Centre for Internet and Society

The Digital Divide: pros and cons of Modi's latest big initiative

praskrishna — 2015-07-06T02:11:56Z

Prime Minister Narendra Modi inaugurated the Digital India (DI) initiative on 1 July, at an event attended by scores of government officials as well as industry leaders.

The blog post by Suhas Munshi was published in Catch News on July 2, 2015. Sunil Abraham is quoted.

The initiative

Digital India aims to make all citizens digitally literate. Bring e-governance to every doorstep.

Corporates have promised to invest Rs 4.5 lakh crore in the initiative.

This is greater than the total spend on all govt schemes. It is equivalent to 1/4th of the national budget.

The positives

It will be a boost to industry; both large and small enterprises.

It will ostensibly create a lot of jobs.

It's ideal if citizens can connect directly with the government.

The negatives

Will the initiative be genuinely inclusive?

How will corporates recover their costs? Will the promised investments end up as bad loans from banks?

Who will handle the personal data of so many citizens; will it be efficient?

Who will the vendors be?

Will the proposed digital lockers for official documentation be reliable?

Will the initiative give the govt a tool to conduct mass surveillance?

The alternative focus

Some experts feel the govt should concentrate on giving people access to basic necessities like water, power and sewage.

The backbone of the project, the National Optical Fibre Network, has already run into massive infrastructure issues.

The programme aims to make all citizens digitally literate and bring the internet and e-governance to all sections of the society.

Like Modi's past initiatives, this too has polarised opinion, in this case on the government's aggressive push for e-governance.

While some advise patience before arriving at a verdict, others think it isn't too early to begin celebrations.

Astronomical budget

Most of the funds for this initiative are expected to come from the private sector. The total investments promised by big corporates, according to Modi, is Rs 4.5 lakh crore.

That is an astonishing number - it is equivalent to a quarter of the country's budget.

If true, then the amount spent on this project will be way over the total money spent on all of the government's 66 central sponsored schemes.

However, India hasn't been able to deliver on the last big welfare scheme promised - the Food Security Act, two years after it was passed in Parliament.

Investments promised by corporates add up to Rs 4.5 lakh crore, which is one-fourth of India's total budget

This scheme, which is set to cost the country Rs 1.25 lakh crore, aims to provide subsidised food grains to two-thirds of the populace.

The immediate concern experts have expressed with the budget is the possible intervention of the private sector.

The big corporate houses that have promised these staggering investments, would also be looking to recover them.

"As I see it, effectively a new sector is being created for this initiative. While it is good, when the private sector comes in to support big government projects, we also have to examine what the recovery model for those investments are. Hopefully, more details about investments will be made available," said Subrata Das, Executive Director, Centre for Budget and Governance Accountability.

Boost to industry

The initiative has already received a massive thumbs up from the industry. Corporate leaders made a beeline to praise the initiative.

RIL chairman Mukesh Ambani said that with Digital India, the government has moved faster than industry. He added that Reliance Jio Infocomm will invest Rs 2,50,000 crore as part of the Digital India programme.

"Tata Consultancy Services (TCS) has partnered with the government for projects like Passport Seva and income tax e-filing, as well as state-level projects," said Cyrus Mistry, chairman of Tata Group, at the event.

Azim Premji, Wipro chairman, was quoted as saying the initiative will democratise the nation and "break down the digital divide in India".

He added that the level of skills of India's people will have to be significantly improved in order to make full use of the new initiative.

Kumar Mangalam Birla, chairman of the Aditya Birla Group, said it would leverage its Idea Cellular network of 165 million subscribers across 3,50,000 towns and villages in India to provide mobile-based healthcare and education services, as well as weather forecasting advisories and 'mandi' prices to over one million farmers.

The company will also launch a mobile wallet and payment bank as well as invest over $2 billion in the next five years in various internet-based sectors.

There seems to be a consensus on the kind of platform DI will provide to small entrepreneurs and the massive job opportunities it will create.

"Who has not heard about their computer engineer friends trying to develop a product in their spare time? These small entrepreneurs will get a lot of help if they are brought to a common platform with big companies and if lack of resources don't impede their work. Besides, as government starts to spend, there will be a severe need for hardware technicians, network operators, data entry operators," said Manish Sabharwal, chairman, Teamlease.

Rajeev Chandrasekhar, independent lawmaker in the Rajya Sabha, says DI is not only essential for the idea of 'minimum government, maximum governance', it is a big boost for the Indian IT industry.

"It is absolutely essential for good governance that as many people as possible are put directly in touch with their government. One of the biggest achievements, I think, will be in connecting 700 million people, so far sequestered, with the rest of the country. This obviously helps small entrepreneurs with launching their startups and bringing in a healthy workforce into the folds of this scheme," he said.

Many sunrise sectors before have similarly promised job growth that has not materialised. It remains to be seen how much of this euphoria plays out in concrete terms.

Privacy concerns

Therefore, while there's been a lot of positive buzz, not everyone is sold on the initiative.

Concerns are being raised about the handling of personal data of so many citizens.

There is a question about the reliability of the digital lockers in which all citizens will have their official documentation, and the anxiety of the data falling into the wrong hands.

"Of course, the concern with respect to privacy is legitimate and urgent.

Since the data the government will collect will be very large in terms of volume and can be misused, the reliability of the government's systems will have to be quite high.

So let's wait to see the nuts and bolts of the programme," said Apar Gupta, a senior lawyer specialising in information technology.

According to Reetika Khera, associate professor, economics at IIT Delhi, applications like digital lockers will make it easier for government to conduct mass surveillance.

There are questions over the reliability of digital lockers and about data falling into the wrong hands

"Programmes like Aadhar, digi-locker, central monitoring system (of mobile calls) etc are creating and enabling a massive surveillance infrastructure in India that will put NSA's PRISM, XKeyScore etc to shame.

"For instance, if Aadhaar is linked to your mobile number, bank account, travel details, the government can build a profile of each person at the click of a mouse. This is especially worrying because data protection and privacy laws are weak or non-existent," she said.

Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society, also agrees with the concerns but is optimistic about the safeguards being put in place.

"There is a very mature draft of the Privacy Bill at the Department of Personnel and Training which will hopefully be introduced into Parliament after some rounds of public consultation and feedback.

"This, along with appropriate architectural and technological changes to e-governance services, will mitigate privacy concerns," said Abraham.

Misplaced priorities?

Then there is an argument that the less-privileged sections of society may need basic social services before they're considered for internet inclusion.

"What is true at the ground is that many people still don't have access to basic services, so while I think this is a good initiative, it should be part of our medium-term strategy.

"To begin with, we should focus on setting up basic infrastructure and extending water, power and sewer lines to most of the country," said Amitabh Kundu, retired JNU professor, who's advising the government on various projects.

Apar Gupta wonders how the government intends to bring people who are semi-literate, with no access to internet, within the fold of this e-governance project.

"Extending social welfare schemes to this section of people solely through digital medium is not viable," he said.

Some feel that the whole DI initiative is a mass-scale feel-good exercise. The argument is that using technology to 'uplift' the masses isn't a new idea, and is introduced periodically, and turns out to be largely ineffective.

"From the looks of it, this initiative seems to be nothing but techno-optimism. There is a belief that new technologies will, by themselves, transform the social world, but this doesn't happen.

"Techno-optimism, which we have seen before, is no different to traditional forms of governance, and over time, turns out to be nothing but a public relations exercises. An exercise to make governance visible to masses," said Ravi Sundaram, professor at the Centre for the Study of Developing Societies (CSDS).

Infrastructure issues

A project of this ambition and magnitude is bound to run into difficulties and, just a day after the launch, The Indian Express reported that the National Optical Fibre Network, the backbone of the initiative, is way behind schedule.

The project was supposed to be completed by December 2016. Initially, the 2014-15 target was to execute the work for one lakh gram panchayats, which was later halved to 50,000.

However, up until March 2015, only about 20,000 gram panchayats have been covered.

The primary problem is the cascading delays faced by central agencies, and when the active intervention of states was sought, 'right of way' charges have become the bone of contention.

Lack of contractors to do specialised work is also turning out to be an issue.

Thus, it won't be a stretch to say that while the initiative sounds like a great thing, doubts over its proper execution will continue till there is some concrete success to show for it.

For more details visit https://cis-india.org/internet-governance/news/catch-news-july-2-2015-the-digital-divide-pros-and-cons-of-modi-s-latest-big-initiative

The Difficult Balance of Transparent Surveillance

kovey — 2013-07-15T04:23:35Z

Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other silicon valley giants would say no. When customers join these services, each company provides their own privacy statement which assures customers of the safety and transparency that accompanies their personal data.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.

So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”[1]

So we must unpack the idea of transparency.

First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?

Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.[2]

But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.

Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.” [a] Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.[3]

Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook [a], Apple [b], Microsoft[c], and Google [d]) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14^th, “We have not received any national security orders of the type that Verizon was reported to have received.” [c] Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.

Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.

But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS[4] but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.[5]

Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the petition as an Indian agency is not involved.”[5][6]

The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.

For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.[7] India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.[8] It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.

The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.[5] If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.

Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of who citizens prefer spying over them.

Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.[9] Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”[c]

[1]. http://digitaldueprocess.org/

[2]. http://bit.ly/151Ue1H

[3]. http://bit.ly/12XDb1Z

[4]. http://ti.me/11Xh08V

[5]. Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh [attached]

[6]. http://bit.ly/1aXWdbU

[7]. http://1.usa.gov/qafcXe

[8]. http://bit.ly/114hcCX

[9]. http://bit.ly/156wspI

[a]. Facebook Statement: http://bit.ly/ZQDcn6

[b]. Apple Statement: http://bit.ly/1akaBuN

[c]. Microsoft Statement:http://bit.ly/1bFIt31

[d]. Google Statement: http://bit.ly/16QlaqB

For more details visit https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance

The Design & Technology behind India’s Surveillance Programmes

udbhav — 2017-01-20T15:56:44Z

There has been an exponential growth in the pervasive presence of technology in the daily lives of an average Indian citizen over the past few years. While leading to manifold increase in convenience and connectivity, these technologies also allow for far greater potential for surveillance by state actors.

While the legal and policy avenues of state surveillance in India have been analysed by various organisations, there is very little available information about the technology and infrastructure used to carry out this surveillance. This appears to be largely, according to the government, due to reasons of national security and sovereignty.^[1] This blog post will attempt to paint a picture of the technological infrastructure being used to carry out state surveillance in India.

Background
The revelations by Edward Snowden about mass surveillance in mid-2013 led to an explosion of journalistic interest in surveillance and user privacy in India.^[2] The reports and coverage from this period, leading up to early 2015, serve as the main authority for the information presented in this blog post. The lack of information from official government sources as well as decreasing public spotlight on surveillance since that point of time generally have both led to little or no new information turning up about India’s surveillance regime since this period. However, given the long term nature of these programmes and the vast amounts of time it takes to set them up, it is fairly certain that the programmes detailed below are still the primary bedrock of state surveillance in the country, albeit having become operational and inter-connected only in the past 2 years.

The technology being used to carry out surveillance in India over the past 5 years is largely an upgraded, centralised and substantially more powerful version of the surveillance techniques followed in India since the advent of telegraph and telephone lines: the tapping & recording of information in transit.^[3] The fact that all the modern surveillance programmes detailed below have not required any new legislation, law, amendment or policy that was not already in force prior to 2008 is the most telling example of this fact. The legal and policy implication of the programmes illustrated below have been covered in previous articles by the Centre for Internet & Society which can be found here,^[4] here^[5] and here.^[6] Therefore, this post will solely concentrate on the technological design and infrastructure being used to carry out surveillance along with any new developments in this field that the three source mentioned would not have covered from a technological perspective.

The Technology Infrastructure behind State Surveillance in India

The programmes of the Indian Government (in public knowledge) that are being used to carry out state surveillance are broadly eight in number. These exclude specific surveillance technology being used by independent arms of the government, which will be covered in the next section of this post. Many of the programmes listed below have overlapping jurisdictions and in some instances are cross-linked with each other to provide greater coverage:

Central Monitoring System (CMS)
National Intelligence Grid (NAT-GRID)
Lawful Intercept And Monitoring Project (LIM)
Crime and Criminal Tracking Network & Systems (CCTNS)
Network Traffic Analysis System (NETRA)
New Media Wing (Bureau of New and Concurrent Media)

The post will look at the technological underpinning of each of these programmes and their operational capabilities, both in theory and practice.

Central Monitoring System (CMS)

The Central Monitoring System (CMS) is the premier mass surveillance programme of the Indian Government, which has been in the planning stages since 2008^[7] Its primary goal is to replace the current on-demand availability of analog and digital data from service providers with a “central and direct” access which involves no third party between the captured information and the government authorities.^[8] While the system is currently operated by the Centre for Development of Telematics, the unreleased three-stage plan envisages a centralised location (physically and legally) to govern the programme. The CMS is primarily operated by Telecom Enforcement and Resource Monitoring Cell (TERM) within the Department of Telecom, which also has a larger mandate of ensuring radiation safety and spectrum compliance.

The technological infrastructure behind the CMS largely consists of Telecom Service Providers (TSPs) and Internet Service Providers (ISPs) in India being mandated to integrate Interception Store & Forward (ISF) servers with their Lawful Interception Systems required by their licences. Once these ISF servers are installed they are then connected to the Regional Monitoring Centres (RMC) of the CMS, setup according to geographical locations and population. Finally, Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS) itself, essentially allowing the collection, storage, access and analysis of data collected from all across the country in a centralised manner. The data collected by the CMS includes voice calls, SMS, MMS, fax communications on landlines, CDMA, video calls, GSM and even general, unencrypted data travelling across the internet using the standard IP/TCP Protocol.^[9]

With regard to the analysis of this data, Call Details Records (CDR) analysis, data mining, machine learning and predictive algorithms have been allegedly implemented in various degrees across this network.^[10] This allows state actors to pre-emptively gather and collect a vast amount of information from across the country, perform analysis on this data and then possibly even take action on the basis of this information by directly approaching the entity (currently the TERM under C-DOT) operating the system. ^[11] The system has reached full functionality in mid 2016, with over 22 Regional Monitoring Centres functional and the system itself being ‘switched on’ post trials in gradual phases.^[12]

National Intelligence Grid (NATGRID)

The National Intelligence Grid (NATGRID) is a semi-functional^[13] integrated intelligence grid that links the stored records and databases of several government entities in order to collect data, decipher trends and provide real time (sometimes even predictive) analysis of data gathered across law enforcement, espionage and military agencies. The programme intends to provide 11 security agencies real-time access to 21 citizen data sources to track terror activities across the country. The citizen data sources include bank account details, telephone records, passport data and vehicle registration details, the National Population Register (NPR), the Immigration, Visa, Foreigners Registration and Tracking System (IVFRT), among other types of data, all of which are already present within various government records across the country.^[14]

Data mining and analytics are used to process the huge volumes of data generated from the 21 data sources so as to analyse events, match patterns and track suspects, with big data analytics^[15] being the primary tool to effectively utilise the project, which was founded to prevent another instance of the September, 2011 terrorist attacks in Mumbai. The list of agencies that will have access to this data collection and analytics platform are the Central Board of Direct Taxes (CBDT), Central Bureau of Investigation (CBI), Defense Intelligence Agency (DIA), Directorate of Revenue Intelligence (DRI), Enforcement Directorate (ED), Intelligence Bureau (IB), Narcotics Control Bureau (NCB), National Investigation Agency (NIA), Research and Analysis Wing (RAW), the Military Intelligence of Assam , Jammu and Kashmir regions and finally the Home Ministry itself.^[16]

As of late 2015, the project has remained stuck because of bureaucratic red tape, with even the first phase of the four stage project not complete. The primary reason for this is the change of governments in 2014, along with apprehensions about breach of security and misuse of information from agencies such as the IB, R&AW, CBI, and CBDT, etc.^[17] However, the office of the NATGRID is now under construction in South Delhi and while the agency claims an exemption under the RTI Act as a Schedule II Organisation, its scope and operational reach have only increased with each passing year.

Lawful Intercept And Monitoring Project

Lawful Intercept and Monitoring (LIM), is a secret mass electronic surveillance program operated by the Government of India for monitoring Internet traffic, communications, web-browsing and all other forms of Internet data. It is primarily run by the Centre for Development of Telematics (C-DoT) in the Ministry of Telecom since 2011.^[18]

The LIM Programme consists of installing interception, monitoring and storage programmes at international gateways, internet exchange hubs as well as ISP nodes across the country. This is done independent of ISPs, with the entire hardware and software apparatus being operated by the government. The hardware is installed between the Internet Edge Router (PE) and the core network, allowing for direct access to all traffic flowing through the ISP. It is the primary programme for internet traffic surveillance in India, allowing indiscriminate monitoring of all traffic passing through the ISP for as long as the government desires, without any oversight of courts and sometimes without the knowledge of ISPs.^[19] One of the most potent capabilities of the LIM Project are live, automated keyword searches which allow the government to track all the information passing through the internet pipe being surveilled for certain key phrases in both in text as well in audio. Once these key phrases are successfully matched to the data travelling through the pipe using advanced search algorithms developed uniquely for the project, the system has various automatic routines which range from targeted surveillance on the source of the data to raising an alarm with the appropriate authorities.

LIM systems are often also operated by the ISPs themselves, on behalf of the government. They operate the device, including hardware upkeep, only to provide direct access to government agencies upon requests. Reports have stated that the legal procedures laid down in law (including nodal officers and formal requests for information) are rarely followed^[20] in both these cases, allowing unfettered access to petabytes of user data on a daily basis through these programmes.

Crime and Criminal Tracking Network & Systems (CCTNS)

The Crime and Criminal Tracking Network & System (CCTNS) is a planned network that allows for the digital collection, storage, retrieval, analysis, transfer and sharing of information relating to crimes and criminals across India.^[21] It is supposed to primarily operate at two levels, one between police stations and the second being between the various governance structures around crime detection and solving around the country, with access also being provided to intelligence and national security agencies.^[22]

CCTNS aims to integrate all the necessary data and records surrounding a crime (including past records) into a Core Application Software (CAS) that has been developed by Wipro.^[23] The software includes the ability to digitise FIR registration, investigation and charge sheets along with the ability to set up a centralised citizen portal to interact with relevant information. This project aims to use this CAS interface across 15, 000 police stations in the country, with up to 5, 000 additional deployments. The project has been planned since 2009, with the first complete statewide implementation going live only in August 2016 in Maharashtra. ^[24]

While seemingly harmless at face value, the project’s true power lies in two main possible uses. The first being its ability to profile individuals using their past conduct, which now can include all stages of an investigation and not just a conviction by a court of law, which has massive privacy concerns. The second harm is the notion that the CCTNS database will not be an isolated one but will be connected to the NATGRID and other such databases operated by organisations such as the National Crime Records Bureau, which will allow the information present in the CCTNS to be leveraged into carrying out more invasive surveillance of the public at large.^[25]

Network Traffic Analysis System (NETRA)

NETRA (NEtwork TRaffic Analysis) is a real time surveillance software developed by the Centre for Artificial Intelligence and Robotics (CAIR) at the Defence Research and Development Organisation. (DRDO) The software has apparently been fully functional since early 2014 and is primarily used by Indian Spy agencies, the Intelligence Bureau (IB) and the Research and Analysis Wing (RAW) with some capacity being reserved for domestic agencies under the Home Ministry.

The software is meant to monitor Internet traffic on a real time basis using both voice and textual forms of data communication, especially social media, communication services and web browsing. Each agency was initially allocated 1000 nodes running NETRA, with each node having a capacity to analyse 300GB of information per second, giving each agency a capacity of around 300 TB of information processing per second.^[26] This capacity is largely available only to agencies dealing with External threats, with domestic agencies being allocated far lower capacities, depending on demand. The software itself is mobile and in the presence of sufficient hardware capacity, nothing prevents the software from being used in the CMS, the NATGRID or LIM operations.

There has been a sharp and sudden absence of public domain information regarding the software since 2014, making any statements about its current form or evolution mere conjecture.

Analysis of the Collective Data

Independent of the capacity of such programmes, their real world operations work in a largely similar manner to mass surveillance programmes in the rest of the world, with a majority of the capacity being focused on decryption and storage of data with basic rudimentary data analytics.^[27] Keyword searches for hot words like 'attack', 'bomb', 'blast' or 'kill' in the various communication stream in real time are the only real capabilities of the system that have been discussed in the public domain,^[28] which along with the limited capacity of such programmes^[29] (300 TB) is indicative of basic level of analysis that is carried on captured data. Any additional details about the technical details about how India’s surveillance programmes use their captured data is absent from the public domain but they can presumed, at best, to operate with similar standards as global practices.^[30]

Capacitative Global Comparison

As can be seen from the post so far, India’s surveillance programmes have remarkably little information about them in the public domain, from a technical operation or infrastructure perspective. In fact, post late 2014, there is a stark lack of information about any developments in the mass surveillance field. All of the information that is available about the technical capabilities of the CMS, NATGRID or LIM is either antiquated (pre 2014) or is about (comparatively) mundane details like headquarter construction clearances.^[31] Whether this is a result of the general reduction in the attention towards mass surveillance by the public and the media^[32] or is the result of actions taken by the government under the “national security” grounds under as the Official Secrets Act, 1923^[33] can only be conjecture.

However, given the information available (mentioned previously in this article) a comparative points to the rather lopsided position in comparison to international mass surveillance performance. While the legal provisions in India regarding surveillance programmes are among the most wide ranging, discretionary and opaque in the world^[34] their technical capabilities seem to be anarchic in comparison to modern standards. The only real comparative that can be used is public reporting surrounding the DRDO NETRA project around 2012 and 2013. The government held a competition between the DRDO’s internally developed software “Netra” and NTRO’s “Vishwarupal” which was developed in collaboration with Paladion Networks.^[35] The winning software, NETRA, was said to have a capacity of 300 GB per node, with a total of 1000 sanctioned nodes.^[36] This capacity of 300 TB for the entire system, while seemingly powerful, is a miniscule fragment of 83 Petabytes traffic that is predicted to generated in India per day.^[37] In comparison, the PRISM programme run by the National Security Agency in 2013 (the same time that the NETRA was tested) has a capacity of over 5 trillion gigabytes of storage^[38], many magnitudes greater than the capacity of the DRDO software. Similar statistics can be seen from the various other programmes of NSA and the Five Eyes alliance,^[39] all of which operated at far greater capacities^[40] and were held to be minimally effective.^[41] The questions this poses of the effectiveness, reliance and proportionality of the Indian surveillance programme can never truly be answered due to the lack of information surrounding capacity and technology of the Indian surveillance programmes, as highlighted in the article. With regard to criminal databases used in surveillance, such as the NATGRID, equivalent systems both domestically (especially in the USA) and internationally (such as the one run by the Interpol)^[42] are impossible due to the NATGRID not even being fully operational yet.^[43]

Conclusion

Even if we were to ignore the issues in principle with mass surveillance, the pervasive, largely unregulated and mass scale surveillance being carried in India using the tools and technologies detailed above have various technical and policy failings. It is imperative that transparency, accountability and legal scrutiny be made an integral part of the security apparatus in India. The risks of security breaches, politically motivated actions and foreign state hacking only increase with the absence of public accountability mechanisms. Further, opening up the technologies used for these operations to regular security audits will also improve their resilience to such attacks.

^[1] http://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law

^[2] http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/

^[3] https://www.privacyinternational.org/node/818

^[4] http://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-india.pdf

^[5] http://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf

^[6] http://cis-india.org/internet-governance/blog/paper-thin-safeguards.pdf

^[7] http://pib.nic.in/newsite/PrintRelease.aspx?relid=54679 & http://www.dot.gov.in/sites/default/files/English%20annual%20report%202007-08_0.pdf

^[8] http://ijlt.in/wp-content/uploads/2015/08/IJLT-Volume-10.41-62.pdf

^[9] http://www.thehindu.com/scitech/technology/in-the-dark-about-indias-prism/article4817903.ece

^[10] http://cis-india.org/internet-governance/blog/india-centralmonitoring-system-something-to-worry-about

^[11] https://www.justice.gov/sites/default/files/pages/attachments/2016/07/08/ind195494.e.pdf

^[12] http://www.datacenterdynamics.com/content-tracks/security-risk/indian-lawful-interception-data-centers-are-complete/94053.fullarticle

^[13] http://natgrid.attendance.gov.in/ [Attendace records at the NATGRID Office!]

^[14] http://articles.economictimes.indiatimes.com/2013-09-10/news/41938113_1_executive-order-nationalintelligence-grid-databases

^[15] http://www.business-standard.com/article/current-affairs/natgrid-to-use-big-data-analytics-to-track-suspects-1

^[16] http://sflc.in/wp-content/uploads/2014/09/SFLC-FINAL-SURVEILLANCE-REPORT.pdf

^[17] http://indiatoday.intoday.in/story/natgrid-gets-green-nod-but-hurdles-remain/1/543087.html

^[18] http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece

^[19] ibid

^[20] http://www.thehoot.org/story_popup/no-escaping-the-surveillance-state-8742

^[21] http://ncrb.gov.in/BureauDivisions/CCTNS/cctns.htm

^[22] ibid

^[23] http://economictimes.indiatimes.com/news/politics-and-nation/ncrb-to-connect-police-stations-and-crime-data-across-country-in-6-months/articleshow/45029398.cms

^[24] http://indiatoday.intoday.in/education/story/crime-criminal-tracking-network-system/1/744164.html

^[25] http://www.dailypioneer.com/nation/govt-cctns-to-be-operational-by-2017.html

^[26] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data

^[27] Surveillance, Snowden, and Big Data: Capacities, consequences, critique: http://journals.sagepub.com/doi/pdf/10.1177/2053951714541861

^[28] http://www.thehindubusinessline.com/industry-and-economy/info-tech/article2978636.ece

^[29] See previous section in the article “NTRO”

^[30] Van Dijck, José. "Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology." Surveillance & Society 12.2 (2014): 197.

^[31] http://www.dailymail.co.uk/indiahome/indianews/article-3353230/Nat-Grid-knots-India-s-delayed-counter-terror-programme-gets-approval-green-body-red-tape-stall-further.html

^[32] http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext

^[33] https://freedomhouse.org/report/freedom-press/2015/india

^[34] http://blogs.wsj.com/indiarealtime/2014/06/05/indias-snooping-and-snowden/

^[35] http://articles.economictimes.indiatimes.com/2012-03-10/news/31143069_1_scanning-internet-monitoring-system-internet-data

^[36] http://economictimes.indiatimes.com/tech/internet/government-to-launch-netra-for-internet-surveillance/articleshow/27438893.cms

^[37] http://trak.in/internet/indian-internet-traffic-8tbps-2017/

^[38] http://www.economist.com/news/briefing/21579473-americas-national-security-agency-collects-more-information-most-people-thought-will

^[39] http://www.washingtonsblog.com/2013/07/the-fact-that-mass-surveillance-doesnt-keep-us-safe-goes-mainstream.html

^[40] http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/

^[41] Supra Note 35

^[42] http://www.papillonfoundation.org/information/global-crime-database/

^[43] http://www.thehindu.com/opinion/editorial/Revive-NATGRID-with-safeguards/article13975243.ece

For more details visit https://cis-india.org/internet-governance/blog/the-design-technology-behind-india2019s-surveillance-programmes

The dark side of future tech: Where are we headed on privacy, security, truth?

Admin — 2018-12-30T09:24:40Z

#2018 Year-End Special: We now live in a time when devices listen, chips track your choices, and governments can watch from behind a barcode. How do we navigate this world?

The article by Dipanjan Sinha was published in the Hindustan Times on December 29, 2018. Pranesh Prakash was quoted.

“One of the definitions of sanity is the ability to tell real from unreal. Soon we’ll need a new definition,” Alvin Toffler, author of the 1970 bestseller Future Shock, once said.

Privacy. Security. Freedom. Democracy. History. News — the lines between the real and unreal are blurring in each of these fields.

Fake news is helping decide elections; history being rewritten as it happens; rumour has become identical in look, feel and distribution to the actual news.

Devices that listen, governments that watch you from behind a barcode, chips that track where you go, what you eat, how you feel — these used to be the stuff of dystopian novels.

In April, the world learnt of the Chinese government’s social credit system, a programme currently in the works that would employ private technology platforms and local councils to use personal data to assign a social score to every registered citizen.

Behave as the state wants you to, and you could get cheaper loans, easier access to education; it’s unclear what the consequences could be for those who do the opposite, but discredits are likely for bad behaviours that range from smoking in non-smoking zones to buying ‘too many’ video games, and being critical of the government.

We’ve seen this before — totalitarian governments where the individual is under constant surveillance by a state that pretends this is for the greater good. But the last time we came across it, it was fiction — George Orwell’s 1984, set in a superstate where thought police took their orders from a totalitarian leader with a friendly name, Big Brother.

CATCH-22

“Just because you’re paranoid doesn’t mean they aren’t out to get you,” Joseph Heller said, in Catch-22, a novel so layered that you’re never sure which bits are true. Who gets access to the data your phone collects? What is the government watching for, after they’ve assigned citizens unique IDs?

It feels good to be able to criticise China, still something of an anomaly in a global community that is largely democratic and free-market, but the UK had a National Identity Cards Act from 2006 to 2010; India has the Aadhar project; Brazil has had the National Civil Identification document since 2017; Germany, a national identity card since 2010, and Colombia has had one since 2013.

They’re collecting biometric data, assigning numbers to citizens and building national registers — with not much word on what’s in them, who has access, or how secure they are.

“To ask what the risk is with accumulating such big data is like asking what the risk is with computers. They are both embedded in our lives,” says Pranesh Prakash, a fellow at the thinktank Centre for Internet and Society.

Security is just the base layer in the pyramid if risks. There is also the risk of discrimination — whether in terms of benefits, employment, or something like marriage, Prakash says. There is the risk of bad data leading to worse discrimination; there is the risk of public profiling.

“The question here is about transparency,” Prakash says. “The questions of what the data contains, who it is accessed by or sold do, how much of it there is, and what the purpose is of collecting it — need to be clearly answered.”

OPERATION THEATRE

New questions are being asked in the field of medicine as well. Where do you draw the line on designer babies? Should parents get to edit the genes of their child-to-be? How much ought we to tinker — do you stop at mutations, or go on to decide hair colour and intellect?

As it becomes cheaper and easier to sequence DNA, the questions over the next steps — of interpreting and analysing the data — will become more complex, says K VijayRaghavan, principal scientific adviser to the government of India, and former director of the National Centre for Biological Sciences. “From here on, with the data deluge, deciding what and how to do it will become fiendishly complex. Especially as commercial interests become involved.”

We have rules and laws for the use of DNA information in research, but corresponding laws that regulate how one can use personal whole genome information in the public space are still being framed. “The data-privacy discussion will soon get to the genomic-data space,” VijayRaghavan says. “Data sharing is needed for patients to benefit. Yet data privacy is needed to prevent exploitative use. It’s a conundrum, and there are no easy answers.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-dipanjan-sinha-december-29-2018-the-dark-side-of-future-tech

The Dangers Of Aadhaar-Based Payments That No One Is Talking About

praskrishna — 2017-01-17T14:39:53Z

Less than three months ago, India’s banking sector was hit by a data breach which compromised 32 lakh debit cards and led to fraudulent transactions worth Rs 1.3 crore.

The article by Mayank Jain was published by Bloomberg on January 17, 2017. Sunil Abraham was quoted.

The incident started a debate around security of payment systems. But the debate had just about begun when the government’s demonetisation decision dragged attention away from it. Now as the dust settles and as the government starts to push newer means of digital payments, the focus is back on the security of systems being seen as an alternative to cash.

One such system is Aadhaar-based payments which could potentially allow citizens to pay anytime anywhere with the tap of a finger.

In theory, it sounds simple.

The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.

The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.

National Payments Corporation of India has developed this payments infrastructure over the existing Aadhaar-Enabled Payments System, the railroad on which the public distribution system has been functioning for years now.

Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog said, earlier this month, that all cards and point-of-sale machines will become redundant in the country in the next two-and-a-half years as Aadhaar-based payments become popular.

A Double-Edged Sword

While payments authenticated by biometrics sound like a good idea in a country where less than one in three people actually own a smartphone, there are fears that integrating biometrics with digital payments could prove to be a security headache.

The first part of the problem is that Aadhaar, while effective, is not a fool-proof method of authentication and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply transfer some of these vulnerabilities.

The possibility of transaction failures due to a biometric mismatch are real, admitted a former high-ranking official from the Unique Identification Authority of India (UIDAI) who spoke to BloombergQuint on the condition of anonymity.

Officially, the false reject rate – rejection of a biometric when it’s actually correct – is set at a maximum of 2 percent for devices that get certified from the UIDAI. On the ground, however, failure rates vary widely, said the official quoted above.

According to the official statistics on UIDAI, more than 16 lakh Aadhaar-authentication requests failed in the past week. The type of errors encountered ranged from the biometric data not matching the database to demographic details not checking out.

The failure rates on Aadhaar Enabled Payment System for interbank transactions (which is a part of all Aadhaar authentication requests) were found to be as high as 60 percent by the Watal Committee on digital payments which published its report in December.

Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.

Biometrics aren’t an exact science, the official quoted above said, while adding that possible glitches have to be weighed against the benefits of offering a widely accessible non-cash mode of payment to citizens.

How Easy Is It To Beat The System?

Sunil Abraham, executive director of Bangalore based research organisation Center for Internet and Society (CIS) said that one way to assess how secure a system is to understand the cost and effort that goes into breaching it.

In the case of Aadhaar-based payment systems, the costs may not be high.

“There’s the gummy finger method which essentially requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there,” said Abraham in a phone conversation with BloombergQuint. “An average person can’t clone a smart card. Just fevicol and glue can help you make a gummy finger. The biometric lobby will say that advanced scanners defeat the gummy finger attack but more advanced scanners are also more expensive.”

Also, using more sensitive devices could push up the instance of false rejection of transactions, said Abraham.

There are other concerns. Like the fact that devices used for Aadhaar identification could store personal information, which, in turn, could be susceptible to a breach.

There are five main components in an Aadhaar app transaction – the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer’s data is vulnerable to attack.
Bhairav Acharya, Program Fellow, New America

Acharya, who works at a U.S.-based think tank called New America and focuses on cyber-law, said the key concern is that Aadhaar data can be stolen and misused.

“The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.”

The biometric data collected on the authentication device at a merchant location can potentially be stored on the device as well as the smartphone of a merchant for a long time. Abraham added that there is a possibility that non-certified devices will enter the market, which can store data and use it in the future to do fraudulent transactions.

The concerns over potential misuse of biometric data by private agencies has also been highlighted by the Supreme Court of India. Earlier this month, the apex court refused to expedite the hearing on a petition regarding Aadhaar being utilised for multiple use cases by private companies. It, however, observed that private agencies collecting biometric data “is not a great idea”.

Deficient Privacy Laws

Apar Gupta, a Delhi-based lawyer working on cyber security, says that the lack of strong privacy protecting provisions is another concern that should be kept in mind while moving towards an Aadhaar-based payment system.

“The data stays for a long time with the stakeholders in the system. The requesting agency can keep it for seven years and the UIDAI can store it for five years. There are insufficient safeguards and there’s an absence of privacy law and an independent privacy regulator,” he said.

Acharya agreed.

India does not have the necessary laws to deal with a decentralised, biometrically-authenticated, mobile payments system, according to Acharya.

“Moreover, current laws and policies regarding the Aadhaar project, particularly the centralised database, are inadequate from the point of view of data security and end-user privacy,” he said.

Abraham of CIS said the issue is wider than Aadhaar. The problem is the lack of a strong data security law.

We only have a minimal data security law under the Section 43A of the Information and Technology Act which only applies to the private sector. There’s no law that applies to the government. Even 43A has not been applied consistently. There’s no place for you to go and complain if your identity has been compromised.
Sunil Abraham, Executive Director, Centre for Internet & Society

Gupta noted that, in the event of an identity threat, avenues of recourse are also limited. He said the best option is an appeal in the civil court, which is a long drawn out process.

In final analysis, according to Abraham, credit and debit cards are easier to secure as access can be revoked quickly.

“The trouble with biometrics is that the chain of trust is harder to establish because too many people can get access to biometrics and then you need to devise these convoluted solutions like hardware secure zones,” Abraham said.

“So the advantage of going with a smart card is that it can be easily re-secured, but with biometrics, once I compromise it, it’s lifelong.”

For more details visit https://cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about

The crown of thorns that awaits Facebook’s India MD hire

Admin — 2018-07-29T02:00:23Z

Between 2015 to 2017, Facebook nearly doubled its user base to about 250 million in India. The two other popular Facebook products, WhatsApp and Instagram, became swimmingly popular in the country, too – the messaging platform counts 200 million users here and the photos and videos sharing app some 60 million.

The article by Sunny Sen and Jayadevan PK was published by Factor Daily on July 25, 2018. Sunil Abraham was quoted.

By advertising metrics, such a reach – buttressed by usage through the day – is unprecedented and unrivalled. That should make Facebook India the most powerful advertising platform in the country. And, by corollary, its managing director or CEO among the most powerful executives in India, right?

Yes, except that no such person exists.

The corner room position at Facebook India has been unoccupied since October last year despite an extensive search (even on LinkedIn), a $2-million compensation package, and the immense power that comes with the job.

Long, winding months of search – there have been extensive meetings with more than half a dozen shortlisted candidates – are yet to culminate in an announcement that will tell the Indian advertising and media world who will lead Facebook in India, the social media giant’s second-largest market by several metrics.

Why? To put it simply, a yawning trust deficit and the difficulty in fixing it. A deficit that Facebook faces with almost all stakeholders in its ecosystem: users, regulators, advertisers, publishers, and agencies.

In India, the trust gap with regulators began to form with founder Mark Zuckerberg’s pet Free Basics program of early 2015 that ran afoul of net neutrality principles. India’s telecom regulator intervened and the project was ultimately shuttered in February 2016.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns.

Facebook tried to change public perception of Free Basics by running multi-million advertising campaigns – billboards, newspaper advertisements, and the works – but the scepticism and opposition from large swathes of the startup ecosystem, proponents of net neutrality, and many Facebook users saw it in. Facebook also has an important case in the Supreme Court from last year, where petitioners have challenged the sharing of data between Facebook, WhatsApp, and third parties. If that was not all, the Cambridge Analytica scandal from early 2018 has all but singed the company’s reputation – its actions in the country have been questioned by the government with one minister even saying he would subpoena Zuckerberg if needed. The recent spate of lynchings, some traced to rumours that spread on WhatsApp, had the government asking the messaging platform what it is doing to stop the killings.

Facebook’s troubles with publishers is well documented. First, it was accused of promoting clickbaity content that forced people to spend more and more time on the platform. After Facebook changed news feed algorithms to show more of friends and family related content and less of news, publishers who had dived headlong into the Facebook ecosystem felt jilted. “Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms… it will try to drive traffic directly to its own websites,” said Abneesh Roy, senior vice president at Edelweiss Capital, a Mumbai investment bank.

“Media companies are not making much money from Facebook. DB Corp has said that it is not getting enough revenue from social media so it is taking its content off the platforms”

Agencies, who often play a cosy role mediating between the buyers of advertisement space or time and the sellers, don’t like digital platforms such as Facebook and Google because both ultimately aim to disintermediate agencies through a set of self-service tools. The suspicion is rooted in commissions that are squeezed by the digital platforms: while print, TV and other media platforms pay a generous 15% or more commission on ad billings, agencies receive only 2% to 4 % from Facebook and 8% to 10% from Google. The digital platforms get away – or, at least, have gotten away so far thanks to the scale and low costs they operate at.

Overall, all this makes Facebook look ogreish that it – and, importantly, its people – may not be in real life. But, American writer Terry Goodkind’s “Reality is irrelevant; perception is everything

” holds true more than ever in the times we live and public perception is hurting the company in India. At least a dozen people, both from within, close and around the company, have told FactorDaily that while user metrics continue to grow strongly in India, especially on the back of an upsurge of data use in India in the last two years (thanks to Reliance Jio), Facebook India is a little at sea. “Facebook needs a face like Rajan Anandan is for Google,” is how one person with close knowledge of the situation put it. Anandan is vice president, South East Asia and India for Google and is its face for the company in this part of the world.

Facebook did not respond to a request mailed for comments.

Hotshot names all but…

Facebook is said to have interviewed – a few of these conversations continue – some of the top names from the India corporate landscape for its India CEO position: Star India MD Sanjay Gupta; Ajit Mohan, CEO, Hotstar; Sameer Nair, CEO, Applause Entertainment, part of the Aditya Birla Group; D Shivakumar, group president, strategy at the Aditya Birla Group; Tata Sky MD Harit Nagpal; Sudhanshu Vats, Viacom18 group CEO; and Sudhir Sitapati, executive director-refreshments at Hindustan Unilever. The hiring conversations even covered Srivatsa Krishna, an Indian Administrative Service officer who was the Karnataka IT secretary until last year.

Some of these people confirmed to FactorDaily they had been reached out to by Facebook and the headhunter Spencer Stuart it has engaged for the task, one denied it, and others didn’t respond to requests for comment.

Mohan and Nair have an edge, according to a hiring firm source and one of the other candidates. “We have heard quite a few names but it seems that Ajit Mohan is a front-runner. He has successfully built Hotstar,” a Facebook insider told FactorDaily, on the condition of anonymity because he is not authorised to speak with the media.

A person with knowledge of the job position said that Facebook was gravitating towards someone with experience in the media industry. “They believe that they are in the content game and want to build that cache,” the person said describing his conversations with David Fischer, Facebook’s vice president of business and marketing partnerships, who is leading the CEO search.

More details were not immediately available on what Facebook wants in a person for the role. “I’m sorry but Spencer Stuart is under confidentiality agreements and may not talk about its work,” a spokesperson for the headhunter said on email.

Facebook’s India leadership crisis, ironically, comes from its stupendous success in the country. India was more a development outpost for the social media giant when it started here in 2010 with a centre in Hyderabad. Kirthiga Reddy, its first Indian employee, transitioned into a market-facing India managing director role when Facebook saw its user base here explode a couple of years later. “She did a great job with setting the foundations of relationships with the big advertisers and agencies here,” said the person with knowledge of the open CEO position quoted earlier. Her successor Umang Bedi, too, was into a sales-heavy role with demand for ad inventory going through the roof at Facebook India.

But, with its growing presence – the company closed calendar 2017 with $700 million in sales, including spots bought by small businesses by swiping a credit card which typically gets registered outside India – the role of the India managing director now has to change, Facebook seems to have acknowledged. When Reddy’s successor, Bedi was the managing director, India, he reported into Dan Neary, vice president for Asia Pacific at Facebook. Neary’s boss was Carolyn Everson, vice president, global marketing solutions at Facebook, who, in turn, reported to Fischer.

“For David, India is a big thing. Sheryl (Sandberg) brought him from Google… He understands India well,” said a second source close to Facebook. Sources say Facebook is thinking of making the reporting relationship of the India MD directly into Fischer cutting two layers from the hierarchy.

“You need a grown-up to lead the market. The kind of role (of a sales head) didn’t help anymore,” said a third source, close to Facebook. “It was like a merry-go-round, especially with the kind of problems (Facebook) India was facing from FreeBasics to fake news.”

The missing hand at the wheel

Without a country head, Facebook India is missing on a lot of things. Like any other country head, the role of the new India head will be that of an ambassador at Facebook’s headquarters in Menlo Park, California. A map-tap approach of a leader achieving numbers isn’t enough. “It is very bad for FB or any company to go headless in a rapidly growing market like India,” said Kavil Ramachandran, Thomas Schmidheiny chair professor of family business and wealth management, Indian School of Business.

The leader will not only have to lobby for investments but also show that India is not a problem child. The company will have to have a growth story of every app and every product that gets rolled out in India. “Why shouldn’t there be a product coming out of India to fight fake news and why does everything have to go up to Dublin,” the third source said. Dublin is where Facebook does a lot of its development work in Europe.

Apart from Facebook Lite, there is no other product that is aimed at the Indian user. Google, in contrast, offers a slew of them like YouTube Go and Google Tez and projects such as Google Wifi or Internet Saathis – all initiatives rooted or aimed at India. Even Apple, with all its premium swag, is looking at India to build maps and brought out the iPhone SE to stay relevant among Indian buyers.

Ramachandran helps put the difficulty of finding someone to fill Facebook’s India MD position – Bedi announced his resignation last October – in context. “Typically, this happens when the job is not attractive for various reasons. In the case of FB, it can’t be money. Then what? Most likely, potential legal implications of any action that may not be under the control of the country head. If the head office does something and the company is breaching the country’s law, the local head will be liable or potentially so. (Cambridge) Analytica is a case in point,” he said.

“Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course.”

Then, there is the question of building trust in a sullied platform. “Basically Facebook has lost consumer trust over the years because they don’t consistently tell the truth, the whole truth and nothing but the truth. Headquarters has a lot to learn from the India team in terms of sophistication and honesty in the regulatory debate. The Californian ideology has run its course,” said Sunil Abraham, executive director of Bengaluru-based Centre for Internet and Society. The California reference is to the brazen manner in which San Francisco-based platforms have grown unmindful of the law and societal norms at times.

At the end of the day, Facebook is valuable to customers as it is able to tell brands what customers want and thus help target ads. The internal thinking, some of which finds some takers in the advertising fraternity, is that Facebook has headroom in sales growth waiting to be grabbed. They point to Google’s India revenues of over $1 billion or nearly Rs 6,900 crore, and projections for the Indian digital ad market of some Rs 19,000 crore by 2020. The real value of the Indian digital ad market is actually a lot more: the estimates understate what is actually made because many companies register their ad revenue in tax havens to lower the incidence of tax on them.

But signing on potential revenues is easier said than done. “In the past one year, our digital ad spend has grown five times. Almost two-thirds of that increased spending has gone to Google,” said a marketing executive with a large two-wheeler company, hinting that Facebook has lost at least a large portion of the incremental revenue. He did not want his name taken in this story because the company doesn’t disclose how it splits its ad spends.

The marketing head of a leading carmaker said that Facebook is very good when it comes to narrowly targeting people but search-based advertising is still big in India. Many of his company’s dealers prefer campaigns on Google and “that is why a large portion of digital revenue is being cornered by Google,” this executive said.

The CEO of a consumer durables company said being on Facebook was “unsexy” now. “There has been so much of trust issues with Facebook that I don’t want my product to be seen there so often… I have scaled down on my Facebook budget,” the CEO said without sharing more details.

An image makeover, then, will be the new India MD’s biggest task and global bosses don’t want it lost in the hierarchical process that most MNCs operate in. The bosses want someone who can take India from $500 million to $5 billion. Fast.

Preparing an organisation for that kind of growth means resourcing it with people who have handled scale in the past or have the potential to do so. Take the example of Nokia – now gone and buried as a brand but 10 years ago, it was India’s biggest MNC. When Shivakumar, now with Aditya Birla Group, was hired as its India managing director in 2006, Nokia had understood the potential that the country offered. The goal was to grow operations of half a billion dollars manifold. Nokia India became a company with $4 billion in sales in the 2008-2009 period. One way to assess that performance is to check where the team that delivered the vision is today. Vipul Sabharwal, whose five-year stint with Nokia ended in 2011 as sales director is now managing director of Luminous Power. V Ramnath, who also left Nokia as its sales director in 2013 is managing director, Racold Thermo. Vineet Taneja, head of marketing at Nokia when he is left in 2010, is now CEO of Dyson in India after stints in between at Bharti Airtel and Samsung India. Poonam Kaul, former director of communications at Nokia, is director of marketing at Apple India now.

Large operations need capable people and Facebook is missing its go-to person in India badly. This is evident in its ask of the CEO candidate here and the changes it is willing to put in place. Gurprriet Siingh, senior client partner with headhunter Korn Ferry, said that there are three reasons why the India head role has been moved closer to the US: to speed up decision-making, to signal the importance of India, and to give context to the individual of what is expected. “A managing director’s role is to manage investors, customers, sales, regulators and government relations,” Siingh added.

With great powers come great responsibilities. That line, immortalised in Spiderman movies, will be playing on the minds of the person who signs up for the Facebook India job. With one tweak: “With great powers come great responsibilities. And, a lot to do.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sunny-sen-and-jayadevan-pk-july-25-2018-the-crown-of-thorns-that-awaits-facebook-india-md-hire

The Criminal Law Amendment Bill 2013 — Penalising 'Peeping Toms' and Other Privacy Issues

divij — 2013-07-12T12:17:06Z

The pending amendments to the Indian Penal Code, if passed in their current format, would be a huge boost for individual physical privacy by criminalising stalking and sexually-tinted voyeurism and removing the ambiguities in Indian law which threaten the privacy and dignity of individuals.

The author, Divij Joshi is a law student at NLS and is interning with CIS for its privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

What is the Criminal Law (Amendment) Bill, 2013? What will it change?
The Criminal Law (Amendment) Bill is a bill which is to be introduced in the Indian Parliament, which will replace the Criminal Law (Amendment) Ordinance, 2013[1] currently in force, and aims at amending the existing provisions in criminal law in order to improve the safety of women. The Bill seeks to make changes to the Indian Penal Code, the Code of Criminal Procedure, and the Indian Evidence Act. The Bill will introduce unprecedented provisions in the Indian Penal Code which would criminalise sexual voyeurism and stalking and would amend legal provisions to protect the privacy of individuals, such as discontinuing the practice of examination of the sexual history of the victim of a sexual assault for evidence. With instances of threats to individual privacy on the rise in India, [2] it is high time that the criminal law expands its scope to deal with offences which violate physical privacy.

What threats to privacy will the Act address?
The Act will address the following violations of physical privacy:

Stalking
Draft provision: The ordinance introduces the offence of stalking under Section 345D of the Indian Penal Code, and makes it punishable by imprisonment of not less than one year, which may extend to three years, and a fine. The provision prescribes that ‘Whoever follows a person and contacts, or attempts to contact such person to foster personal interaction repeatedly, despite a clear indication of disinterest by such person, or whoever monitors the use by a person of the internet, email or any other form of electronic communication, or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person.’ Hence, under the new law, constant, unwanted interaction of any one person with another, for any reason, can be made punishable, if the actions results in fear of violence or distress in any person, or interferes with their mental peace.

Current law and need for amendment: Stalking is generally characterized by unwanted and obsessive harassment or persecution of one person by another. Stalking can be a physical act such as constantly following a person, or can be done through electronic means — usually the internet (known as cyberstalking). Stalking may or may not be an act which physically threatens the security of an individual; however, it can cause mental trauma and fear to the person being stalked. Stalking is a blatant intrusion into an individual’s privacy, where the stalker attempts to establish relationships with their victim which the victim does not consent to and is not comfortable with. The stalker also intrudes into the victim’s private life by collecting or attempting to collect personal information the victim may not want to disclose, such as phone numbers or addresses, and misusing it. If the stalker is left undeterred to continue such actions, it can even lead to a threat to the safety of the victim. Cyber-stalking is a phenomenon which can prove to be even more invasive and detrimental to privacy, as most cyber-stalkers attempt to gain access to private information of the victims so that they can misuse it. Stalking, in any form, degrades the privacy of the victim by taking away their choice to use their personal information in ways they deem fit. [3] Recognizing stalking as an offence would not only protect the physical privacy rights of the victims, but also nip potentially violent crimes in the bud.

Many nations including Australia, the United States of America and Japan have penal provisions which criminalise stalking. [4] In India however, there is no appropriate response to stalking as an offence — either in its physical or electronic forms. The Information Technology Act, the legislation purported to deal with instances of cyber-crimes, overlooks instances of breach of online privacy and stalking which does not lead to publication of obscene images or other obvious manifestations of physical or mental threat. The general provision under which victims of stalking can file complaints is Section 509 of the Indian Penal Code (IPC), which states that — ‘Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to one year, or with fine, or with both.’There are several problems with using this section as a response to stalking. Without a particular definition of what comes under the scope of ‘intrusion of privacy’ under this section, there is reluctance both for the victim to approach the police and for the police to file the complaint. Usually the offence is coupled with some other form of harassment or violence, and the breach of privacy and trauma is not considered as a separate offence. For example, if a person is continuously following or trying to contact you without your consent or approval, but does not physically threaten or insult you, there is no protection in law against such a person. Hence, as pointed out, there is a need to recognize the breach of privacy as a separate ground of offence, notwithstanding other physical or mental grounds. Secondly, the provisions of this section require the criminal to have the ‘intent of insulting the modesty of a woman’. Aside from the difficulties in adjudging the ‘modesty’ of a woman, the provision limits the scope of harassment to only that which intends to insult the modesty of a woman and excludes any other intention as criminal behaviour. The present law amends these problems by disregarding the reason or intent for the behaviour, and by clearly defining the elements of the offence and making stalking as a stand-alone, punishable offence.

Sexual Voyeurism

Draft provision: The Act will add Section 345D to the Indian Penal Code, which reads as follows — ‘Whoever watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years, and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.

Explanation 1.–– For the purposes of this section, “private act” includes an act carried out in a place which, in the circumstances, would reasonably be expected to provide privacy, and where the victim's genitals, buttocks or breasts are exposed or covered only in underwear; or the victim is using a lavatory; or the person is doing a sexual act that is not of a kind ordinarily done in public.

Explanation 2.–– Where the victim consents to the capture of images or any act, but not to their dissemination to third persons and where such image or act is disseminated, such dissemination shall be considered an offence under this section.’

The provision seeks to protect victims of voyeurism, who have been watched, or recorded, without their consent and under circumstances where the victim could reasonably expect privacy, and where the victim’s genitals, buttocks or breasts have been exposed. A reasonable expectation of privacy means that in the circumstances, whether in a public or a private place, the victim has a reasonable expectation that she is not being observed engaging in private acts such as disrobing or sexual acts. The test of reasonable expectation of privacy can be derived from similar provisions in voyeurism laws across the world, and also section 66E of the Information Technology Act.[5] It is particularly important because voyeurism does not necessarily take place in private places like the victims home, but also in public spaces where there is generally an expectation that exposed parts of one’s body are not viewed by anyone.

Current law and need for amendment: A ‘voyeur’ is generally defined as "a person who derives sexual gratification from the covert observation of others as they undress or engage in sexual activities." [6] Voyeurism is the act of a person who, usually for sexual gratification, observes, captures or distributes the images of another person without their consent or knowledge. With the development in video and image capturing technologies, observation of individuals engaged in private acts in both public and private places, through surreptitious means, has become both easier and more common. Cameras or viewing holes may be placed in changing rooms or public toilets, which are public spaces where individuals generally expect a reasonable degree of privacy, and where their body may be exposed. Voyeurism is an act which blatantly defies reasonable expectations of privacy that individuals have about their bodies, such as controlling its exposure to others.[7] Voyeurism is an offence to both the privacy as well as the dignity of a person, by infringing upon the right of individuals to control the exposure of their bodies without their consent or knowledge, either through unwarranted observation of the individual, or through distribution of images or videos against the wishes or without the knowledge of the victim.

Voyeurism is a criminal offence in many jurisdictions across the world such as Australia,[8] the United States,[9] Canada,[10] and the UK,[11] which criminalise either the capturing of certain images, or observation of individuals, or both. In India, the capturing, distribution and transferring of images of ‘private areas’ of a person’s body, under circumstances where the person would have a reasonable expectation of privacy that their body would not be exposed to public view, is punishable with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. However, this does not cover instances where a person observes another in places and situations where they do not consent to being observed. The inclusion of voyeurism as an offence in the IPC would close several loopholes in the voyeurism law and hopefully be a precedent for the state to better work towards securing the bodily privacy of its citizens.

Examination of Sexual History and Privacy
Draft provision: The amendment to Section 53A of the Indian Evidence Act in the Bill reads, “In a prosecution for an offence under section 354, section 354A, section 354B, section 354C, sub-section (1) or sub-section (2) of section 376, section 376A, section 376B, section 376C, section 376D or section 376E of the Indian Penal Code or for attempt to commit any such offence, where the question of consent is in issue, evidence of the character of the victim or of such person’s previous sexual experience with any person shall not be relevant on the issue of such consent or the quality of consent.”

A similar proviso is added to Section 376 of the Indian Evidence Act.

According to the above provision, in a trial for sexual assault or rape the evidence supplied of a victim’s previous sexual experience or her ‘character’ would not be admissible as relevant evidence to determine the fact of the consent or the quality of the consent.

Current law and need for amendment: The Indian Evidence Act is the legislation which governs the admissibility of evidence in the different courts. In cases of rape or sexual assault and related crimes, the evidence of consent often considered is not just that of the consent of the woman in the act at that time itself, but rather her previous sexual experience and “promiscuous character”. Even though it has been widely censured by the highest court,[12] such practices continue to dominate and prejudice the justice of victims of sexual assault and harassment.[13] The examination of the victim’s sexual history in court is an unwarranted intrusion into their privacy through public disclosure of the sexual history and details of her sexual life, which causes potential embarrassment and sexual stereotyping of the victim, especially in a conservative, patriarchal society like in India. With the new amendments, such evidence will not be permitted in a court of law, hence, it will act as a safeguards against defendants attempting to influence the court's decision through disparaging the ‘character’ of the victim, and will protect the disclosure of intimate, personal details like previous sexual encounters of the victim.

Conclusion
Privacy, crime, and safety of women are intricately linked in any legal system. An essential part of the security of citizens is the safety of their privacy and personal information. If any legal system does not protect the privacy — both of body and of information — of its people, there will always be insecurity in such a system. With the recent debates on women’s safety, several crucial privacy and security issues have been raised, such as the criminalization of voyeurism and stalking, which is a huge boost for privacy rights of citizens in India, and it is hopeful that the government will continue the trend of considering privacy issues along when addressing security concerns for the state.

Update to the Criminal Law Amendment Bill 2013 - Penalising Peeping Toms and other privacy issues

The Criminal Law (Amendment) Bill, 2013, was made into law on April 3, 2013. Several provisions under the Act differ from the provisions in the ordinance. Under the Act, unlike in the Ordinance, the terms or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person are not included as a part of the offence of stalking. Hence, the offence is limited to the physical act of following or contacting a person, provided that there has been a clear sign of disinterest, or to monitoring the use by a woman of the internet, email or any other forms of electronic communication.

Hence, from the confusing language of the provision, it would seem that the offence of stalking related to monitoring of activities of a woman is restricted to the monitoring of online communications, and not physical acts. The caveat of such monitoring having to cause serious alarm, distress or interference with the mental peace of the victim is also removed. The removal of unwaranted intrusion through watching or spying of a person, and indeed, the removal of any subjective test to determine the effect of stalking is a departure from stalking provisions accross the world, and is a setback for individual privacy, because stalking per se is a privacy offence, relating not only to the physical interference but also the mental harassment it causes to the victims.

The provision has also increased the puinishment for the crime in the first offence to upto three years, and subsequently to upto five years. Further, the provisions sought to be included within Section 53A and Section 376 of the Indian Evidence Act are now included in Section 146 of the Act.

Link to the Criminal Law (Amendment) Act, 2013

[1]. Criminal Law (Amendment) Ordinance, 2013, available at http://mha.nic.in/pdfs/criminalLawAmndmt-040213.pdf

[2]. http://bit.ly/10nMSTT

[3]. Anita Gurumurthy and Nivedita Menon, Violence against Women via Cyberspace, Economic and Political Weekly, 44 (40), 19, (October, 2009).

[4]. For example, see laws listed http://bit.ly/126hBpO

[5]. Section 66E, The Information Technology Act, 2000: ‘66E. Punishment for violation of privacy.- Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation - For the purposes of this section--

(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that--(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[6]. Oxford English Dictionary, available at http://bit.ly/YN2ZvI

[7]. Lance Rothenberg, Rethinking Privacy: Peeping Toms, Video Voyeurs, and the failure of criminal law to recognize a reasonable expectation of privacy in the public space, American University Law Review, 49, 1127, (1999).

[8]. Section 91J, Crimes Act, 1910: "A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act without the consent of the person being observed to being observed for that purpose, and knowing that the person being observed does not consent to being observed for that purpose, is guilty of an offence."

[9]. Video Voyeurism Protection Act, 2004.

[10]. Section 162, Criminal Code of Canada: " (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if
(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;
(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or
(c) the observation or recording is done for a sexual purpose.

[11]. Section 67, Sexual Offences Act, 2003.

[12]. http://bit.ly/10nNDwg

[13]. http://reut.rs/13CIDXU

For more details visit https://cis-india.org/internet-governance/blog/the-criminal-law-amendment-bill-2013

The Constitutionality of Indian Surveillance Law: Public Emergency as a Condition Precedent for Intercepting Communications

bedaavyasa — 2014-08-04T04:52:42Z

Bedavyasa Mohanty analyses the nuances of interception of communications under the Indian Telegraph Act and the Indian Post Office Act. In this post he explores the historical bases of surveillance law in India and examines whether the administrative powers of intercepting communications are Constitutionally compatible.

Introduction

State authorised surveillance in India derives its basis from two colonial legislations; §26 of the Indian Post Office Act, 1898 and §5 of the Telegraph Act, 1885 (hereinafter the Act) provide for the interception of postal articles[1] and messages transmitted via telegraph[2] respectively. Both of these sections, which are analogous, provide that the powers laid down therein can only be invoked on the occurrence of a public emergency or in the interest of public safety. The task of issuing orders for interception of communications is vested in an officer authorised by the Central or the State government. This blog examines whether the preconditions set by the legislature for allowing interception act as adequate safeguards. The second part of the blog analyses the limits of discretionary power given to such authorised officers to intercept and detain communications.

Surveillance by law enforcement agencies constitutes a breach of a citizen’s Fundamental Rights of privacy and the Freedom of Speech and Expression. It must therefore be justified against compelling arguments against violations of civil rights. Right to privacy in India has long been considered too ‘broad and moralistic’[3] to be defined judicially. The judiciary, though, has been careful enough to not assign an unbound interpretation to it. It has recognised that the breach of privacy has to be balanced against a compelling public interest [4] and has to be decided on a careful examination of the facts of a certain case. In the same breath, Indian courts have also legitimised surveillance by the state as long as such surveillance is not illegal or unobtrusive and is within bounds [5]. While determining what constitutes legal surveillance, courts have rejected “prior judicial scrutiny” as a mandatory requirement and have held that administrative safeguards are sufficient to legitimise an act of surveillance. [6]

Conditions Precedent for Ordering Interception

§§5(2) of the Telegraph Act and 26(2) of the Indian Post Office Act outline a two tiered test to be satisfied before the interception of telegraphs or postal articles. The first tier consists of sine qua nons in the form of an “occurrence of public emergency” or “in the interests of public safety.” The second set of requirements under the provisions is “the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.” While vesting the power of interception in administrative officials, the sections contemplate a legal fiction where a public emergency exists and it is in the interest of sovereignty, integrity, security of the state or for the maintenance of public order/ friendly relations with foreign states. The term “public emergency,” however, has not been clearly defined by the legislature or by the courts. It thus vests arbitrary powers in a delegated official to order the interception of communication violating one’s Fundamental Rights.

Tracing the History of the Expression “Public Emergency”

The origins of the laws governing interception can be traced back to English laws of the late 19th Century; specifically one that imposed a penalty on a postal officer who delayed or intercepted a postal article.[7] This law guided the drafting of the Indian Telegraph Act in 1885 that legitimised interception of communications by the state. The expression “public emergency” appeared in the original Telegraph Act of 1885 and has been adopted in that form in all subsequent renderings of provisions relating to interception. Despite the contentious and vague nature of the expression, no consensus regarding its interpretation seems to have been arrived at. One of the first post-independence analyses of this provision was undertaken by the Law Commission in 1968. The 38th Law Commission in its report on the Indian Post Office Act, raised concerns about the constitutionality of the expression. The Law Commission was of the opinion that the term not having been defined in the constitution cannot serve as a reasonable ground for suspension of Fundamental Rights.[8] It further urged that a state of public emergency must be of such a nature that it is not secretive and is apparent to a reasonable man.[9] It thus challenged the operation of the act in its then current form where the determination of public emergency is the discretion of a delegated administrative official. The Commission, in conclusion, implored the legislature to amend the laws relating to interception to bring them in line with the Constitution. This led to the Telegraph (Amendment) Act of 1981. Questions regarding the true meaning of the expression and its potential misuse were brought up in both houses of the Parliament during passing of the amendment. The Law Ministry, however, did not issue any additional clarifications regarding the terms used in the Act. Instead, the Government claimed that the expressions used in the Act are “exactly those that are used in the Constitution.” [10] It may be of interest to note here that the Constitution of India, neither uses nor defines the term “public emergency.” Naturally, it is not contemplated as a ground for reasonably restricting Fundamental Rights provided under Article 19(1). [11] Similarly, concerns regarding the potential misuse of the powers were defended with the logically incompatible and factually inaccurate position that the law had not been misused in the past.[12]

Locating “Public Emergency” within a Proclamation of Emergency under the Constitution (?)

Public emergency in not equivalent to a proclamation of emergency under Article 352 of the Constitution simply because it was first used in legislations over six decades before the drafting of the Indian Constitution began. Besides, orders for interception of communications have also been passed when the state was not under a proclamation of emergency. Moreover, public emergency is not the only prerequisite prescribed under the Act. §5(2) states that an order for interception can be passed either on the occurrence of public emergency or in the interest of public safety. Therefore, the thresholds for the satisfaction of both have to be similar or comparable. If the threshold for the satisfaction of public emergency is understood to be as high as a proclamation of emergency then any order for interception can be passed easily under the guise of public safety. The public emergency condition will then be rendered redundant. Public emergency is therefore a condition that is separate from a proclamation of emergency.

In a similar vein the Supreme Court has also clarified[13] that terms like “public emergency” and “any emergency,” when used as statutory prerequisites, refer to the occurrence of different kinds of events. These terms cannot be equated with one another merely on the basis of the commonality of one word.

The Supreme Court in Hukam Chand v. Union of India,[14] correctly stated that the terms public emergency and public safety must “take colour from each other.” However, the court erred in defining public emergency as a situation that “raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.” This cyclic definition does not lend any clarity to the interpretive murk surrounding the term. The Act envisages public emergency as a sine qua non that must exist prior to a determination that there is a threat to public order and sovereignty and integrity of the state. The court’s interpretation on the other hand would suggest that a state of public emergency can be said to exist only when public order, sovereignty and integrity of the state are already threatened. Therefore, while conditions precedent exist for the exercise of powers under §5(2) of the Act, there are no objective standards against which they are to be tested.

Interpretation of Threshold Requirements

A similar question arose before the House of Lords in Liversidge v. Anderson.[15] The case examined the vires of an Act that vested an administrative authority with the conditional power to detain a person if there was reasonable cause to believe that the person was of hostile origin. Therein, Lord Atkin dissenting with the majority opinion stated in no unclear terms that power vested in the secretary of state was conditional and not absolute. When a conditional authority is vested in an administrative official but there aren’t any prescriptive guidelines for the determination of the preconditions, then the statute has the effect of vesting an absolute power in a delegated official. This view was also upheld by the Supreme Court in State of Madhya Pradesh v. Baldeo Prasad.[16] The court was of the opinion that a statute must not only provide adequate safeguards for the protection of innocent citizens but also require the administrative authority to be satisfied as to the existence of the conditions precedent laid down in the statute before making an order. If the statute failed to do so in respect of any condition precedent then the law suffered from an infirmity and was liable to be struck down as invalid.[17] The question of the existence of public emergency, therefore being left to the sole determination of an administrative official is an absolute and arbitrary power and is ultra vires the Constitution

Interestingly, in its original unamended form, §5 contained a provisio stating that a determination of public emergency was the sole authority of the secretary of state and such a finding could not be challenged before a court of law. It is this provision that the government repealed through the Telegraph (Amendment) Act of 1981 to bring it in line with Constitutional principles. The preceding discussion shows that the amendment did not have the effect of rectifying the law’s constitutional infirmities. Nonetheless, the original Telegraph Act and its subsequent amendment are vital for understanding the compatibility of surveillance standards with the Constitutional principles. The draconian provisio in the original act vesting absolute powers in an administrative official illustrates that the legislative intent behind the drafting of a 130 year law cannot be relied on in today’s context. Vague terms like public emergency that have been thoughtlessly adopted from a draconian law find no place in a state that seeks to guarantee to its citizens rights of free speech and expression.

Conclusion

Interception of communications under the Telegraph Act and the Indian Post office act violate not only one’s privacy but also one’s freedom of speech and expression. Besides, orders for the tapping of telephones violate not only the privacy of the individual in question but also that of the person he/she is communicating with. Considering the serious nature of this breach it is absolutely necessary that the powers enabling such interception are not only constitutionally authorised but also adequately safeguarded. The Fundamental Rights declared by Article 19(1) cannot be curtailed on any ground outside the relevant provisions of Cls. 2-6.[18] The restrictive clauses in Cls. (2)-(6) of Article 19 are exhaustive and are to be strictly construed.[19] Public emergency is not one of the conditions enumerated under Article 19 for curtailing fundamental freedoms. Moreover, it lacks adequate safeguards by vesting absolute discretionary power in a non-judicial administrative authority. Even if one were to ignore the massive potential for misuse of these powers, it is difficult to conceive that the interception provisions would stand a scrutiny of constitutionality.

Over the course of the last few years, India has been dangerously toeing the line that keeps it from turning into a totalitarian surveillance state. [20] In 2011, India was the third most intrusive state[21] with 1,699 requests for removal made to Google; in 2012 that number increased to 2529[22]. The media is abuzz with reports about the Intelligence Bureau wanting Internet Service Providers to log all customer details [23] and random citizens being videotaped by the Delhi Police for “looking suspicious.” It becomes essential under these circumstances to question where the state’s power ends and a citizens’ privacy begins. Most of the information regarding projects like the CMS and the CCTNS is murky and unconfirmed. But under the pretext of national security, government officials have refused to divulge any information regarding the kind of information included within these systems and whether any accountability measures exist. For instance, there have been conflicting opinions from various ministers regarding whether the internet would also be under the supervision of the CMS [24]. Even more importantly, citizens are unaware of what rights and remedies are available to them in instances of violation of their privacy.

The intelligence agencies that have been tasked with handling information collected under these systems have not been created under any legislation and therefore not subject to any parliamentary oversight. Attempts like the Intelligence Services (Powers and Regulation) Bill, 2011 have been shelved and not revisited since their introduction. The intelligence agencies that have been created through executive orders enjoy vast and unbridled powers that make them accountable to no one[25]. Before, vesting the Indian law enforcement agencies with sensitive information that can be so readily misused it is essential to ensure that a mechanism to check the use and misuse of that power exists. A three judge bench of the Supreme Court has recently decided to entertain a Public Interest Litigation aimed at subjecting the intelligence agencies to auditing by the Comptroller and Auditor General of India. But the PIL even if successful will still only manage to scratch the surface of all the wide and unbridled powers enjoyed by the Indian intelligence agencies. The question of the constitutionality of interception powers, however, has not been subjected to as much scrutiny as is necessary. Especially at a time when the government has been rumoured to have already obtained the capability for mass dragnet surveillance such a determination by the Indian courts cannot come soon enough.

[1] Indian Post Office Act, 1898, § 26

[2] Indian Telegraph Act, 1885 § 5(2)

[3] PUCL v. Union of India, AIR 1997 SC 568

[4] Govind vs. State of Madhya Pradesh, (1975) 2 SCC 148

[5] Malak Singh vs. State Of Punjab & Haryana, AIR 1981 SC 760

[6] Supra note 3

[7] Law Commission, Indian Post Office Act, 1898 (38^th Law Commission Report) para 84

[8] ibid

[9] id

[10] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[11] The Constitution of India, Article 358- Suspension of provisions of Article 19 during emergencies

[12] Lok Sabha Debates , Minister of Communications, Shri H.N. Bahuguna, August 9, 1972

[13] Hukam Chand v. Union of India, AIR 1976 SC 789

[14] ibid

[15] Liversidge v. Anderson [1942] A.C. 206

[16] State of M.P. v. Baldeo Prasad, AIR 1961 (SC) 293 (296)

[17] ibid

[18] Ghosh O.K. v. Joseph E.X. Air 1963 SC 812; 1963 Supp. (1) SCR 789

[19] Sakal Papers (P) Ltd. v. Union of India, AIR 1962 SC 305 (315); 1962 (3) SCR 842

[20] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[21] Willis Wee, Google Transparency Report: India Ranks as Third ‘Snoopiest’ Country, July 6, 2011 available at http://www.techinasia.com/google-transparency-report-india/ (last visited on July 2, 2014)

[22] See Notable Observations- July to December 2012, Google Transparency Report, available at http://www.google.com/transparencyreport/removals/government/ (last visited on July 2, 2014) (a 90% increase in Content removal requests by the Indian Government in the last year)

[23] Joji Thomas Philip, Intelligence Bureau wants ISPs to log all customer details, December 30, 2010 http://articles.economictimes.indiatimes.com/2010-12-30/news/27621627_1_online-privacy-internet-protocol-isps (last visited on July 2, 2014)

[24] Deepa Kurup, In the dark about ‘India’s Prism’ June 16, 2013 available at http://www.thehindu.com/sci-tech/technology/in-the-dark-about-indias-prism/article4817903.ece

[25] Saikat Dutta, We, The Eavesdropped May 3, 2010 available at http://www.outlookindia.com/article.aspx?265191 (last visited on July 2, 2014)

For more details visit https://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law

The Centre for Internet and Society’s comments and recommendations to the: The Digital Data Protection Bill 2022

Shweta Mohandas and Pallavi Bedi — 2023-01-20T02:35:30Z

The Centre for Internet & Society (CIS) published its comments and recommendations to the Digital Personal Data Protection Bill, 2022, on December 17, 2022.

High Level Comments

1. Rationale for removing the distinction between personal data and sensitive personal data is unclear.

All the earlier iterations of the Bill as well as the rules made under Section 43A of the Information Technology Act, 2000^{^[1]} had classified data into two categories; (i) personal data; and (ii) sensitive personal data. The 2022 version of the Bill has removed this distinction and clubbed all personal data under one umbrella heading of personal data. The rationale for this is unclear, as sensitive personal data means such data which could reveal or be related to eminently private data such as financial data, health data, sexual orientations and biometric data. Considering the sensitive nature of the data, the data classified as sensitive personal data is accorded higher protection and safeguards from processing, therefore by clubbing all data as personal data, the higher protection such as the need for explicit consent to the processing of sensitive personal data, the bar on processing of sensitive personal data for employment purposes has also been removed.

2. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified.^{^[2]} It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.

The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within which the Board shall be established and specific Rules and regulations notified. Considering that certain provisions have been deferred to Rules that have to be framed by the Central government, the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill. Provisions such as Section 10(1) which deals with verifiable parental consent for data of children, Section 13 (1) which states the manner in which a Data Principal can initiate a right to correction, the process of selection and functioning of consent manager under 3(7) are few such examples, that when the Act becomes applicable, the data principal will have to wait for the Rules to Act of these provisions, or to get clarity on entities created by the Act.

The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.

We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Board. This is important to give full and effective effect to the right of privacy of the individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.

The Board must ensure that Data Principals and Fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment into force. This will allow the Data Fiduciaries to align their practices with the provisions of this new legislation and the Board will also have time to define and determine certain provisions that the Bill has left the Board to define. Additionally enforcing penalties for offenses initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders which now could include data principals as well, from paying a high price. This will relieve the fear of smaller companies and startups and individuals who might fear processing data for the fear of paying penalties for offenses.

3. Independence of Data Protection Board of India.

The Bill proposes the creation of the Data Protection Board of India (Board) in place of the Data Protection Authority. In comparison with the powers of the Board with the 2018 and 2019 version of Personal Data Protection Bill, we witness an abrogation of powers of the Board to be created, in this Bill. Under Clause 19(2), the strength and composition of the Board, the process of selection, the terms and conditions of appointment and service, and the removal of its Chairperson and other Members shall be such as may be prescribed by the Union Government at a later stage. Further as per Clause 19(3), the Chief Executive of the Board will be appointed by the Union Government and the terms and conditions of her service will also be determined by the Union Government. The functions of the Board have also not been specified under the Bill, the Central Government may assign the functions to be performed by the Board.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate, ability to act swiftly, and resources. The political nature of personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Board are independent of the Executive.

Chapter Wise Comments and Recommendations

CHAPTER I- PRELIMINARY

● Definition: While the Bill has added a few new definitions to the Bill including terms such as gains, loss, consent manager etc. there are a few key definitions that have been removed from the earlier versions of the Bill. The removal of certain definitions in the Bill, eg. sensitive personal data, health data, biometric data, transgender status, creating a legal uncertainty about the application of the Bill.

With respect to the existing definitions as well the definition of the term ‘harm’ has been significantly reduced to remove harms such as surveillance from the ambit of harms. In addition, with respect of the definition of the term of harms also, the 2019 version of the Bill under Clause 2 (20) the definition provides a non exhaustive list of harms, by using the phrase “harms include”, however in the new definition the phrase has been altered to “harm”, in relation to a Data Principal, means”, thereby removing the possibility of more harms that are not apparent currently from being within the purview of the Act. We recommend that the definition of harms be made into a non-exhaustive list.

CHAPTER II - OBLIGATIONS OF DATA FIDUCIARY

Notice: The revised Clause on notice does away with the comprehensive requirements which were laid out under Clause 7 of the PDP Bill 2019. The current clause does not mention in detail what the notice should contain, while stating that that the notice should be itemised. While it can be reasoned that the Data Fiduciary can find the contents of the notice throughout the bill, such as with the rights of the Data Principal, the removal of a detailed list could create uncertainty for Data Fiduciaries. By leaving the finer details of what a notice should contain, it could cause Data Fiduciaries from missing out key information from the list, which in turn provide incomplete information to the Data Principal. Even in terms of Data Fiduciaries they might not know if they are complying with the provisions of the bill, and could result in them invariably being penalised. In addition to this by requiring less work by the Data Fiduciary and processor, the burden falls on the Data Principal to make sure they know how their data is processed and collected. The purpose of this legislation is to create further rights for individuals and consumers, hence the Bill should strive to put the individual at the forefront.

In addition to this Clause 6(3) of the Bill states “The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution of India.” While the inclusion of regional language notices is a welcome step, we suggest that the text be revised as follows “The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English and in any language specified in the Eighth Schedule to the Constitution of India.” While the main crux of notice is to let the person know before giving consent, notice in a language that a person cannot read would not lead to meaningful consent.

Consent

Clause 3 of the Bill states “request for consent would have the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.” Ideally this provision should be a part of the notice and should be mentioned in the above section. This is similar to Clause 7(1)(c) of the draft Personal Data Protetion Bill 2019 which requires the notice to state “the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;”.

Deemed Consent

The Bill introduces a new type of consent that was absent in the earlier versions of the Bill. We are of the understanding that deemed consent is used to redefine non consensual processing of personal data. The use of the term deemed consent and the provisions under the section while more concise than the earlier versions could create more confusion for Data Principals and Fiduciaries alike. The definition and the examples do not shed light on one of the key issues with voluntary consent - the absence of notice. In addition to this the Bill is also silent on whether deemed consent can be withdrawn or if the data principal has the same rights as those that come from processing of data they have consented to.

Personal Data Protection of Children

The age to determine whether a person has the ability to legally consent in the online world has been intertwined with the age of consent under the Indian Contract Act; i.e. 18 years. The Bill makes no distinction between a 5 year old and a 17 year old- both are treated in the same manner. It assumes the same level of maturity for all persons under the age of 18. It is pertinent to note that the law in the offline world does recognise that distinction and also acknowledges the changes in the level of maturity. As per Section 82 of the Indian Penal Code read with Section 83, any act by a child under the age of 12 shall not be considered as an offence. While the maturity of those aged between 12–18 years will be decided by court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industry

There is a need to evaluate and rethink the idea that children are passive consumers of the internet and hence the consent of the parent is enough. Additionally, the bracketing of all individuals under the age of 18 as children fails to look at how teenages and young people use the internet. This is more important looking at the 2019 data which suggests that two-thirds of India’s internet users are in the 12–29 years age group, with those in the 12–19 age group accounting for about 21.5% of the total internet usage in metro cities. Given that the pandemic has compelled students and schools to adopt and adapt to virtual schools, the reliance on the internet has become ubiquitous with education. Out of an estimated 504 million internet users, nearly one-third are aged under 19. As per the Annual Status on Education Report (ASER) 2020, more than one-third of all schoolchildren are pursuing digital education, either through online classes or recorded videos.

Instead of setting a blanket age for determining valid consent, we could look at alternative means to determine the appropriate age for children at different levels of maturity, similar to what had been developed by the U.K. Information Commissioner’s Office. The Age Appropriate Code prescribes 15 standards that online services need to follow. It broadly applies to online services "provided for remuneration"—including those supported by online advertising—that process the personal data of and are "likely to be accessed" by children under 18 years of age, even if those services are not targeted at children. This includes apps, search engines, social media platforms, online games and marketplaces, news or educational websites, content streaming services, online messaging services.

The reservation to definition of child under the Bill has also been expressed by some members of the JPC through their dissenting opinion. MP Ritesh Pandey stated that keeping in mind the best interest of the child the Bill should consider a child to be a person who is less than 14 years of age. This would ensure that young people could benefit from the advances in technology without parental consent and reduce the social barriers that young women face in accessing the internet. Similarly Manish Tiwari in his dissenting note also observed that the regulation of the processing of data of children should be based on the type of content or data. The JPC Report observed that the Bill does not require the data fiduciary to take fresh consent of the child, once the child has attained the age of majority, and it also does not give the child the option to withdraw their consent upon reaching the majority age. It therefore, made the following recommendations:

Registration of data fiduciaries, exclusively dealing with children’s data. Application of the Majority Act to a contract with a child. Obligation of Data fiduciary to inform a child to provide their consent, three months before such child attains majority Continuation of the services until the child opts out or gives a fresh consent, upon achieving majority. However, these recommendations have not been incorporated into the provisions of the Bill. In addition to this the Bill is silent on the status of non consensual processing and deemed consent with respect to the data of children.

We recommend that fiduciaries who have services targeted at children should be considered as significant Data Fiduciaries. In addition to this the Bill should also state that the guardians could approach the Data Protection Board on behalf of the child. With these obligations in place, the age of mandatory consent could be reduced and the data fiduciary could have an added responsibility of informing the children in the simplest manner how their data will be used. Such an approach places a responsibility on Data Fiduciaires when implementing services that will be used by children and allows the children to be aware of data processing, when they are interacting with technology.

Chapter III-RIGHTS AND DUTIES OF DATA PRINCIPAL

Rights of Data Principal

Clause 12(3) of the Bill while providing the Data Principal the right to be informed of the identities of all the Data Fiduciaries with whom the personal data has been shared, also states that the data principal has the right to be informed of the categories of personal data shared. However the current version of the Bill provides only one category of data that is personal data.

Clause 14 of the Bill talks about the Right of Grievance Redressal, and states that the Data Principal has the right to readily available means of registering a grievance, however the Bill does not provide in the Notice provisions the need to mention details of a grievance officer or a grievance redressal mechanism. It is only the additional obligations on significant data fiduciary that mentions the need for a Data Protection officer to be the contact for the grievance redressal mechanism under the provisions of this Bill. The Bill could ideally re-use the provisions of the IT Act SPDI Rules 2011 in which Section 5(7) states “Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances or provider of information expeditiously but within one month ' from the date of receipt of grievance.”

The above framing would not only bring clarity to the data fiduciaries on what process to follow for a grievance redressal, it also would reduce the significant burden of theBoard.

Duties of Data Principals

The Bill while entisting duties of the Data Principal states that the “Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board”, however it is very difficult for a Data Principal to and even for the Board to determine what constitutes a “frivolous grievance”. In addition to this the absence of a defined notice provision and the inclusion of deemed consent would mean that the Data Fiduciary could have more information about the matter than the Data Principal. This could mean that the fiduciary could prove that a claim was false or frivolous. Clause 21(12) states that “At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.” In addition to this Clause 25(1) states that “ If the Board determines on conclusion of an inquiry that non- compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.” The use of the term “person” in this case includes data which could mean that they could be penalised under the provisions of the Bill, which could also include not complying with the duties.

CHAPTER IV- SPECIAL PROVISIONS

Transfer of Personal Data outside India

Clause 17 of the Bill has removed the requirement of data localisation which the 2018 and 2019 Bill required. Personal data can be transferred to countries that will be notified by the central government. There is no need for a copy of the data to be stored locally and no prohibition on transferring sensitive personal data and critical data. Though it is a welcome change that personal data can be transferred outside of India, we would highlight the concerns in permitting unrestricted access to and transfer of all types of data. Certain data such as defence and health data do require sectoral regulation and ringfencing of the transfer of data.

Exemptions

Clause 18 of the Bill has widened the scope of government exemptions. Blanket exemption has been given to the State under Clause 18(4) from deleting the personal data even when the purpose for which the data was collected is no longer served or when retention is no longer necessary. The requirement of proportionality, reasonableness and fairness have been removed for the Central Government to exempt any department or instrumentality from the ambit of the Bill. By doing away with the four pronged test, this provision is not in consonance with test laid down by the Supreme Court and are also incompatible with an effective privacy regulation. There is also no provision for either a prior judicial review of the order by a district judge as envisaged by the Justice Srikrishna Committee Report or post facto review by an oversight committee of the order as laid down under the Indian Telegraph Rules, 1951^{^[3]} and the rules framed under Information Technology Act^{^[4]}. The provision states that such processing of personal data shall be subject to the procedure, safeguard and oversight mechanisms that may be prescribed.

^{^[1]} Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

^{^[2]} Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6) The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f) security safeguards under section 31; (g) research purposes under section 45;(h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

^{^[3]} Rule 419A (16): The Central Government or the State Government shall constitute a Review Committee.

Rule 419 A(17): The Review Committee shall meet at least once in two months and record its findings whether the directions issued under sub-rule (1) are in accordance with the provisions of sub-section (2) of Section 5 of the said Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above it may set aside the directions and orders for destruction of the copies of the intercepted message or class of messages.

^{^[4]} Rule 22 of Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009: The Review Committee shall meet at least once in two months and record its findings whether the directions issued under rule 3 are in accordance with the provisions of sub-section (2) of section 69 of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue an order for destruction of the copies, including corresponding electronic record of the intercepted or monitored or decrypted information.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-recommendations-to-digital-data-protection-bill

The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018

Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand — 2018-07-20T13:55:46Z

The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.

Click to download the file here

As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft a citizen's bill encompassing a citizen centric privacy code that is based on seven guiding principles.^{^[1]} This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.^{^[2]} Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.

Section by Section Recommendations

Preamble

Comment: The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.

Recommendation: It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.

Comment: The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.

Recommendation: The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.

Chapter 1 Preliminary

Section 2: This Section defines the terms used in the Act.

Comment: Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.

Recommendations:

The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:”It is crucial that the Act defines effective consent especially when it is with respect to sensitive data.
The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.
The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure , hence if erasure and destruction mean different acts then the term erasure needs to be defined, otherwise in order to maintain uniformity the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.
The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (eg. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. Example can be taken from Section 4(1) of the GDPR^{^[3]} which identifies location data as well as identification numbers as sensitive personal data along with other identifies such as biometric data, gender race etc.
The Act defines consent as the “unambiguous indication of a data subject’s agreement” however, the definition does not indicate that there needs to be an informed consent. Hence the revised definition could read as follows “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.
The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.
The Act defines ‘data processor’ in Section (2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.

CHAPTER II

Right to Privacy

Section 5: This section provides exemption to the rights to privacy.

Comment: Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes are exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals the immunity from collection, storage, processing and dissemination of data of another person. However this provision fails to state what specific activities qualify as non commercial use.

Recommendation: This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition i.e “data that can be freely used, modified, and shared by anyone for any purpose”^{^[4]} then this section becomes highly problematic. As a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.

CHAPTER III

Protection of Personal Data

PART A

Notice by data controller

Section 6: This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.

Comment: There seems to be a error in the Proviso to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part shall may be refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.

Recommendation: The proviso could read as follows “The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part may be refused when the Data Controller is…”. We suggest the use of the ‘may’ as this makes the provision less limiting to the rights of the data controller.

Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.

PART B

CONSENT OF DATA SUBJECTS

Section 10: This section talks about the collection of personal data.

Comment: Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.

Comment: Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.

Recommendation: This section could be reworked in such as way that two conditions are clear, one - the time and manner in which the data will be destroyed and two the status of the data once consent is withdrawn.

Comment: Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.

Recommendation: As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.

Section 11:This section lays out the provisions where collection of personal data without prior consent is possible.

Comment: Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However as the title of the section suggests the sentence could indicate the situations where it is permissible to collect personal data without prior consent from the data subject”. Hence the word “without” is missing from the sentence. Additionally the sentence could state that the personal data may be collected or received directly from an individual or from a third party as it is possible to directly collect personal data from an individual without consent.

Recommendation:The sentence could read as “Personal data may be collected or received from an individual or a third party by a Data Controller without the prior consent of the data subject only if it is:..”.

Comment: Section 11(1)(i) states that the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However it does not specify the kind or severity of the medical emergency.

Recommendation: In addition to medical emergency another exception could be made for imminent threats to life.

Section 12: This section details the Special provisions in respect of data collected prior to the commencement of this Act.

Comment: This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force. Unless consent is obtained afresh within two years or that the personal data has been anonymised in such a manner to make re-identification of the data subject absolutely impossible. However this process can be highly difficult and impractical in terms of it being time consuming, expensive particularly, in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address or inavailability or death. This will also be problematic in cases of digitized government records.

Recommendation: We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data.The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.

Comment: Section (2)(1)(i) of the Act states that the data will not be destroyed provided that effective consent is obtained afresh within two years. However as stated earlier the Act does not define effective consent.

Recommendation: The term effective consent needs to be defined in order to bring clarity to this provision.

PART C

FURTHER LIMITATIONS ON DATA CONTROLLERS

Section 16: This section deals with the security of personal data and duty of confidentiality.

Comment: Section 16(2) states “ Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control. However apart from the duty of confidentiality and secrecy the data collectors and processors could also have a duty to maintain the security of the data.” Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.

Recommendation: This section could also emphasise on the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attach as well as the technical details of the infrastructure compromised.

Section 17: This section details the conditions for the transfer of personal data outside the territory of India.

Comment: Section 17 allows a transfer of personal data outside the territory of India in 3 situations- If the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V^{^[5]}, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses, that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.

Recommendation: Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might put the controllers or processors guilty of involuntary breaching the provisions of the Act.

Section 19: This section states the special provisions for sensitive personal data.

Comment: Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of:i.sensitive personal data relating to data subjects who are minors; ii.biometric and deoxyribonucleic acid data; and iii.financial and credit data.This however creates additional categories of sensitive data apart from the ones that have already been created.^{^[6]} These additional categories can result in confusion and errors.

Recommendation: Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.

Section 20: This section states the special provisions for data impact assessment.

Comment: This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances of circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.

Recommendation: The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.

Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before their use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. Example can taken from the GDPR, which in Article 35, specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.

Recommendation: The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.

PART C

RIGHTS OF A DATA SUBJECT

Section 21: This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.

Comment: This section does not provide the data subject the right to seek information about security breaches.

Recommendation: This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.^{^[7]}

CHAPTER IV

INTERCEPTION AND SURVEILLANCE

Section 28: This section lists out the special provisions for competent organizations.

Comment: Section 28(1) states ”all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter ”.This does not make provisions for other categories of data such as sensitive data.

Recommendation: This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.

Section 30: This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.

Comment: Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to medical, journalistic, parliamentary or legally privileged material may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication - thus medical may be part of a conversation between two construction workers and a doctor will communicate about finances.

Recommendation: The section could instead of singling out “medical, journalistic, parliamentary or legally privileged material” state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.

Section 37: This section details the bar against surveillance.

Comment: Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.

Recommendation: The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.

CHAPTER V

THE PRIVACY COMMISSION

Section 53: This section details the powers and functions of the Privacy Commission.

Comment: Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.

Recommendation: The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.

CHAPTER IX

OFFENCES AND PENALTIES

Sections 73 to 80: These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.

Comment: These sections, while laying out different punishments for controlling and processing data in contravention to the provisions of this Act, mets out a fine extending upto Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.

Recommendation: There could be a graded approach to the penalties based on the degree of severity of the offence.This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence.
----------------------------------------------------------------------

Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individual's rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.

^{^[1]} These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data,Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data,Right to Seek Exemption from Automated Decision-Making.

^{^[2]}The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet & Society, https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft

^{^[3]}General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.

^{^[4]} Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132

^{^[5]} General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.

^{^[6]} Sensitive personal data under Section 2(bb) includes, biometric data; deoxyribonucleic acid data;
sexual preferences and practices;medical history and health information;political affiliation;
membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926;ethnicity, religion, race or caste; and
financial and credit information, including financial history and transactions.

^{^[7]} Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet & Society, available at https://cis-india.org/internet-governance/files/data-protection-submission

For more details visit https://cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018

The Centre for Internet and Society’s comments and feedback to the: Digital Personal Data Protection Rules 2025

Pallavi Bedi, Vipul Kharbanda, Shweta Mohandas, Anubha Sinha and Isha Suri — 2025-03-06T02:06:44Z

The Centre for Internet & Society (CIS) submitted its comments and feedback to the Digital Personal Data Protection Rules 2025 initiated by the Indian government.

Rule 3 - Notice given by data fiduciary to data principal - Under Section 5(2) of the DPDP Act, when the personal data of the data principal has been processed before the commencement of the Act, then the data fiduciary is required to give notice to the data principal as soon as reasonably practicable. However, the Rules fail to specify what is meant by reasonably practicable. The timeline for a notice in such circumstances is unclear.

In addition, under Rule 3(a) the phrase “be presented and be understandable independently” is ambiguous. It is not clear whether the consent notice has to be presented independently of any other information or whether it only needs to be independently understandable and can be presented along with other information.
In addition to this we suggest that the need for “privacy by design” mentioned in the earlier drafts is brought back, with the focus on preventing deceptive design practices (dark patterns) being used while collecting data.

Rule 4 - Registration and obligations of Consent Manager- The concept of independent consent managers, similar to account aggregators in the financial sector, and consent manager platforms in the EU is a positive step. However, the Act and the Rules need to flesh out the interplay between the Data Fiduciary and the Consent Managers in a more detailed manner, for example, how does the data fiduciary know if a data principal is using a consent manager, and under what circumstances can the data fiduciary bypass the consent manager, what is the penalty/consequence, etc.

Rule 6 - Reasonable security safeguards - While we appreciate the guidance provided in terms of the measures for security such as “encryption, obfuscation or masking or the use of virtual tokens”, it would also be good to refer to the SPDI Rules and include the example of the The international Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System as an illustration to guide data fiduciaries.

Rule 7 - Intimation of personal data breach - As per the Rules, the data fiduciary on becoming aware of any personal data breach is required to notify the data principal and the Data Protection Board without delay; a plain reading of this Rule suggests that data fiduciary has to report the breach almost immediately, and this could be a practical challenge. Further, the absence of any threshold (materiality, gravity of the breach, etc) for notifying the data principal means that the data fiduciary will have to inform the data principal about even an isolated data breach which may not have an impact on the data principal. In this context, we recommend the Rule be amended to state that the data fiduciary should be required to inform the Data Protection Board about every data breach, however the data principal should be informed depending on the gravity and materiality of the breach and when it is likely to result in high risk to the data principal.

Whilst the Rules have provisions for intimation of data breach, there is no specific provision requiring the Data Fiduciary to take all steps necessary to ensure that the Data Fiduciary has taken all necessary measures to mitigate the risk arising out of the said breach. Although there is an obligation to report any such measures to the Data Principal (Rule 7(1)(c)) as well as to the DPBI (Rule 7(2)(b)(iii)), there is no positive obligation imposed on the Data Fiduciary to take any such mitigation measures. The Rules and the Act merely presume that the Data Fiduciary would take mitigation measures, perhaps that is the reason why there are notification requirements for such breach, however the Rules and the Act do not put any positive obligation on the Data Fiduciary to actually implement such measures. This would lead to a situation where a Data Fiduciary may not take any measures to mitigate the risks arising out of the data breach, and be in compliance with its legal obligations by merely notifying the Data Principal as well as the DPBI that no measures have been taken to mitigate the risks arising from the data breach. In addition, the SPDI Rules state that in an event of a breach the body corporate is required to demonstrate that they had implemented reasonable security standards. This provision could be incorporated in this Rule to emphasize on the need to implement robust security standards which is one of the ways to curb data breaches from happening, and ensure that there is a protocol to mitigate the breach.

Rule 10 - Verifiable consent for processing of personal data of child or of person with disability who has a lawful guardian - The two mechanisms provided under the Rules to verify the age and identity of parents pre-suppose a high degree of digital literacy on the part of the parents. They may either give or refuse consent without thinking too much about the consequences arising out of giving or not giving consent. As there is always a risk of individuals not providing the correct information regarding their age or their relationship with the child, platforms may have to verify every user’s age; thereby preventing users from accessing the platform anonymously. Further, there is also a risk of data maximisation of personal data rather than data minimisation; i.e parents may be required to provide far more information than required to prove their identity. One recommendation/suggestion that we propose is to remove the processing of children's personal data from the ambit of this law, and instead create a separate standalone legislation dealing with children’s digital rights. Another important issue to highlight here is the importance of the Digital Protection Board and its capacity to levy fines and impose strictures on the platforms. We have seen from examples from other countries that platforms are forced to redesign and provide for better privacy and data protection mechanisms when the regulator steps in and imposes high penalties

Rule 12 - Additional obligations of Significant Data Fiduciary - The Rules do not clarify which entities will be considered as a Significant Data Fiduciary, leaving that to the government notifications. This creates uncertainty for data fiduciaries, especially smaller organisations that might not be able to set up the mechanisms and people for conducting data protection impact assessment, and auditing. The Rule provides that SDFs will have to conduct an annual Data Protection Impact Assessment. While this is a step in the right direction, the Rules are currently silent on the granularity of the DPIA. Similarly for “audit” the Rules do not clarify what type of audit is needed and what the parameters are. It is therefore imperative that the government notifies the level of details that the DPIA and the audit need to go into in order to ensure that the SDFs actually address issues where their data governance practices are lacking and not use the DPIA as a whitewashing tactic.There is also a need to reduce some of the ambiguity with regards to the parameters, and responsibilities in order to make it easier for startups and smaller players to comply with the regulations. In addition, while there is a need to protect data and increase responsibility on organisations collecting sensitive data or large volumes of data, there is a need to look beyond compliance and look at ways that preserve the rights of the data principal. Hence significant data fiduciaries should also be given the added responsibility of collecting explicit consent from the data principal, and also have easier access for correction of data, grievance redressal and withdrawal of consent.

Rule 14 - Processing of personal data outside India - As per section 16 of the Act the government could, by notification, restrict the transfer of data to specific countries as notified. This system of a negative list envisaged under the Act appears to have been diluted somewhat by the use of the phrase “any foreign State” under the Rules. This ambiguity should be addressed and the language in the Rules may be altered to bring it in line with the Act. Further, the rules also appear to be ultra vires to the Act. As per the DPDP Act, personal data could be shared to outside India, except to countries which were on the negative list, however, the dilution of the provision through the rules appears to have now created a white list of countries; i.e. permissible list of countries to which data can be transferred.

Rule 15 Exemption from Act for research, archiving or statistical purposes- While creating an exception for research and statistical purposes is an understandable objective, the current wording of the provision is vague and subject to mischief. The objective behind the provision is to ensure that research activities are not hindered due to the requirements of taking consent, etc. as required under the Act. However the way the provision is currently drafted, it could be argued that a research lab or a research centre established by a large company, for e.g. Google, Meta, etc. could also seek exemptions from the provisions of this Act for conducting “research”. The research conducted may not be shared with the public in general and may be used by the companies that funded/established the research centre. Therefore there should be further conditions attached to this provision, that would keep such research centers outside the purview of the exemption. Conditions such as making the results of the research publicly available, public interest, etc. could be considered for this purpose.

Rule 22 - Calling for Information from data fiduciary or intermediary - This rule read with the seventh schedule appears to dilute the data minimisation and purpose limitation provisions provided for in the Act. The wide ambit of powers appears to be in contravention of the Supreme Court judgement in the Puttaswamy case, which places certain restrictions on the government while collecting personal data. This “omnibus” provision flouts guardrails like necessity and proportionality that are important to safeguard the fundamental right to privacy.

It should be clarified whether this rule is merely an enabling provision to facilitate sharing of information, and only designated competent authorities as per law can avail of this provision. Need for Confidentiality

Additionally, the rule mandates that the government may “require the Data Fiduciary or intermediary to not disclose” any request for information made under the Act. There is no requirement of confidentiality indicated in the governing section, i.e. section 36, from which Rule 22 derives its authority. Talking about the avoidance of secrecy in government business, the Supreme Court in the State of U.P. v. Raj Narain, (1975) 4 SCC 428 has held that
“In a government of responsibility like ours, where all the agents of the public must be responsible for their conduct, there can but few secrets. The people of this country have a right to know every public act, everything, that is done in a public way, by their public functionaries. They are entitled to know the particulars of every public transaction in all its bearing. The right to know, which is derived from the concept of freedom of speech, though not absolute, is a factor which should make one wary, when secrecy is claimed for transactions which can, at any rate, have no repercussions on public security (2). To cover with [a] veil [of] secrecy the common routine business, is not in the interest of the public. Such secrecy can seldom be legitimately desired. It is generally desired for the purpose of parties and politics or personal self-interest or bureaucratic routine. The responsibility of officials to explain and to justify their acts is the chief safeguard against oppression and corruption.”
In order to ensure that state interests are also protected, there may be an enabling provision whereby in certain instances confidentiality may be maintained, but there has to be a supervisory mechanism whereby such action may be judged on the anvil of legal propriety.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-and-feedback-to-digital-personal-data-protection-rules-2025

[···]

kaeru — 2025-11-19T17:19:28Z

For more details visit https://cis-india.org/internet-governance/blog/

The Centre for Internet & Society Joins the Global Network Initiative

praskrishna — 2012-04-25T09:13:50Z

The Global Network Initiative (GNI) is pleased to announce its newest member, the Centre for Internet & Society based in Bangalore, India. A technology policy research institute, CIS brings to GNI in-depth expertise on global Internet governance as well as online freedom of expression and privacy in India.

"We are delighted to add our first member based in India and welcome CIS’s engagement in support of transparency and accountability in technology," says GNI Executive Director Susan Morgan. "GNI's Principles for responsible company behavior apply globally, but require an appreciation of unique local contexts if they are to take hold. CIS will provide invaluable insight as we consider opportunities to work with India's burgeoning ICT industry."

"India’s ICT sector is one of the most dynamic worldwide, " says CIS Executive Director Sunil Abraham, "but rapid technological advances have raised anxieties around issues including hate speech, political criticism, and obscene content at a time when Indian institutions for the protection of free expression are under strain. We look forward to working with GNI's member organizations on these challenging issues."

CIS an independent, non-profit, research organization which is involved in research on the emerging field of the Internet and its relationship to the society, CIS brings together scholars, academics, students, programmers and scientists to engage in a large variety of Internet issues. CIS also runs different academic and research programs and is receptive to new ideas and collaborations, projects and campaigns for the public.

Leslie Harris, GNI Board Member and President and CEO of the Center for Democracy and Technology says: "The addition of CIS not only increases GNI’s global reach, it significantly enhances the initiative’s capacity around shared learning and policy engagement, not just in India, but on internet policy around the world."

Click to read the original published on the Global Network Initiative website.

For more details visit https://cis-india.org/internet-governance/cis-joins-gni

The Central Monitoring System: Some Questions to be Raised in Parliament

bhairav — 2013-09-25T10:30:10Z

The following are some model questions to be raised in the Parliament regarding the lack of transparency in the central monitoring system.

Preliminary

The Central Monitoring System (CMS) is a Central Government project to intercept communications, both voice and data, that is transmitted via telephones and the internet to, from and within India. Owing to the vast nature of this enterprise, the CMS cannot be succinctly described and the many issues surrounding this project are diverse. This Issue Brief will outline preliminary constitutional, legal and technical concerns that are presented by the CMS.
At the outset, it must be clearly understood that no public documentation exists to explain the scope, functions and technical architecture of the CMS. This lack of transparency is the single-largest obstacle to understanding the Central Government’s motives in conceptualising and operationalizing the CMS. This lack of public documentation is also the chief reason for the brevity of this Issue Note. Without making public the policy, law and technical abilities of the CMS, there cannot be an informed national debate on the primary concerns posed by the CMS, i.e the extent of envisaged state surveillance upon Indian citizens and the safeguards, if any, to protect the individual right to privacy.

Surveillance and Privacy

Surveillance is necessary to secure political organisation. Modern nation-states, which are theoretically organised on the basis of shared national and societal characteristics, require surveillance to detect threats to these characteristics. In democratic societies, beyond the immediate requirements of national integrity and security, surveillance must be targeted at securing the safety and rights of individual citizens. This Issue Brief does not dispute the fact that democratic countries, such as India, should conduct surveillance to secure legitimate ends. Concerns, however, arise when surveillance is conducted in a manner unrestricted and unregulated by law; these concerns are compounded when a lack of law is accompanied by a lack of transparency.
Technological advancement leads to more intrusive surveillance. The evolution of surveillance in the United States resulted, in 1967, in the first judicial recognition of the right to privacy. In Katz v. United States the US Supreme Court ruled that the privacy of communications had to be balanced with the need to conduct surveillance; and, therefore, wiretaps had to be warranted, judicially sanctioned and supported by probable cause. Katz expanded the scope of the Fourth Amendment of the US Constitution, which protected against unreasonable searches and seizures. Most subsequent US legal developments relating to the privacy of communications from surveillance originate in the Katz judgement. Other common law countries, such as the United Kingdom and Canada, have experienced similar judicial evolution to recognise that the right to privacy must be balanced with governance.

Right to Privacy in India

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Issues Pertaining to the CMS

While judicial protection from physical surveillance was cursorily dealt with in the Kharak Singh and Gobind cases, the Supreme Court of India directly considered the issue of wiretaps in the PUCL case. Wiretaps in India primarily occur on the strength of powers granted to certain authorities under section 5(2) of the Indian Telegraph Act, 1885. The Court found that the Telegraph Act, and Rules made thereunder, did not prescribe adequate procedural safeguards to create a “just and fair” mechanism to conduct wiretaps. Therefore, it laid down the following procedure to conduct wiretaps:

(a) the order should be issued by the relevant Home Secretary (this power is delegable to a Joint Secretary),
(b) the interception must be carried out exactly in terms of the order and not in excess of it,
(c) a determination of whether the information could be reasonably secured by other means,
(d) the interception shall cease after sixty (60) days.

Therefore, prima facie, any voice interception conducted through the CMS will be in violation of this Supreme Court judgement. The CMS will enforce blanket surveillance upon the entire country without regard for reasonable cause or necessity. This movement away from targeted surveillance to blanket surveillance without cause, conducted without statutory sanction and without transparency, is worrying.
Accordingly, the following questions may be raised, in Parliament, to learn more about the CMS project:

Which statutes, Government Orders, notifications etc deal with the establishment and maintenance of the CMS?
Which is the nodal agency in charge of implementing the CMS?
What are the powers and functions of the nodal agency?
What guarantees exist to protect ordinary Indian citizens from intrusive surveillance without cause?
What are the technical parameters of the CMS?
What are the consequences for misuse or abuse of powers by any person working in the CMS project?
What recourse is available to Indian citizens against whom there is unnecessary surveillance or against whom there has been a misuse or abuse of power?

For more details visit https://cis-india.org/internet-governance/blog/central-monitoring-system-questions-to-be-asked-in-parliament

The Audacious ‘Right to Be Forgotten’

kovey — 2013-07-31T10:08:55Z

There has long been speculation over the permanency of our online presence. Posting about excessively-personal details, commenting in a way which is later embarrassing, being caught in unflattering public photos; to our chagrin, all of these unfortunate situations often persist on the web, and can continue to haunt us in future years.

Perhaps less dire, what if someone decides that she no longer wants the history of her internet action stored in online systems?

So far, there has been confusion over what should be done, and what realistically can be done about this type of permanent presence on a platform as complex and international in scope as the internet. But now, the idea of a right to be forgotten may be able to define the rights and responsibilities in dealing with unwanted data.

The right to be forgotten is an interesting and highly contentious concept currently being debated in the new European Union Data Protection Regulations.[1]

The Data Protection Regulation Bill was proposed in 2012 by EU Commissioner Viviane Reding and stands to replace the EU’s previous Data Protection law, which was enacted in 1995. Referred to as the “right to be forgotten” (RTBF), article 17 of the proposal would essentially allow an EU citizen to demand service providers to “take all reasonable steps” to remove his or her personal data from the internet, as long as there is no “legitimate” reason for the provider to retain it.[1] Despite the evident emphasis on personal privacy, the proposition is surrounded by controversy and facing resistance from many parties. Apparently, there are a range of concerns over the ramifications RTBF could bring.

Not only are major IT companies staunchly opposed to the daunting task of being responsible for the erasure of data floating around the web, but governments like the United States and even Great Britain are objecting the proposal as well.[2],[3]

From a commercial aspect, IT companies and US lobbying forces view the concept of RTBF as a burden and a waste of resources for service providers to implement. Largely due to the RTBF clause, the new EU Data Protection proposal as a whole has witnessed intense, “unprecedented” lobbying by the largest US tech companies and US lobby groups[4],[5]. From a different angle, there are those like Great Britain, whose grievances with the RTBF are in its overzealous aim and insatiable demands.[2] There are doubts as to whether a company will even be able to track down and erase all forms of the data in question. The British Ministry of Justice stated, "The UK does not support the right to be forgotten as proposed by the European commission. The title raises unrealistic and unfair expectations of the proposals."[2] Many experts share these feasibility concerns. The Council of European Professional Informatics Societies (CEPIS) wrote a short report on the ramifications of cloud computing practices in 2011, in which it conformed, “It is impossible to guarantee complete deletion of all copies of data. Therefore it is difficult to enforce mandatory deletion of data. Mandatory deletion of data should be included into any forthcoming regulation of Cloud Computing services, but still it should not be relied on too much: the age of a ‘Guaranteed complete deletion of data’, if it ever existed has passed."[6]

Feasibility aside, the most compelling issue in the debate over RTBF is the demanding challenge of balancing and prioritizing parallel rights. When it comes to forced data erasure, conflicts of right to be forgotten versus freedom of speech and expression easily arises. Which right takes precedence over the other?

Some RTBF opponents fear that RTBF will hinder freedom of speech. They have a valid point. What is the extent of personal data erasure? Abuse of RTBF could result in some strange, Orwellian cyberspace where the mistakes or blemishes of society are all erased or constantly amended, and only positivity fills the internet. There are reasonable fears that a chilling effect may come into play once providers face the hefty noncompliance fines of the Data Protection law, and begin to automatically opt for customer privacy over considerations for freedom of expression. Moreover, what safeguards may be in place to prevent politicians or other public figures from removing bits of unwanted coverage?

Although these examples are extreme, considerations like these need to be made in the development of this law. With the amount of backlash from various entities, it is clear that a concept like the right to be forgotten could not exist as a simple, generalized law. It needs refinement.

Still, the concept of a RTBF is not without its supporters. Viktor Mayer-Schönberger, professor of Internet Governance at Oxford Internet Institute, considers RTBF implementation feasible and necessary, saying that even if it is difficult to remove all traces of an item, "it might be in Google's back-up, but if 99% of the population don't have access to it you have effectively been deleted."[7] Additionally, he claims that the undermining of freedom of speech and expression is "a ridiculous misstatement."[7] To him, the right to be forgotten is tied intricately to the important and natural process of forgetting things of the past.

Moreover, the Data Protection Regulation does mention certain exceptions for the RTBF, including protection for "journalistic purposes or the purpose of artistic or literary expression." [1] The problem, however, is the seeming contradiction between the RTBF and its own exceptions. In practice, it will be difficult to reconcile the powers granted by the RTBF with the limitations claimed in other sections of the Data Protection Regulation.

Currently, the are a few clean and straight forward implementations of RTBF. One would be the removal of mined user data which has been accumulated by service providers. Here, invoking the right would be possible once a person has deleted accounts or canceled contracts with a service (thereby fulfilling the notion that the service no longer has "legitimate" reason to retain the data). Another may be in the case of personal data given by minors who later want their data removed, which is an important example mentioned in Reding’s original proposal.[4] These narrow cases are some of the only instances where RTBF may be used without fear of interference with other social rights. Broader implementations of the RTBF concept, under the current unrefined form, may cause too many conflicting areas with other freedoms, and especially freedom of expression.

Overall, the Right to Be Forgotten is a noble concept, born out of concern for the citizen being overpowered by the internet. As an early EU publication states, "The [RTBF] rules are about empowering people, not about erasing past events or restricting the freedom of the press."[8] But at this point, too many clear details seem to be lacking from the draft design of the RTBF. There is concern that without proper deliberation, the concept could lead to unforeseen and undesirable outcomes. Privacy is a fundamental right that deserves to be protected, but policy makers cannot blindly follow the ideals of one right to the point where it interferes with other aspects of society.

Fortunately, recent amendment proposals have attempted some refinement of the bill. Jeffrey Rosen writes in the Stanford Law Review about a certain key concept that could help legitimize the right, namely an amendment proposing that only personally contributed data may be rescinded.[9] This would help avoid interference with others’ rights to expression, and provide limitations on the extent of right to be forgotten claims. As Leslie Harris, president of the Center for Democracy and Technology wrote in the Huffington Post, amendments are needed which can specifically define personal data in the RTBF sense; thereby distinguishing which type of data is allowed to be removed.[10] In the upcoming months, the European Parliament will be considering such amendments to the proposal. This time will be crucial as it will determine if the development of the right to be forgotten will make it a viable option for the EU’s 500 million citizens.

But even after terms are defined and after safeguards are established, this underling philosophical question remains:

Should a person be able to reclaim the right to privacy after willingly giving it up in the first place?

The RTBF is obviously a contentious topic, one which may need to be gauged individually by nation states; it will soon be revealed if the EU becomes the first to adopt the right. If RTBF fails to pass in European parliament, I would hope that it at least serves to remind people of the permanence of the data which they add to the internet, further incentivizing careful consideration of what one yields to the web. Rights frequently evolve and expand to meet societal or technological advances. If we are to expand the concept of privacy, however, then we must do so with proper consideration, so that privacy may not gain disproportionate power over other rights, or vice versa.

[1]. http://bit.ly/WSZvHv

[2]. http://bit.ly/YxKaNJ

[3]. http://tcrn.ch/YdH82f

[4]. http://bit.ly/196E8qj

[5]. http://bit.ly/wJKWTZ

[6]. http://bit.ly/15aoknF

[7]. http://bit.ly/Z3JbRU

[8]. http://bit.ly/xfodhI

[9]. http://bit.ly/13uyda5

[10]. http://huff.to/16P2XIS

For more details visit https://cis-india.org/internet-governance/blog/the-audacious-right-to-be-forgotten