कार्ड बनवाने और उसे जरूरी सर्विसों के साथ जोड़ने की अपील कर रही है. दूसरी तरफ लगातार सरकारी वेबसाइट्स से लोगों की आधार से जुड़ी जानकारियां लीक हो रही हैं. सरकार ने आधार को लगभग सभी सर्विसों के लिए जरूरी करने की तैयारी की है.

This was published by Aaj Tak on May 4, 2017.

ताजा रिसर्च के मुताबिक सरकार के डेटाबेस से लगभग 135 मिलियन आधान नंबर ऑनलाइन लीक हुए हो सकते हैं. इस रिसर्च दी सेंटर फॉर इंटरनेट एंड सोसाइटी (CIS) ने कराया है. इस एजेंसी ने इस रिसर्च को इनफॉर्मेशन सिक्योरिटी प्रैक्टिस ऑफर आधार के नाम से प्रकाशित किया है.

रिपोर्ट के मुताबिक सरकारी पोर्टल्स ने लगभग 135 मिलियन भारतीय नागरिकों के आधार नंबर ऑनलाइन को पब्लिक कर दिया. यानी कोई भी इसे ऐक्सेस कर सके. जाहिर है ऐसे में आधार नंबर के गलत यूज का भी खतरा होता है.

चार सरकारी वेबसाइट जिनमें मनरेगा, सोशल ऐसिस्टेंस प्रोग्राम, डेली ऑनलाइन पेमेंट रिपोर्ट और चंद्रण बीमा स्कीम वेबसाइट शामिल हैं. रिपोर्ट के मुताबिक इन वेबसाइट्स पर यूजर्स के आधार नंबर और फिनांशियल जानकारी जैसे बैंक अकाउंट डीटेल को पब्लिक कर दिया जिसे कोई भी ऐक्सेस कर सकता है.

रिपोर्ट के मुताबिक नेशनल सोशल ऐसिस्टेंस प्रोग्राम की वेबसाइट पर पेंशन धारकों के जॉब कार्ड नंबर, बैंक अकाउंट नंबर, आधार कार्ड नंबर और अकाउंट की स्थिति जैसी संवेदनशील जानकारियां उपलब्ध होती हैं. लेकिन कमजोर सिक्योरिटी की वजह से यह दुनिया के किसी भी इंसान के लिए उपलब्ध हो गई. सिर्फ कुछ क्लिक से ही तमाम संवेदनशील जानकारियां हासिल की जा सकती हैं.

हाल ही में झारखंड सरकार की एक वेबसाइट पर लाखों आधार कार्ड होल्डर्स की जानकारियां लीक हो गईं. इसके अलावा कई राज्यों की सरकारी वेबसाइट पर स्कॉलरशिप पाने वाले स्टूडेंट्स के आधार कार्ड डीटेल्स लीक हो गए. गूगल सर्च के जरिए सिर्फ कुछ कीवर्ड्स यूज करके डीटेल्स कोई भी ढूंढ कर गलत यूज कर सकता है.

इस रिसर्च रिपोर्ट में कहा गया है आधार नंबर, जाती, धर्म, पता, फोटोग्राफ्स और यूजर की आर्थिक जानकारी इस तरह पब्लिक होना इस बात को दर्शाता है कि इसे कितने लचर तरीके से लागू किया गया है.

हाल ही में मानव संसाधन विकास मंत्रालय की वेबसाइट से ऐसे डेटा ऐक्सेल शीट आसानी से गूगल के जरिए डाउनलोड की जा सकती थी. आप इसे चूक करें या लापरवाही, लेकिन इतने नागरिकों का घर तक का पता किसी के पास भी हो सकता है.

क्या आधार नंबर को पब्लिक करना सही है?
आधार ऐक्ट 2016 के मुताबिक किसी नागरिक का आधार डेटा पब्लिश नहीं किया जा सकता. यानी मंत्रालय की वेबसाइट इन डेटा को सिक्योर रखने में नाकामयाब हो रही हैं.

आधार ऐक्ट 2016 के तहत कलेक्ट किया गया कोई भी आधार नंबर या कोर बायोमैट्रिक इनफॉर्मेशन पब्लिक नहीं किया जा सकता और न ही इसे किसी पब्लिक प्लैटफॉर्म पर पोस्ट किया जा सकता है. हालांकि इसके इस्तेमाल कानून के तहत शामिल की गईं एजेंसियां और संस्थाएं कर सकती हैं.

दी वायर की एक रिपोर्ट के मुताबिक एक महीने पहले डेटा रिसर्चर श्रीनीवास कोडाली ने थर्ड पार्टी वेबसाइट के द्वारा गलती लीक किए गए 5-6 लाख लोगों के पर्सनल डेटा के बारे में बताया था. इस डेटा में आधार नंबर, नाम, कास्ट, जेंडर और फोटोज शामिल थे.

सरकार के हमेशा दावा करती है कि आधार सिक्योर है
सरकार लगातार दावा करती है कि आधार सिक्योर है सेफ है और डेटा लीक नहीं हो रहे हैं. लेकिन ये घटनाएं लागातार उन दावों को खोखला साबित कर रही हैं. सवाल यह है कि अब इस रिपोर्ट के बाद सरकार कोई कठोर कदम उठाती है या फिर पहले की तरह लचर सुरक्षा बनी रहेगी.

For more details visit https://cis-india.org/internet-governance/news/aaj-tak-may-4-2017-135-million-aadhaar-number-leaked-by-govt-website-cis-report

क्‍या आधार पर जल्दबाज़ी में है सरकार?

praskrishna — 2017-03-29T03:52:08Z

Amber Sinha took part in a discussion on Aadhaar aired by NDTV on March 27, 2017.

एक जुलाई 2017 से आयकर रिटर्न भरने और पैन नंबर के लिए आधार नंबर देना अनिवार्य हो जाएगा. बिना आधार के अब आयकर रिटर्न नहीं भरा जा सकेगा. जिस किसी के पास पैन कार्ड है उसे एक जुलाई तक आधार नंबर देना होगा. अगर ऐसा नहीं करेंगे तो पैन कार्ड अवैध हो जाएगा. माना जाएगा कि आपके पास पैन कार्ड या पैन नंबर नहीं है. आयकर फार्म और पैन नंबर में आधार को अनिवार्य किये जाने से कई सवाल फिर से उठे हैं. 2009 से लेकर 2017 के बीच आधार के इस्तमाल को लेकर, इसके लीक होने से लेकर अनिवार्य किये जाने के ख़तरे को लेकर कई बहसें सुनी, पचासों लेख पढ़े. दूसरी तरफ हमने समाज में देखा कि आधार को लेकर ग़ज़ब का उत्साह है.

Watch the Video on NDTV

For more details visit https://cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar

‘By weakening our security, govt is putting us at risk of espionage’

praskrishna — 2015-10-02T03:09:46Z

After the BlackBerry encryption and IT Act fiascos of recent years, the government last week sent yet another cyber policy howler, the Draft National Encryption Policy, only to withdraw it in the face of severe protests. S. Raghotham and Mayukh Mukherjee spoke with Pranesh Prakash, policy director, Centre for Internet & Society, on the government’s continued misadventures with data privacy and encryption.

This interview of Pranesh Prakash was published in Asian Age on September 27, 2015.

First we had Section 66A in the Information Technology Act. Now we have these attempts at breaking encryption and invading privacy. Your comment.
The Draft National Encryption Policy (DNEP) was not only an invasion of privacy and a restriction on anonymous speech, but was, most importantly, a direct assault on national security. It was quite clearly drafted by people who did not understand encryption, who think that encryption is something that only a handful of people do, without realising that encryption is baked into most of our technologies.

It is clear that the government’s cyber-law division needs people who are better versed in both the law (including constitutional rights) as well as technical aspects of IT. It’s not just Section 66A, but a host of other provisions in the IT Act which display a similar cluelessness. For instance, gaining unauthorised access to a protected system for purposes of defamation is, as per Indian law, sufficient to commit the offence of “cyber terrorism”.

How does this compare with the previous government’s attempts to gain access to BlackBerry communications?
L’affaire BlackBerry concluded with the government realising that while they could get BlackBerry to locate a network operations centre in India, they still couldn’t decrypt everything since BlackBerry Enterprise Service allowed enterprises to control the encryption. However, the government seems to have drawn the wrong lesson from that, and wants to prevent end-users from using encryption the way they have already managed with telecom companies and Internet service providers, who are not allowed to deploy bulk encryption which saves their customers’ data from being intercepted by attackers.

The government seems to be saying, if the US National Security Agency (NSA) doesn’t get you, we will. How are we to respond to this?
If you’re using Gmail, Yahoo Mail, Hotmail, etc., you already have opportunistic traffic-level encryption for email. Ironically, no @deity.gov.in or @nic.in address has even this basic level of encryption. This is the shocking state of affairs even many years after National Informatics Centre (NIC) publicly acknowledged that multiple email accounts that they host were hacked into. National security is a collective form of security — we can’t increase national security by making individuals less secure. We can’t, for instance, improve national security by telling people not to use locks on their houses. That will only decrease security, not increase it. And we are in a situation where our government conducts all their email communications using the online equivalent of postcards, rather than using sealed envelopes. The Central government urgently needs to appoint a group of security experts who work with NIC to shore up our defensive security.

A slide on an NSA programme called BOUNDLESSINFO-RMANT showed that in the month of February 2013, the NSA has collected 12.5 billion data records relating to phone calls from India, far more than what they had collected from China. The fact that our government mandates weak telecom security (by restricting bulk encryption) might account for this. By weakening our security, the government is putting us at greater risk of espionage and at the hands of hackers.

What are some of the ramifications for businesses and individuals if the government were to have keys to all encrypted information as it seeks?
The government, in the DNEP, did not even seek key escrow (which is what the debate was about in the 1990s in the US’ “crypto war”). Here the government more or less sought to tell companies and individuals that they have to keep plain text, making storage-level encryption pointless. This means that all your company’s information — emails, passwords and financial records — would be vulnerable to compromise by hackers. It is like telling a company that it is allowed to own a government-approved safe for storing important documents, but it has to keep a copy of all the important documents outside the safe.

Is the encryption policy fiasco some junior bureaucrat’s ignorance of what he was proposing or is it part of the government’s continued efforts to somehow gain control over information flows?
The government intended to gain greater access to everyday transactions. This would violate citizens’ privacy, which the government has been arguing is not a fundamental right. They went about it in a manner that is absurd in its consequences. The policy would have required you to record every mobile phone call and Skype call, to keep a plain text version of communications, which would harm national security. While I don’t believe the government would intentionally weaken national security, as they would have had this draft policy been carried forward, one cannot say that the government wouldn’t do so wantonly, much in the same way that they haven’t even employed basic security in their email systems.

Do you perceive a higher level of desire in the current government to control information flows?
The Indian government’s pursuance of harmful technology policies is nothing new. However, I hope that as a tech-savvy person heading an ostensibly tech-savvy government, Prime Minister Narendra Modi steps in and halts these deleterious policies. One disappointment of the last year has been the lack of progress on the Privacy Act, which seems to have been shelved for the time being. I believe the government’s motivations are genuine and grounded in the public interest. However, as in any constitutional democracy, the citizenry ought to be engaged in both defining the public interest as well as in debating how we best protect and uphold it within the norms laid down in our Constitution, which includes guarantees of fundamental rights which are inviolable except in limited circumstances.

For most of these policy problems, the best way forward is to ensure that the government follow a system of issuing green papers — essentially non-papers meant to stimulate public discussion — before it issues white papers which contain statements of policy intent, based on which it finally formulates policies or laws. Currently, interaction between policymakers and civil society is far too infrequent. The government needs to inject far more subject-matter expertise into policymaking.

For more details visit https://cis-india.org/internet-governance/news/asian-age-september-27-2015-s-raghotham-and-mayukh-mukherjee-by-weakening-our-security-govt-is-putting-us-at-risk-of-espionage

2012: Privacy Highlights in India

elonnai — 2013-02-12T12:39:05Z

In this blog post, Elonnai Hickok summarizes the top privacy moments of 2012 in India. In doing so she lists out the major ones like the Report of Group of Experts on Privacy, the RIM Standoff, the Nira Radia controversy, the Centralized Monitoring System, Unmanned Aerial Vehicles, NATGRID, CCTNS, the growth of CCTVs, the leaked DNA Profiling Bill, and the UID project.

The Report of Group of Experts on Privacy: In October 2012 the "Report of Group of Experts on Privacy" was published by a governmental committee chaired by Justice A.P. Shah. The report contains recommendations for comprehensive privacy legislation, including defining nine privacy principles, establishing a regulatory framework consisting of privacy commissioners at the regional and central level, and self regulatory organizations, and analyzing the present challenges to privacy in India.[1]

Before the report was published, two draft privacy bills had been leaked to the public, and a concept paper drafted in 2010. The report received mixed reviews from the media, including questions about the relationship between the Right to Information and the Right to Privacy. Before the publishing of the Report, Prime Minister Manmohan Singh recognized that disclosures under the RTI Act could, in some instances, violate individual privacy. In a statement to the public, the Prime Minister stated "citizens’ right to know should definitely be circumscribed if disclosure of information encroaches upon someone's personal privacy. But where to draw the line is a complicated question".[2]

Three months before the report was published, the EU had publicly stated that current data protection provisions in India are not sufficient enough, and that India is not considered to be 'data secure'.[3] If the recommendations in the report are turned into legislation, among other things, individuals in India will have a right to privacy and a right to redress for violations of privacy.

Governmental Interception: In early 2013 it was revealed that the Ministry of Home Affairs ordered interception of 10,000 phones and 1300 email ids during October 2012 to December 2012.[4] Continuing its efforts to access all communications, in May 2012, the Government of India gave service providers a month to develop a method for intercepting calls using VoIP services.[5] In February 2012 the Telecom Department proposed a new set of security guidelines that would allow for real time interception of communications and the tracking of the location of users. Among other things, the proposal establishes telecom security assurance and testing labs for the purpose of testing and certifying telecom equipment.[6] Additionally, in October of 2012, Bharti Airtel refused to wiretap telephones for RAW. The Department of Telecommunications eventually ordered Bharti Airtel to comply with the order, which they did.[7] The events around interception in 2012 show that the Indian government is still trying to gain access to as much information as possible. The constant push for real time access by the government is concerning, as many safeguards are missing from the Indian interception regime such as, penalty to security agencies for unauthorized interception and avenues of redress for the individual.

The RIM Standoff: Since 2008, the Indian government has been negotiating with RIM access to BlackBerry communications. Over the years, a number of solutions have been proposed by RIM and the GoI, yet a final agreement was never reached. Continuing the negotiations, In October 2012, RIM agreed to set up a server in Mumbai, which would allow security agencies to access Blackberry Messenger services.[8] Blackberry also provided a solution that would allow access to Blackberry Internet Services.[9] Following this, the Government of India mandated that Telecom Service Providers must incorporate the Blackberry interception solution, or risk being forced to shut their service by December 31, 2012. In compliance with this order, many service providers have set time frames for incorporation of the interception solution including and installed the necessary software.[10] It is important to note that the lawful access solutions provided do not extend to the Blackberry Enterprise Server.[11] Though it seems that the BlackBerry controversy might be resolved, the solution does not appear to be a long term solution, as BES communications are still not accessible, and the solution is not universal for all international providers. Thus, the Indian government will have to negotiate individually with each provider and service that they currently cannot access communications of.

The Nira Radia Controversy: Continuing the Nira Radia controversy, which began in 2008-2009, in September 2012 the Supreme Court ordered the Income Tax Department to transcribe the 5,831 recorded conversations that were originally intercepted by the department. In January this year, the Supreme Court of India ordered that a "random check" be run through the Radia Tapes to check for instances of possible criminality.[12] This case has become an important moment for privacy in India, as it intersects the dilemma between the right to privacy and public interest. Since 2010, Ratan Tata has been claiming that his right to privacy was violated by the publishing of the leaked tapes.[13] The Supreme Court’s final decision will be important for drawing another contour of how the right to privacy is shaped in India.

The Centralized Monitoring System: In 2012 the Telecom Ministry set aside Rs. 400 crore for the Central Monitoring System, which is projected to be finished by August 2014.[14] The project, which first began in 2007, is envisioned to allow security agencies to bypass service providers and intercept communications on their own. The system is designed to have regional databases and a central database which will be accessible to law enforcement and security agencies. Privacy concerns related to the project include how the system will incorporate current legal regulations for interception in India, as a system that bypasses service providers essentially means that every communication can be read by law enforcement. Furthermore, it is not clear exactly who, and on what conditions will officials be allowed and authorized to access and use the system. The exact capabilities of the system have also not been identified. For example, will the CMS be able to intercept VoIP calls, will it be able to decrypt messages, and will it employ techniques such as Deep Packet Inspection.

Unmanned Aerial Vehicles (UAVs): Since the late 90’s the Defense Research Development Organisation (DRDO) has been developing UAV’s for military purposes, and before this, India was acquiring UAV’s from Israel.[15] Since that time there has been an increase in domestic companies and institutes developing UAVs, and an increase in the procurement of the technology by state police for generic reasons purposes as crowd control, traffic management, and security. For example, in August of 2012 the city of Mumbai used the UAV "Netra", as part of their security protocol during the Raj Thackeray rally to capture and send real time images back to the police. Netra is manufactured by the company Idea Forge.[16] The Mumbai police also used the Netra in September 2012 after the Azad Maidan riots, and again on New Year’s Eve to monitor and track crime such as sexual harassment.[17] Similarly, Chennai city police are looking to procure from Anna University a UAV developed by the Madras Institute of Technology. The UAV will be used to assist in traffic monitoring and control.[18] The increased procurement and use of UAV’s by state police is concerning as there is no clear legal regulation over the deployment of the vehicles. Thus, they have shifted from being used as a tool by the military, and are being used for monitoring traffic, crowd monitoring, etc. Furthermore, the process for authorization for use of the vehicles is not clear, and it is not clear how the captured information is protected and handled. Though UAV’s are clearly a useful tool for the military, for military purposes, the permitted use of them by other actors should be defined and regulated. The use of UAV’s for generic purposes could place individual privacy at risk, because of the amount of information and the level of detail that the vehicles are able to capture without the knowledge of the individual.

The National Intelligence Grid (NATGRID): Plans for the NATGRID project, which was first piloted after the Mumbai attacks, has been continuing forward through 2012 and is envisioned to be operational sometime in 2013. During 2012, a detailed project report was submitted for the project, and in June the government approved Rs. 1,100 crore for purchase of technological equipment.[19] NATGRID is a project that envisions networking 21 databases for purposes of crime investigation including tax, health, and travel information. The information will be accessible to 11 security agencies and law enforcement agencies. Though it has been clarified that NATGRID will ensure that privacy is protected, the design of NATGRID is one that could create potential risks – as it brings together large amounts of personal data for easy access by security agencies. In doing so it could potentially eliminate the steps security agencies must take currently to access information – such as submitting a request and obtaining permission for access. Furthermore, it is unclear how current legal protections such as secrecy clauses in banking legislation will be incorporated and upheld by the NATGRID system. Other questions that the project raises include – though currently there are only eleven agencies listed that will have access to NATGRID – will this list expand? Without a policy in place how will this standard and other standards be enforced?

The Crime and Criminal Tracking Network & System (CCTNS): Though the CCTNS project has been in the works since 2009, a call for companies to develop the technology for the system was taken in early 2012, and pilot projects were launched later that year. The CCTNS is being headed by the National Crime Records Bureau, and will allow for the sharing of crime related information on a national level, in real time. In 2012, the system was allocated 2,000 crores by the government, and currently 2,000 police stations and other offices have been connected under the system.[20]

For example, police in Chhattisgarh,[21] Uttarakhand[22] and Odisha have all been connected to the CCTNS system.[23] Though it will be beneficial for the police to have access to a networked system, it has not been made clear yet what type of security system the project will adopt to ensure that the information is not compromised or accessed without authorization. It has also not been clarified what information will be placed on the database, and will all records be accessible to any individual accessing the system. Because the project is still in pilot stages it is hard to tell if it could put individual privacy at risk. Hopefully, before the project is realized in its full, many of the details will be clarified.

The Growth of CCTVs: Throughout 2012 the use of CCTV’s has continued to grow across India. For example, the Maharashtra government has undertaken a "CCTV surveillance project" in which it is in the process of taking bids for.[24] The state of Karnataka is also planning on installing CCTV cameras in Bangalore and other major cities to help detect incidents of crime.[25] While the Delhi Transport Department is contemplating installing CCTVs in buses,[26] and the Indian Rail Authorities have also decided to install CCTVs throughout stations to increase security.[27] There still does not exist regulation of the use of CCTV cameras, thus it is unclear who can operate a CCTV camera, which departments of the government can mandate for the installation of CCTVs, if public notice must be given that a CCTV camera is in use, and who can access the footage from a CCTV.

Study on Privacy Perceptions: In a study that came out in December 2012 by Ponnurangam K, among other things, it was found that 75 per cent of participants never read the privacy policy on a website – including social networking sites, participants also thought that there was a privacy legislation in place in India, and that individuals in India are most concerned about financial privacy.[28]

The National Counter Terrorism Centre (NCTC): The NCTC was originally created in response to the Mumbai terror attacks, under the Unlawful Prevention Act, 1967. The NCTC was meant to be realized in 2012, but in March, plans for the Centre were put on hold, because of the controversial nature of the project.[29] The Centre was meant to bring Indian intelligence agencies under one umbrella, and analyze and store information related to terrorism. The proposed body has been highly controversial, as states object to the powers given to the Centre and see it as intruding on their powers and jurisdiction. If passed, the NCTC will have the powers of arrest, search and seizure, and the ability to access information from other intelligence agencies.[30]

The Leaked DNA Profiling Bill: In 2012, a version of the DNA Profiling Bill, originally drafted in 2007, was leaked to the public. The Bill is being piloted by the department of biotechnology, and seeks to establish DNA databases at the regional and central level for forensic purposes, yet the Bill does not establish strong protections for the privacy of DNA samples taken and important technical standards for ensuring that DNA samples are not misused or tampered with.[31] What will happen to the Bill in 2013 is yet to be seen, but hopefully it will not be passed without the appropriate safeguards incorporated into its provisions.

The Unique Identification Project and the National Population Registrar: Throughout 2012, the UID has continued to carry out enrollments across the country, and sign MoU's with private sector companies for the adoption of the UID platform. Parallel to the UID project, the NPR project is also being implemented. The NPR seeks to provide every citizen of India with an identity that will be stored in an identity database maintained by the Registrar General and Census Commissioner of India.[32] According to the NPR scheme, individuals who had already enrolled with the UID and given their biometrics would not need to re-submit their biometrics with the NPR. Yet, this has not been the case, and instead individuals are now being required to provide their biometrics for enrollment with the UID and the NPR.[33]

Privacy has been raised as a concern of the UID since the start of the project. For both the UID and the NPR now the transaction record will be stored by agencies, and whether it will be possible to track individuals across databases using their NPR or UID identity?

[1]. The Report of Group of Experts on Privacy. See http://bit.ly/VqzKtr

[2]. Tikku, A., "RTI doesn’t trample upon privacy, says expert panel", Hindustan Times, October 29, 2012, available at http://bit.ly/TNAzRF, last accessed on January 8, 2013.

[3]. Sen, A. India protests European Union study of data laws. Economic Times. July 9, 2012, available at http://bit.ly/Y9ahHs, last accessed on January 8, 2013.

[4]. Harismran, J., Thomas, J. "Home Ministry ordered 10k wire taps in last 90 days, order tapping of 1300 email Ids", The Economic Times, January 3, 2013, available at http://bit.ly/TKk7yN, last accessed on January 7th 2013.

[5].The Economic Times, "Provide solution to intercept VoIP within a month: Govt", May 6, 2012, available at http://bit.ly/VQDQ4k, last accessed on January 7, 2013.

[6]. The Economic Times, "New policy for real time interception to security agencies", February 1, 2012, available at http://bit.ly/11DrlvB, last accessed on January 7, 2013.

[7]. The Economic Times, "RAW irked as Airtel keeps its request for phone tapping on hold", October 21, 2012, available at http://bit.ly/12IujhF, last accessed on January 7, 2013.

[8]. Reyes, D., "RIM installs BlackBerry server in Mumbai", CrackBerry, February 23, 2012, available at http://bit.ly/yBQsSo

[9]. Economic Times, "DoT makes telecom operators fall in line on Blackberry issue", December 30, 2012, available at http://bit.ly/1169ufn

[10]. Economic Times, "MTNL, BSNL fail to give dates for Blackberry interception", October 29, 2012, available at http://bit.ly/1169ufp, last accessed on January 7, 2012.

[11]. The Economic Times, "Telecom companies agreed to provide real-time intercept facilities for BlackBerry smartphones", December 31, 2012, available at http://bit.ly/Y9gjYt, last accessed on January 7, 2012.

[12]. Mahapatra, D., "SC to examine Radia tapes for criminality", Times of India, January 9, 2013, available at http://bit.ly/VD7eWX

[13]. Times of India, "Ratan Tata softens stand on Radia tapes", August 23, 2012, available at http://bit.ly/158CZxl, last accessed on January 7, 2013.

[14]. The Economic Times, "Govt. to place phone tapping system worth Rs. 400 cr by 2014", March 21, 2012, available at http://bit.ly/V2P9q6, last accessed on January 7, 2013.

[15]. Monsonis, G., "UAVs gaining currency with Indian Armed Forces", Indian Defence Review, October 30, 2012, available at http://bit.ly/KVYyIr, last accessed on January 7, 2013.

[16]. Mumbai Mirror, "Raj Thackeray’s mega rally: Unmanned Aerial Vehicle kept an eye on Azed Maidan", Economic Times, August 22, 2012, available at http://bit.ly/PYTGAG, last accessed on January 7, 2013.

[17].Ali, A. & Narayan. V., "Netra cameras to keep a close watch , over New Year’s Eve hotspots", Times of India, December 31, 2012, available at http://bit.ly/Z7orxt, last accessed on January 7, 2013.

[18]. Venugopal, V., "It flies, it swoops, it records and monitors", The Hindu, December 20, 2012, available at http://bit.ly/V89sLo, last accessed January 7, 2013.

[19]. The Economic Times, "Cabinet Committee on Security approves Rs. 1,100 crore for NATGRID", June 14, 2012.

[20]. Mohan, V., "Centre launches pilot project to track criminals", The Times of India, January 5, 2013, available at http://bit.ly/UPk2fh

[21]. The Pioneer, "Civil Lines Police Station gets connected with CCTNS", January 2012, available at http://bit.ly/VRXKGJ

[22]. CIOL Bureau, "CCTNS to be made public through internet: Dehradun DGP", January 4, 2012, available at http://bit.ly/X4JISx, last accessed on January 7, 2013.

[23]. The Hindu, "Odisha to launch CCTNS on January 12", January 7, 2013, available at http://bit.ly/Vd9Ay1, last accessed on January 7, 2013.

[24]. Padmakshan, M., "Maharashtra plans to invite new bids for CCTV surveillance project", September 18, 2012, available at http://bit.ly/VRYrQm, last accessed on January 7, 2013.

[25]. Ashoka, R., "Karnataka to install CCTV cameras in Bangalore, major cities", Economic Times. July 26, 2012, available at http://bit.ly/11Dxt6Z, last accessed on January 7, 2013.

[26]. Economic Times, "Buses to come with CCTV cameras for safety of women: Delhi government", December 17, 2012, available at http://bit.ly/158Gtjo, last accessed on January 7, 2013.

[27]. Economic Times, "Railways to step by security apparatus at stations", February 15, 2012, available at http://bit.ly/11DxSX8, last accessed on January 7, 2013.

[28]. Times of India, "Most Indians ignorant about privacy issues on Facebook, Twitter: Study", December 10, 2012, available at http://bit.ly/X4KVt1, last accessed on January 7, 2013.

[29]. Kumar, H., "Does India Need a National Counter Terrorism Center?", The New York Times, India Ink, February 28, 2012, available at http://nyti.ms/A5VU5P

[30]. Times of India. CM to attend National Counter- Terrorism Centre Meet in Delhi. May 4, 2012, available at http://bit.ly/12IDoH9, last accessed on January 8, 2012.

[31]. Hickok, E., "Rethinking DNA Profiling in India", Economic Political Weekly, October 27, 2012, available at http://bit.ly/TUrH7j, last accessed on January 7, 2013.

[32]. Department of Information Technology, "National Population Register", available at http://bit.ly/12rzyOh

[33]. Pandit, A., "NPR must even if you have Aadhar number", Times of India, October 31, 2012, available at http://bit.ly/Y9oXGq, last accessed on January 8, 2013.

For more details visit https://cis-india.org/internet-governance/privacy-highlights-in-india

135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers

praskrishna — 2017-05-20T06:19:12Z

This was published by Counterview on May 5, 2017.

A top study by the Centre for Internet and Society (CIS) has estimated that “estimated number of aadhaar numbers leaked” through top portals which handle aadhaar “could be around 130-135 million”. Worse, it says, the number of bank accounts numbers leaked would be “around 100 million”.

The study, carried out by researchers Amber Sinha and Srinivas Kodali, adds, “While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used aadhaar for direct bank transfer (DBT) could have leaked personally identifiable information (PII) similarly due to lack of information security practices.”

Pointing out that “over 23 crore beneficiaries have been brought under aadhaar programme for DBT”, the study, titled “Information Security Practices of Aadhaar (Or Lack Thereof)”, says, “Government schemes dashboard and portals demonstrate … dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures.”

Claiming to have a closer look at the databases publicly available portals, the researchers identify four of them a pool of other government websites for examination:

A welfare programme by the Ministry of Rural Development, the National Social Assistance Programme (NSAP) portal, even as seeking to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement, offers information about “job card number, bank account number, name, aadhaar number, account frozen status”, the researchers say.

Pointing out that “one of the url query parameters of website showing the masked personal details was modified from nologin to login”, they say, the “control access to login based pages were allowed providing unmasked details without the need for a password.”

In fact, they say, the Data Download Option feature “allows download of beneficiary details mentioned above such as Beneficiary No, Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”
They add, “The NSAP portal lists 94,32,605 banks accounts linked with aadhaar numbers, and 14,98,919 post office accounts linked with aadhaar numbers. While the portal has 1,59,42,083 aadhaar numbers in total, not all of whom are linked to bank accounts.”

Also giving the example of the national rural job guarantee scheme, popularly called NREGA, the researchers say, its portal provides DBT reports containing “various sub-sections including one called ‘Dynamic Report on Worker Account Detail’,” with details like “Job card number, aadhaar number, bank/postal account number, number of days worked”, and so on.

“As per the NREGA portal, there were 78,74,315 post office accounts of individual workers seeded with aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502”, they add.

Providig similar instances form two other sources, the researchers insist, “The availability of large datasets of aadhaar numbers along with bank account numbers, phone numbers on the internet increases the risk of financial fraud.”

Underlining that “aadhaar data makes this process much easier for fraud and increases the risk around transactions”, they say, “In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of aadhaar numbers and other related data available.”

Click to read the original published by Counterview on May 5, 2017.

For more details visit https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million

135 MEELLION Indian government payment card details leaked

praskrishna — 2017-05-20T11:51:14Z

Legislation coming to beef up Aadhaar card privacy, security.

The article by Richard Chirgwin was published in the Register on May 3, 2017.

If you're enthused about governments operating large-scale online identity projects, here's a cautionary tale: the Indian government's eight-year-old Aadhaar payment card project has leaked a stunning 130 million records.

Aadhaar's role in authenticating and authorising transactions, and as the basis of the country's UID (unique identification database) makes any breach a privacy nightmare.

India's Centre for Internet and Society (CIS) made their estimate public in a report published on Monday.

It's not that there was a breach related to Aahdaar itself: rather, other government agencies were leaking Aadhaar and related data they'd collected for their own purposes.

The research paper drilled down on four government-operated projects: Andhra Pradesh's Mahatma Gandhi National Rural Employment Scheme; the same state's workers' compensation scheme known as Chandranna Bima; the National Social Assistance Program; and an Andhra Pradesh portal of Daily “Online Payment Reports under NREGA” maintained by the National Informatics Centre.

In total, the CIS says, the portals leaked 135 million Aadhaar card records linked to around 100 million bank account numbers.

Given India's enthusiasm to try and eliminate cash, it's a big deal: the Aadhaar card funnels benefits to recipients' linked bank accounts. As the report states: “To allow banking and payments using Aadhaar, banks and government departments are seeding Aadhaar numbers along with bank account details”.

The centre says the leaks represent significant and “potentially irreversible privacy harm”, but worse they also open up a fraud-ready source of personal information.

Online databases examined by the CIS included “numerous instances” of Aadhaar Numbers, associated with personal information.

The Indian government responded through Aruna Sundararajan, secretary at the Union Electronics and Information Technology Ministry, who announced amendments to the country's IT legislation to beef up the system's privacy and security.

“Aadhaar has very strong privacy regulation built into it”, she told the Hindu, but it needs better enforcement.

Sundararajan said those issues will be addressed in the legislative amendments.

For more details visit https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked

130 Million at Risk of Fraud After Massive Leak of Indian Biometric System Data

praskrishna — 2017-05-20T12:36:06Z

A series of potentially calamitous leaks in India leave as many as 130 million people at risk of fraud or worse after caches of biometric and other personal data became accessible online.

The article by Dell Cameron was published by Gizmodo on May 3, 2017.

That’s according to a new report from the Bangalore-based Centre for Internet and Society (CIS), which details breaches at four national- and state-run databases, all of which are said to contain purportedly “uniquely-identifying” Aadhaar numbers.

Launched in 2009, the Aadhaar system is an ambitious, albeit flawed program aimed at assigning unique identity numbers, not only to Indian citizens, but everyone who resides and works in the country. It is the largest program of its kind in the world. The 12-digit Aadhaar codes are assigned and maintained in a central database by the Unique Identification Authority of India (UIDAI) and link to biometric data of fingerprint and iris scans combined.

For security purposes, since 2002, all U.S. passports issued to international travelers at embassies and consulates around the world have contained biometric data, including a ten fingerprint scan, contained in a microchip embedded in the back cover. In 2007, the law was extended to cover U.S. citizens, and since at least 2013, so-called “e-passports” have been the standard.

With a very different intention in mind, the Aadhaar system was created to employ biometrics as a means to ensure that Indian residents have access to the social safety net, including programs for welfare, health, and education. But due to the sheer scale—again, the largest biometric project in history—the program has been fraught with controversy since day one. Since inception, more than 1.13 billion Aadhaar numbers have since been assigned, according to UIDAI data. (India has a population of roughly 1.32 billion.)

Former World Bank economist Salman Anees , a member of the Indian National Congress (INC), points to migrant laborers as an example of those the program is intended to help. The often carry no identification, he said, and therefore can rarely prove who they are when traveling from state to state. The purpose of the Aadhaar system, he said, is to provide every Indian with a “digital identity.”

“At least, that was the original idea,” adds Soz.

After the INC was battered in the 2014 general election, plans were put forth to expand the scope of the Aadhaar program, inflaming public concern over security and privacy. “Basically, you take this Aadhaar number and you start seeding different [government] databases,” Soz says. “And that, in effect, creates this huge data structure that people are very uncomfortable with.”

“In some ways,” he continued, “what you have is this amazingly modern system with huge data collection potential—and of course, many positives can come from this, but in the wrong hands it can become a huge problem for India. At the same time, your legal framework, your regulatory framework, your policies and procedures are not there. People aren’t aware of what their rights are. They have no idea what this thing can do.”

One problem, Soz says, is that Aadhaar numbers are not always checked against a cardholder’s fingerprints or iris scans in all cases, defeating its purpose entirely. When someone provides an Aadhaar number to prove their identity online or by phone, for example, their identities cannot adequately verified. In this way, Aadhaar numbers are not wholly unlike Social Security numbers in the United States. Were 130 million Social Security numbers to be leaked online, confidence in the ability to use that number to confirm an Americans’ identities would be shaken, if not destroyed.

Last month, a central government database containing thousands of Aadhaar numbers—as well as dates of birth, addresses, and tax IDs (PAN)—reportedly leaked, exposing thousands of Indian residents to potential abuse. According to The Wire, the information, which was contained in Microsoft Excel spreadsheets, could be easily located on Google.

According to CIS, roughly 130-135 million Aadhaar numbers have now been exposed in this most recent leak. With the growing use of the numbers in areas such as insurance and banking, and without proper mechanisms in place to biometrically confirm the identities of cardholders in every case, the threat of financial fraud is pervasive. “All of these leaks are symptomatic of a significant and potentially irreversible privacy harm,” the report says, noting that such incidents “create a ripe opportunity for financial fraud.”

While Aadhaar is not mandatory everywhere, CIS says, the Indian government continues collecting information about the participants under various social programs. Inevitably, that information is combined with other databases containing even more sensitive data. As that happens, there’s a heightened risk to those whose Aadhaar numbers have been compromised. How the Indian government will address its apparently inadequate security controls before fraud overwhelms the system remains unknown.

Read the full report: Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

For more details visit https://cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data

130 Million Aadhaar Numbers Were Made Public, Says New Report

praskrishna — 2017-05-20T06:32:32Z

The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.

The article was published in the Wire on May 1, 2017. This was also mirrored on MensXP.com on May 5, 2017.

Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due improper information security practices, from various central government and state government departments.

This new report, released by the Centre for Internet and Society, studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The data leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information include bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login'”, it became easy to gain access to the unmasked details without a password.

“It is entirely unclear to us what the the purpose behind making available a data download pption on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the government agency that manages the Aadhaar initiative, in the data leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data.With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the report states.

Still public?

A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about Aadhaar leaks,” the report notes.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report

20 years of Google: Privacy, fake news and the future

Admin — 2018-08-30T02:49:06Z

Google once directed you to information. Today, it’s often the source of information, using data you and others have shared, often without you realising it. Public knowledge goes where Google takes it. And 20 years on, not everyone’s happy with the journey.

The article by Rachel Lopez was published in Hindustan Times on August 26, 2018. Pranesh Prakash was quoted.

Happy Birthday, Google. The search engine is 20 this year, and what a ride it’s been! When Sergey Brin and Larry Page were developing software that searched better and loaded faster than Explorer, Navigator and AltaVista, the web itself consisted of just 1 lakh websites.

Google’s mission statement was succinct: To organise the world’s information and make it universally accessible. Their corporate code of conduct was even simpler: Don’t be evil.

Perhaps even Google didn’t realise where its mission would take it. The following decade brought Google News, Gmail, Maps and Chrome. By 2014, the internet had grown to 1 billion websites. The search engine, their core product, had become the default homepage of the Internet.

In May this year, Google quietly dropped the ‘Don’t be evil’ tag. The same month, its Android operating system crossed 2 billion monthly active devices. Seven products (including YouTube and Google Play) now reach a combined 1 billion users.

Google once directed you to information. Today, it’s often the source of information (in ads and top-of-the-page blocs), using data you and others have shared, often without you realising it. Public knowledge goes where Google takes it. And 20 years on, not everyone’s happy with the journey.

“The key concern is that Google has grown so big,” says Pranesh Prakash, policy director at Bangalore’s Centre for Internet & Society. “It’s like the classic line from [Spiderman’s] Uncle Ben: With great power comes great responsibility. In Google’s case, its great size is what brought great power to begin with.”

For billions of Google users, the biggest concerns are now of privacy and accountability, says Nikhil Pahwa, founder of Medianama, which analyses digital and telecom businesses. “There are few checks on Google’s ability to take, retain and process information from users,” he says.

Hits and misses

For Google, all is going according to plan. Its search engine is now smart enough to complete your sentences. It’s learning constantly from what you search for, watch, spend on, share and regret; it knows your commute and your vacation plans. And it’s profiting from this knowledge.

In the UK, Google is being sued for bypassing iPhone privacy settings to track and collect data from 4.4 million users in 2011 and 2012. Information on race, physical and mental health, political leanings, sexuality, shopping habits and locations was apparently used to build advertising categories. Google also creates products for the US government, and has user data from around the world. “Any entity that has this much insight into us, and is in a position to use it, whether for the government or commercial gain, is cause for worry,” says Prakash. Most users aren’t worried, and that’s worrying too. We don’t realise how much data is being tracked or collected. The more we share, the more useful Google gets, and the greater its potential for misuse, for mapping say, beef-eaters, online dissenters, LGBT supporters or single women who work late.

The Internet’s other giant, Facebook, recently suspended 400 apps over privacy concerns, admitting that 87 million users may have had data compromised in 2016. Meanwhile, even non-Google apps are capable of hijacking data using software developed by Google. Weather apps look at your photo gallery, ride-sharing software keep tracking you after the ride, games are checking out your texts as you play. Gmail knows your flight timings, how many steps you’ve walked, and your last bank transaction.

Search for tomorrow

Perhaps the biggest concerns are with Google’s artificial intelligence technology, the brand’s great leap forward fuelled by its massive data reserves. The tech is already being criticised for being fed biased data, creating global services that mirror the prejudices of an insular, mostly white, mostly male, tech industry.

Sara Wachter-Boettcher, author of Technically Wrong, which looks at how technology reflects sexism and the biases of the people that create it, says this creates problems. “Google develops tools that other tech companies rely on to build other products,” she says. So its biases spread to other products too. As machines learn, Google is starting to unlearn too.

“Machine unlearning is basically recognising when a machine has learned something inaccurate, or biased, and then erasing that learning,” says Wachter-Boettcher. In Africa, the company (along with Facebook) now funds a Masters course in machine intelligence to improve the industry’s diversity. Last year, Google took its first steps to curb fake news hits on its search engines with tools that allow users to report misleading or offensive content.

But perhaps it’s time to work towards a future in which Google will be monitored in real time, in different countries, rather than depending on the company to offer a fix after a misstep. Prakash believes that the way forward is reimagining an Internet where Google isn’t the first and last word on everything. “This doesn’t mean more companies like Google but searching that happens in a more decentralised way,” he says. “We need to save the web from large monopolies in the long run.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-rachel-lopez-august-26-2018-20-years-of-google-privacy-fake-news-and-future

13 crore Aadhaar numbers on four government websites compromised: Report

praskrishna — 2017-05-03T15:19:52Z

The lack of information security practices in key government websites which hosts Personally Identifiable Information (PII) has left citizens of the country more vulnerable to identity theft and financial fraud, a research paper has argued.

The article by Akram Mohammed was published by the New Indian Express on May 2, 2017.

A paper by Amber Sinha and Srinivas Kodali of Centre for Internet and Society analysed four government websites and found that more than 13 crore Aadhaar numbers with related PII were available on the websites, exposing lax security features.

The paper published under Creative Commons is titled ‘Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information’ and was released on Monday.

Sinha and Kodali looked at databases on four government portals -- National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme, Govt. of Andhra Pradesh and Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh.

“We chose major government programmes that use Aadhaar for payments and banking transactions. We found sensitive and personal data and information accessible on these portals,” the report said.

Leaked through portals

“Based on the numbers available on the websites, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million.

While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, that have also used Aadhaar for DBT, could have leaked PII similarly due to lack of information security practices,” it said.

They fear that data of over 23 crore beneficiaries under DBT of LPG subsidies could be leaked also. Identity theft and financial fraud “risks increase multifold in India...,” they said.

Aadhaar payments unsafe

In case a financial fraud takes place through Aadhaar enabled Payment System (AePS), the consumer may not be able to assert his claims for compensation due to the terms and conditions around liabilities.

“These terms force the consumer to take liabilities onto oneself than the payment provider..... Regulations and standards around Aadhaar are at a very early and nascent stage causing (an) increase in financial risk for both consumers and banks to venture into AePS,” they added. The authors also pulled up UIDAI for their inability in providing strong legislation against such leaks.

Leaky govt portals

National Social Assistance Programme

PII available - Access to Aadhaar no., name, bank account number, account frozen status 94,32,605 bank accounts linked with Aadhaar

14,98,919 post office accounts linked with Aadhaar numbers.

Though total Aadhaar number is 1,56,42,083, not all are linked to bank accounts

NREGA

PII Details available: Job card no., Aadhaar number, bank/postal account number, no. of days worked, registration no., account frozen status

78,74,315 post office accounts of individual workers seeded with Aadhaar numbers,

8,24,22,161 bank accounts of individual workers with Aadhaar numbers.

10,96,41,502 total number of Aadhaar numbers stored by portal

Other websites

Chandranna Bima Scheme, Govt. of Andhra Pradesh

Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-may-2-2017-akram-mohammed-13-crore-aadhaar-numbers-on-four-government-websites-compromised

11th Meeting of Information Systems Security Sectional Committee (LITD 17)

praskrishna — 2017-04-19T02:57:03Z

Udbhav Tiwari represented CIS at this meeting organized by the Bureau of Indian Standards (BIS) at Manak Bhavan, New Delhi on April 13, 2017.

The meeting was the national mirror meeting for the 28th ISO/IEC JTC 1/SC 27 Plenary and Working Group Meetings being held at Hamilton, New Zealand between the April 18 and 25, 2017. The meeting provided a fascinating insight into the government and industry viewpoints on key cyber security and privacy issues, especially on the Aadhaar.

For more details visit https://cis-india.org/internet-governance/news/11th-meeting-of-information-systems-security-sectional-committee-litd-17