Centre for Internet and Society

Mastering the Art of Keeping Indians Under Surveillance

bhairav — 2015-08-23T12:26:48Z

In its first year in office, the National Democratic Alliance government has been notably silent on the large-scale surveillance projects it has inherited. This ended last week amidst reports the government is hastening to complete the Central Monitoring System (CMS) within the year.

The article was published in the Wire on May 30, 2015.

In a statement to the Rajya Sabha in 2009, Gurudas Kamat, the erstwhile United Progressive Alliance’s junior communications minister, said the CMS was a project to enable direct state access to all communications on mobile phones, landlines, and the Internet in India. He meant the government was building ‘backdoors’, or capitalising on existing ones, to enable state authorities to intercept any communication at will, besides collecting large amounts of metadata, without having to rely on private communications carriers.

This is not new. Legally sanctioned backdoors have existed in Europe and the USA since the early 1990s to enable direct state interception of private communications. But the laws of those countries also subject state surveillance to a strong regime of state accountability, individual freedoms, and privacy. This regime may not be completely robust, as Edward Snowden’s revelations have shown, but at least it exists on paper. The CMS is not illegal by itself, but it is coloured by the compromised foundation of Indian surveillance law upon which it is built.

Surveillance and social control

The CMS is a technological project. But technology does not exist in isolation; it is contextualised by law, society, politics, and history. Surveillance and the CMS must be seen in the same contexts.

The great sociologist Max Weber claimed the modern state could not exist without monopolising violence. It seems clear the state also entertains the equal desire to monopolise communications technologies. The state has historically shaped the way in which information is transmitted, received, and intercepted. From the telegraph and radio to telephones and the Internet, the state has constantly endeavoured to control communications technologies.

Law is the vehicle of this control. When the first telegraph line was laid down in India, its implications for social control were instantly realised; so the law swiftly responded by creating a state monopoly over the telegraph. The telegraph played a significant role in thwarting the Revolt of 1857, even as Indians attempted to destroy the line; so the state consolidated its control over the technology to obviate future contests.

This controlling impulse was exercised over radio and telephones, which are also government monopolies, and is expressed through the state’s surveillance prerogative. On the other hand, because of its open and decentralised architecture, the Internet presents the single greatest threat to the state’s communications monopoly and dilutes its ability to control society.

Interception in India

The power to intercept communications arises with the regulation of telegraphy. The first two laws governing telegraphs, in 1854 and 1860, granted the government powers to take possession of telegraphs “on the occurrence of any public emergency”. In 1876, the third telegraph law expanded this threshold to include “the interest of public safety”. These are vague phrases and their interpretation was deliberately left to the government’s discretion.

This unclear formulation was replicated in the Indian Telegraph Act of 1885, the fourth law on the subject, which is currently in force today. The 1885 law included a specific power to wiretap. Incredibly, this colonial surveillance provision survived untouched for 87 years even as countries across the world balanced their surveillance powers with democratic safeguards.

The Indian Constitution requires all deprivations of free speech to conform to any of nine grounds listed in Article 19(2). Public emergencies and public safety are not listed. So Indira Gandhi amended the wiretapping provision in 1972 to insert five grounds copied from Article 19(2). However, the original unclear language on public emergencies and public safety remained.

Indira Gandhi’s amendment was ironic because one year earlier she had overseen the enactment of the Defence and Internal Security of India Act, 1971 (DISA), which gave the government fresh powers to wiretap. These powers were not subject to even the minimal protections of the Telegraph Act. When the Emergency was imposed in 1975, Gandhi’s government bypassed her earlier amendment and, through the DISA Rules, instituted the most intensive period of surveillance in Indian history.

Although DISA was repealed, the tradition of having parallel surveillance powers for fictitious emergencies continues to flourish. Wiretapping powers are also found in the Maharashtra Control of Organised Crime Act, 1999 which has been copied by Karnataka, Andhra Pradesh, Arunachal Pradesh, and Gujarat.

Procedural weaknesses

Meanwhile, the Telegraph Act with its 1972 amendment continued to weather criticism through the 1980s. The wiretapping power was largely exercised free of procedural safeguards such as the requirements to exhaust other less intrusive means of investigation, minimise information collection, limit the sharing of information, ensure accountability, and others.

This changed in 1996 when the Supreme Court, on a challenge brought by PUCL, ordered the government to create a minimally fair procedure. The government fell in line in 1999, and a new rule, 419A, was put into the Indian Telegraph Rules, 1951.

Unlike the United States, where a wiretap can only be ordered by a judge when she decides the state has legally made its case for the requested interception, an Indian wiretap is sanctioned by a bureaucrat or police officer. Unlike the United Kingdom, which also grants wiretapping powers to bureaucrats but subjects them to two additional safeguards including an independent auditor and a judicial tribunal, an Indian wiretap is only reviewed by a committee of the original bureaucrat’s colleagues. Unlike most of the world which restricts this power to grave crime or serious security needs, an Indian wiretap can even be obtained by the income tax department.

Rule 419A certainly creates procedure, but it lacks crucial safeguards that impugn its credibility. Worse, the contours of rule 419A were copied in 2009 to create flawed procedures to intercept the content of Internet communications and collect metadata. Unlike rule 419A, these new rules issued under sections 69(2) and 69B(3) of the Information Technology Act 2000 have not been constitutionally scrutinised.

Three steps to tap

Despite its monopoly, the state does not own the infrastructure of telephones. It is dependent on telecommunications carriers to physically perform the wiretap. Indian wiretaps take place in three steps: a bureaucrat authorises the wiretap; a law enforcement officer serves the authorisation on a carrier; and, the carrier performs the tap and returns the information to the law enforcement officer.

There are many moving parts in this process, and so there are leaks. Some leaks are cynically motivated such as Amar Singh’s lewd conversations in 2011. But others serve a public purpose: Niira Radia’s conversations were allegedly leaked by a whistleblower to reveal serious governmental culpability. Ironically, leaks have created accountability where the law has failed.

The CMS will prevent leaks by installing servers on the transmission infrastructure of carriers to divert communications to regional monitoring centres. Regional centres, in turn, will relay communications to a centralised monitoring centre where they will be analysed, mined, and stored. Carriers will no longer perform wiretaps; and, since this obviates their costs of compliance, they are willing participants.

In its annual report of 2012, the Centre for the Development of Telematics (C-DOT), a state-owned R&D centre tasked with designing and creating the CMS, claimed the system would intercept 3G video, ILD, SMS, and ISDN PRI communications made through landlines or mobile phones – both GSM and CDMA.

There are unclear reports of an expansion to intercept Internet data, such as emails and browsing details, as well as instant messaging services; but these remain unconfirmed. There is also a potential overlap with another secretive Internet surveillance programme being developed by the Defence R&D Organisation called NETRA, no details of which are public.

Culmination of surveillance

In its present state, Indian surveillance law is unable to bear the weight of the CMS project, and must be vastly strengthened to protect privacy and accountability before the state is given direct access to communications.

But there is a larger way to understand the CMS in the context of Indian surveillance. Christopher Bayly, the noted colonial historian, writes that when the British set about establishing a surveillance apparatus in colonised India, they came up against an established system of indigenous intelligence gathering. Colonial rule was at its most vulnerable at this point of intersection between foreign surveillance and indigenous knowledge, and the meeting of the two was riven by suspicion. So the colonial state simply co-opted the interface by creating institutions to acquire local knowledge.

The CMS is also an attempt to co-opt the interface between government and the purveyors of communications; because if the state cannot control communications, it cannot control society. Seen in this light, the CMS represents the natural culmination of the progression of Indian surveillance. No challenge against it that does not question the construction of the modern Indian state will be successful.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-may-30-2015-bhairav-acharya-mastering-the-art-of-keeping-indians-under-surveillance

Masking personal data to protect privacy crucial for India, say experts

Admin — 2017-12-16T14:27:34Z

Finding a way to protect privacy is critical, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.

The article by Deepti Govind was published in Livemint on December 11, 2017

Using the concept of de-identification to protect an individual’s right to privacy and creating laws that constantly re-evaluates the difference between harmful and good use of data is crucial for India, according to an expert panel on data privacy.

That could mean developing a token system that lets the Unique Identification Authority of India (UIDAI) hold a master-list of data through Aadhaar, while generating token numbers for all other Know Your Customer (KYC) requirements, suggested the panel at the Global Technology Summit hosted by think-tank Carnegie India.

“If we can implement de-identification principles in government collection and storage of data, even if that data is displayed on the website it cannot be correlated to an individual. And if it can’t be correlated to an individual then immediately that data is not as dangerous as it could be,” said Rahul Matthan, partner at Trilegal and a Mint columnist.

In theory, de-identification could include anything from deleting or masking personal identifiers, like names, to generalizing or suppressing others, like an individual’s pin code.

Finding a way to protect privacy is critical for India, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.

One of the grounds for challenge is that the use of biometric information of an individual encroaches upon the individual’s privacy.

The Centre for Internet and Society, a Bengaluru-based research organisation, proposed that the UIDAI use tokens for KYC requirements. Under this method an individual can use a smart card and a personal identification number (PIN), rather than biometrics, at a UIDAI-controlled booth and generate a token number. That token number can be submitted to a telephone operator or a bank.

“UIDAI is currently considering this. They call it the dummy or virtual Aadhaar numbers. Under this a single agency cannot pull off the surveillance completely by themselves. So there is both a technical and institutional check,” said Sunil Abraham, executive director of the Centre for Internet and Society.

Another method could be shifting the emphasis to revoking consent rather than grant of consent to collect and store data.

This could be done using the same method that currently exists to filter unwanted calls and messages on phones via the do-not-disturb registry. But over and above these, creating the right regulatory framework is important.

“It has become absolutely necessary to have in place a law which governs the usage of misuse of data,” said former Supreme Court justice B.N. Srikrishna.

Srikrishna used to head a 10-member committee of experts constituted by the government to study various issues related to data protection, make specific suggestions on the principles to be considered and suggest a draft data protection bill.

The data protection law must balance the interests of all three stakeholders—the common citizens, data collectors and the state—and not focus on just one or two, Srikrishna said on Friday. There should also be methods in place to penalize or impose fines on companies or agencies in case of data breaches or misuses, he added. But imposing fines is not the ideal solution, according to experts.

“It’s really critical that we think about building in incentives to do better. If every violation results in a huge penalty, for instance, then the posture of companies will be a secretive, protective, legal defence posture rather than one that strives to constantly improve practices and technologies,” said Facebook Inc.’s global deputy chief privacy officer, Stephen Deadman.

For more details visit https://cis-india.org/internet-governance/news/masking-personal-data-to-protect-privacy-crucial-for-india-say-experts

Marco Civil da Internet: Brazil’s ‘Internet Constitution’

geetha — 2014-06-19T10:38:10Z

On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.

Introduction:

Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.” Brazil, she said, would “redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.”

Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to NETmundial, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping devise a workable method to divest the U.S. Government of its de facto control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.

But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he called for an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “good democracy, healthcare, connected communities and diversity of culture”. Some countries agree. The Philippines envisaged a Magna Carta for Internet Freedom, though the Bill is pending in the Philippine parliament.

Marco Civil da Internet:

Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the Marco Civil da Internet, bill 2126/2011, a charter of Internet rights. The Marco Civil is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee hailing the “groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet”.

The Marco Civil’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process involved a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.

An official English translation of the Marco Civil is as yet unavailable. But an unofficial translation (please note that the file is uploaded on Google Drive), triangulated against online commentary on the bill, reveals that the following issues were of primary importance:

The fundamentals:

The fundamental principles of the Marco Civil reveal a commitment to openness, accessibility neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “to information, knowledge and participation in cultural life and public affairs”. It aims to promote innovation and open technology standards, while ensuring interoperability.

The Marco Civil expands on its commitment to human rights and accessibility by laying down a “discipline of Internet use in Brazil”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “technical measures consistent with international standards and by encouraging the implementation of best practices”.

These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.

Rights and responsibilities of users and service providers:

Net neutrality:

Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the Marco Civil requires all Internet providers to “to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic only on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.

Data retention, privacy and data protection:

The Marco Civil includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, record, retention and access to Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained only upon judicial authorization.

Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (with penal consequences) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.

While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the Marco Civil, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.

Though initially excluded from the Marco Civil, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.

These requirements must be understood in light of the rights that the Marco Civil guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their content; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “inviolability of intimacy and privacy”, including the confidentiality of all Internet communications, along with “compensation for material or moral damages resulting from violation”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “clear and complete information on the collection, use, storage, treatment and protection of their personal data”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.

Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the Marco Civil prima facie set down robust protections for private and personal data and communications.

An initial draft of the Marco Civil sought to mandate local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her statement to the United Nations, declared that Brazil sought to protect itself from “illegal interception of communications and data”. However, the implications of this local storage requirement was the creation of a geographically isolated Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the Marco Civil itself sought to protect. Moreover, there are implications for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then withdrawn which, some say, propelled the quick passage of the bill in the Chamber of Deputies.

Intermediary liability:

Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The Marco Civil addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a copyright reforms bill seeks to address.

At first instance, the Marco Civil exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content only where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to appraise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.

This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring idenfiability of infringing content.

Conclusion:

Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.”

Of course, the Marco Civil is not without its failings. Authors say that the data retention requirements by connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, is problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignores the interoperability and openness that forms the core of the Internet.

On the whole, though, the Marco Civil may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national border, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the Marco Civil as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.

For more details visit https://cis-india.org/internet-governance/blog/marco-civil-da-internet

Mapping the Legal and Regulatory Frameworks of the Ad-Tech Ecosystem in India

vipul — 2025-04-24T14:52:29Z

The main purpose of regulations in any sector is essentially twofold, one is to ensure that the interests of the general public or consumers are protected, and the other is to ensure that the sector itself flourishes and grows. Too much regulation may possibly stifle the commercial potential of any sector, whereas too little regulation runs the risk of leaving consumers vulnerable to harmful practices.

In this paper, we try to map the legal and regulatory framework dealing with Advertising Technology (Adtech) in India as well as a few other leading jurisdictions. Our analysis is divided into three main parts, the first being general consumer regulations, which apply to all advertising irrespective of the media – to ensure that advertisements are not false or misleading and do not violate any laws of the country. This part also covers the consumer laws which are specific to malpractices in the technology sector such as Dark Patterns, Influencer based advertising, etc.

The second part of the paper covers data protection laws in India and how they are relevant for the Adtech industry. The Adtech industry requires and is based on the collection and processing of large amounts of data from the users. It is therefore important to discuss the data protection and consent requirements that have been laid out in the spate of recent data protection regulations, which have the potential to severely impact the Adtech industry.

The last part of the paper covers the competition angle of the Adtech industry. Like with social media intermediaries, the Adtech industry in the world is also dominated by two or three players and such a scenario always lends itself easily to anti-competitive practices. It is therefore imperative to examine the competition law framework to see whether the laws as they exist are robust enough to deal with any possible anti competitive practices that may be prevalent in the Adtech sector.

The research was reviewed by Pallavi Bedi, it can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/mapping-the-legal-and-regulatory-frameworks-of-the-ad-tech-ecosystem-in-india

Mandatory Aadhaar card for govt scholarships violates SC order

praskrishna — 2016-07-30T15:55:38Z

There seems to be no end to the government’s legal troubles.

The article by Neelam Pandey and Aloke Tikku was published in the Hindustan Times on July 15, 2016. Sunil Abraham was quoted.

The human resource development (HRD) ministry has made Aadhaar mandatory for government scholarship and fellowship from this academic year, a move that violates the Supreme Court’s order.

Under this decision, the government will transfer the funds to the students’ bank accounts only after they submit their Aadhaar number.

The court had last August barred the government from using Aadhaar for any purpose other than distributing food grain and cooking fuel such as kerosene and LPG. The SC had gone further to rule that production of Aadhaar would not be condition for obtaining any benefits due to a citizen.

It was this SC order that prompted the government to push the Aadhaar law through Parliament to ensure that the court’s restriction did not come in the way of expanding the direct benefit transfer project.

The law – that was passed by Parliament – gave the government powers to make Aadhaar mandatory for receiving any benefit, facility or service that involved any expenditure from the public exchequer.

But most provisions of the Aadhaar law have not come into force yet.

This week, it notified provisions that enabled it to appoint the chairperson of the Unique Identification Authority of India (UIDAI) that issues the 12-digit unique number and set up offices in cities outside Delhi.

“This appears to be contempt of court,” said Sunil Abraham, head of the Bengaluru-headquartered advocacy group, Centre for Internet and Society.

Thomas Mathew, one of the petitioners in the case pending before the Supreme Court, agreed. “I am going to move a contempt petition against the HRD ministry and UGC,” Mathew said, pointing that oil companies were also forcing people to get Aadhaar.

The UGC directive to central universities sets July-end as the deadline for scholars at central universities to get their Aadhaar number. Many scholars who did not have an Aadhaar number said the fellowship were an important source of income for them to get by.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-neelam-pandey-aloke-tikku-july-15-2016-mandatory-aadhaar-card-for-govt-scholarships-violates-sc-order

Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India

shweta — 2019-12-18T12:10:05Z

We believe that voice interfaces have the potential to democratise the use of internet by addressing barriers such as accessibility concerns, lack of abilities of reading and writing on digital text interfaces, and lack of options for people to interact with digital devices in their own languages. Through the Making Voice Heard Project supported by Mozilla Corporation, we will examine the current landscape of voice interfaces in India.

Download the project announcement cards (shown above): Card 01, Card 02, and Card 03

Making Voices Heard: Project Announcement

Although voice enabled interfaces are being deployed there is a need to understand how they are beneficial, and what have been important knowledge gaps and challenges in their development, adoption, use, and regulation. Through the Making Voice Heard Project supported by Mozilla Corporation, we will be examining the current landscape of voice interfaces in India, and seek to address the following questions:

What is the broad (sectoral and functional) typology of available voice interfaces in Indian languages? How widely are these voice interfaces (in Indian languages) used, and what barriers prevent their further adoption and use?
What are concerns related to privacy and data protection that emerge with the growth of voice interfaces? What kind of protocols for data processing may need to be built into the design of these interfaces?
How accessible are these interfaces for persons with disabilities (PWDs)? What kinds of accessibility features, especially for Indian languages, may need to be developed to ensure effective use of voice technologies by PWDs?
Where do challenges in these three areas intersect? For instance, is compromising on users’ privacy, including weak or missing data protection regulations, required to create comprehensive speech datasets that may help develop better accessibility features, and address linguistic barriers?

In order to approach these questions we have begun mapping the various developers and users of voice interfaces in India. In the next stage of the process we will be looking at these interfaces through the lens of privacy, language, accessibility, and design. In order to add to the mapping and questions, we will be conducting interviews and workshops with users, developers, designers and researchers of voice interfaces in India, including the Common Voice team at Mozilla.

We hereby invite researchers, developers and designers of voice interfaces to speak to us and help inform the study. You may contact Shweta Mohandas at shweta@cis-india.org.

- Shweta Mohandas, Saumyaa Naidu, Puthiya Purayil Sneha, and Sumandro Chattapadhyay (project team)

For more details visit https://cis-india.org/raw/making-voices-heard-project-announcement

Making Voices Heard

shweta — 2022-06-27T16:18:36Z

We are happy to announce the launch of our final report on the study ‘Making Voices Heard: Privacy, Inclusivity, and Accessibility of Voice Interfaces in India. The study was undertaken with support from the Mozilla Corporation.

We believe that voice interfaces have the potential to democratise the use of the internet by addressing limitations related to reading and writing on digital text-only platforms and devices. This report examines the current landscape of voice interfaces in India, with a focus on concerns related to privacy and data protection, linguistic barriers, and accessibility for persons with disabilities (PwDs).

The report features a visual mapping of 23 voice interfaces and technologies publicly available in India, along with a literature survey, a policy brief towards development and use of voice interfaces and a design brief documenting best practices and users’ needs, both with a focus on privacy, languages, and accessibility considerations, and a set of case studies on three voice technology platforms. Read and download the full report here

Credits

Research: Shweta Mohandas, Saumyaa Naidu, Deepika Nandagudi Srinivasa, Divya Pinheiro, and Sweta Bisht.

Conceptualisation, Planning, and Research Inputs: Sumandro Chattapadhyay, and Puthiya Purayil Sneha.

Illustration: Kruthika NS (Instagram @theworkplacedoodler). Website Design Saumyaa Naidu. Website Development Sumandro Chattapadhyay, and Pranav M Bidare.

Review and Editing: Puthiya Purayil Sneha, Divyank Katira, Pranav M Bidare, Torsha Sarkar, Pallavi Bedi, and Divya Pinheiro.

Copy Editing: The Clean Copy

For more details visit https://cis-india.org/internet-governance/blog/making-voices-heard

Making the Powerful Accountable

chinmayi — 2014-01-30T06:43:41Z

If powerful figures are not subjected to transparent court proceedings, the opacity in the face of a critical issue is likely to undermine public faith in the judiciary.

Chinmayi Arun's Op-ed was published in the Hindu on January 29, 2014.

It is odd indeed that the Delhi High Court seems to believe that sensational media coverage can sway the Supreme Court into prejudice against one of its own retired judges. Justice Manmohan Singh of the Delhi High Court has said in Swatanter Kumar v. Indian Express and others that the pervasive sensational media coverage of the sexual harassment allegations against the retired Supreme Court judge 'may also result in creating an atmosphere in the form of public opinion wherein a person may not be able to put forward his defence properly and his likelihood of getting fair trial would be seriously impaired.' This Delhi High court judgment has drawn upon the controversial 2011 Supreme Court judgment in Sahara India Real Estate Corp. Ltd v. SEBI (referred to as the Gag Order case here) to prohibit the media from publishing headlines connecting retired Justice Swatanter Kumar with the intern's allegations, and from publishing his photograph in connection with the allegations.

Although the Gag Order judgment was criticised at the time that it was delivered Swatanter Kumar v. Indian Express illustrates its detractors' argument more vividly that anyone could have imagined.

Sukumar Muralidharan wrote of Gag Order case that the postponement (of media coverage) order remedy that it created, could become an "instrument in the hands of wealthy and influential litigants, to subvert the course of open justice".

Here we find that although a former Supreme Court judge is pitted against a very young former intern within a system over which he once presided, Justice Manmohan Singh seems to think that it is the judge who is danger of being victimised.

The Swatanter Kumar judgment was enabled by both the Gag Order case as well as the 1966 Supreme Court judgment in Naresh Sridhar Mirajkar v. State of Maharashtra, which in combination created a process for veiling court proceedings. Naresh Mirajkar stated that courts' inherent powers extend to barring media reports and comments on ongoing trials in the interests of justice, and that such powers do not violate the right to freedom of speech; and the Gag Order case created an instrument - the 'postponement order' - for litigants, such that they can have media reports of a pending case restricted. The manner in which this is used in the Swatanter Kumar judgment raises very worrying questions about how the judiciary views the boundaries of the right to freedom of expression, particularly in the context of reporting court proceedings.

Broad power to restrict reporting

The Gag Order case was problematic: it used arguments for legitimate restraints on media reporting in exceptional circumstances, to permit restrictions on media reporting of court proceedings under circumstances 'where there is a real and substantial risk of prejudice to fairness of the trial or to proper administration of justice'. The Supreme Court refused to narrow this or clarify what publications would fall within this category. It merely stated that this would depend on the content and context of the offending publication, and that no 'straightjacket formula' could be created to enumerate these categories. This leaves higher judiciary with a broad discretionary power to decide what amounts to
legitimate restraints on media reporting, using an ambiguous standard. Exercise of this power to veil proceedings involving powerful public figures whose actions have public implications, imperils openness and transparency when they are most critical.

Court proceedings are usually open to the public. This openness serves as a check on the judiciary, and ensures public faith in the judiciary. In countries as large as ours, media coverage of important cases ensures actual openness of court proceedings - we are able to follow the arguments made by petitioners who ask that homosexuality be decriminalised, the trial of suspected terrorists and alleged murderers, and the manner in which our legal system handles sexual harassment complaints filed by young women.

When court proceedings are closed to the public (known as 'in-camera' trials) or when media dissemination of information about them is restricted, the openness and transparency of court proceedings is compromised. Such compromise of transparency does take place in many countries, to protect the rights of the parties involved, or prevent miscarriage of justice. For example, child-participants are protected by holding trials in-camera; names of parties to court proceedings are withheld to protect their privacy sometimes; and in countries where juries determine guilt, news coverage that may prejudice the jury is also restricted.

The damage done

Although the Supreme Court stated in principle that the openness of court proceedings should only be restricted where strictly necessary, this appears to lend itself to very varied interpretation. For example, it is very difficult for some of us to understand why it was strictly necessary to restrict media coverage of sexual harassment proceedings in the Swatanter Kumar case. J. Manmohan Singh on the other hand seems to believe that the adverse public opinion will affect the retired judge's chance of getting a fair trial. His judgment also seems to indicate his concern that the sensational headlines will impact the public confidence in the Supreme Court.

The Delhi High Court's apprehension about the effects of the newspaper coverage on the reputation of the judge did not need to translate into a prior restraint on media coverage. They may better have been addressed later, by evaluating a defamation claim pertaining to published material. The larger concerns about the reputation of the judiciary are better addressed by openness: if powerful public figures, especially those with as much influence as a former Supreme Court judge are not subjected to transparent court proceedings, the opacity in the face of such a critical issue is likely to undermine public faith in the judiciary as an institution.Such opacity undermines the purpose of open courts. It is much worse for the reputation of the judiciary than publicised complaints about individual judges.

Since the Delhi High Court ruling, there has been little media coverage of the sexual harassment case. Suppression of media coverage leaves the young woman comparatively isolated. Wide coverage of the harassment complaint involving Justice Ganguly, helped the intern in that case find support. The circulation of information enabled other former interns as well as a larger network of lawyers and activists, reach out to her. This is apart from the general pressure to be fair that arises when a case is being followed closely by the public. Media coverage is often critical to whether someone relatively powerless is able to assert her rights against a very powerful person. This is why media freedom is sacred to democracies.

If the Supreme Court was confident that the high courts in India would use their broad discretionary power under the Gag Order case sparingly and only in the interests of justice, the Swatanter Kumar case should offer it grounds to reconsider. Openness and freedom of expression are not meant to be diluted to protect the powerful - they exist precisely to ensure that even the powerful are held accountable by state systems that they might otherwise be able to sway.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-january-29-2014-chinmayi-arun-making-the-powerful-accountable

Making Aadhaar Mandatory: Gamechanger For Governance?

praskrishna — 2016-03-24T06:50:10Z

Why a programme that both the Congress and the BJP have hailed as transformational has divided Parliament this week? The Aadhaar Bill which was passed this week aims at facilitating government benefits and subsidies to citizens said Finance Minister Arun Jaitley.

Yet it became a reason for the Rajya Sabha to raise key questions. On the panel - Chandan Mitra, Rajya Sabha MP, BJP; Ajoy Kumar, Spokesperson, Congress; Tathagat Sathapathy, Lok Sabha MP, Biju Janata Dal; Rajeev Chandrashekhar, Rajya Sabha MP; Sunil Abraham, Executive Director, Centre for Internet & Society; and Shekhar Gupta, Senior Journalist.

Video

Link to NDTV website

For more details visit https://cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance

Lost your phone? Here's how you can make your mobile theft-proof

praskrishna — 2017-01-19T02:40:21Z

Losing a phone has become even more costly after the government's push for a cashless society.

The article by Sanjay Kumar Singh was published in the Business Standard on January 16, 2017. Udbhav Tiwari was quoted. Read the full article on Press Reader. Udbhav Tiwari was quoted.

Prime Minister Narendra Modi, while pitching for cashless transactions, has coined a new phrase — your mobile is a bank. If you really want to use your mobile phone as a bank, remember the costs of losing it are much higher. Earlier, if you lost your mobile phone, there was the risk of misuse of personal data. Now, with most gadgets also carrying mobile wallet apps, there is the added risk of serious financial loss. A number of security solutions, available in the form of external security software or in-built into the phone, can help you track the device, lock it and minimise the probability of misuse.

First, it should give you some satisfaction that if your device is of recent vintage, someone stealing your phone will not be able to use it. Earlier, thieves would wipe the data on the phone (if it had a pin), set up a new account, and use it. But if it is an Apple phone that came out after 2014 or a phone with Android 6.0 Marshmallow or higher operating system (OS), the server will ask for login information of the first account (with which the owner had initially set up the phone). Only then will it allow someone to set up a second account on the same device. Since that information is not likely to be available to the thief, the phone will be of little use to him.

Track your device

Both Apple and Android have in-built features that allow you to track your device if it gets lost. In Apple it is called 'Find my phone' and on Android, 'Android device manager'. When you log in through your Apple or Google account while setting up the phone, this feature gets enabled by default. After your phone is stolen, go online and type 'Find my phone' or 'Android device manager'. Use your account credentials to log in. As long as your phone is on and is connected to the Internet, it will broadcast its location. If it has been switched off or can't connect to the Internet, you will only be able to see the last location from where it transmitted.

Antivirus software for mobile phones also offer tracking features. "Using our mobile security software, users can locate their lost device on a map or receive the location coordinates through an SMS," says Ritesh Chopra, country manager, Norton by Symantec. These software also enable you to lock the lost device remotely either from the antivirus software's web site or by sending an SMS. Chopra informs that you can also remotely delete all the data stored either on the device or its memory card. Users can also trigger an alarm if they think their device is still in the vicinity. "Some antivirus software also allow you to take snapshots of the illegal user once the original user has reported it as stolen," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Take preventive security measures

How well your phone and the data on it are protected after theft will, however, depend on the security measures you adopt proactively while the phone is in your possession.

Install a password: The first stage of protection you should adopt is a pin, pattern lock, or password for your mobile phone. If you don't set up a pin, everything that doesn't require a second level of authentication is available to anyone who gets possession of your device. If you lose your laptop but have logged out of your email or social networking account, the thief can't access them. But on mobile phones most of these services don't require a second level of authentication.

Most alarming from a financial standpoint is the fact that most mobile wallets don't ask for a password before allowing you to transact (Paytm has introduced one recently). "If you have a mobile wallet and don't have a pin on your phone and it gets stolen, the thief can easily transfer money from your wallet to another," says Tiwari. Most mobile and net banking apps, however, require a login and password every time you want to access them, and are hence safer.

Set a pin promptly--a strong one that can't be easily guessed. Numbers associated with you, such as your birthday, are a strict no-no. If your phone carries especially sensitive or important data, eschew pins altogether and use a detailed password with a diverse combination of characters.

Nowadays you can also deploy fingerprint-based unlocking feature on your phone. "By using Fonetastic for the Android platform, you can set the fingerprint unlock feature on your phone," informs Sanjay Katkar, managing director and chief technology officer, Quick Heal Technologies.

Encrypt data on your device: Even if you set up a pin or password, the data on your mobile phone is not protected. Hackers can bypass it and gain access to your files. To protect data, OS developers like Google and Apple encrypt data. The device encryption feature works using something unique on your device, such as its serial number, and your pin. Even if someone gets access to your files via a computer, they will not be able to open them. These files will open only on your phone, and for that they will need your pin, password or pattern lock (presuming you have set one).

In all iOS phones, the moment you set your pin, all files get automatically encrypted. In any Android phone purchased within the last one year (that runs on Android 6.0 Marshmallow by default), the same holds true. But if you have an older Android phone or OS version, you need to enable this feature manually. Go to Settings, then to Security, find an option called 'Encrypt phone' and click on it.

Install an app lock: Some security apps allow you to lock the apps on your phone and also encrypt the files produced by those apps. When you start an app, the security app will ask for a pin. And when you exit an app, it will encrypt the files stored within the app. Go to Google Play or iStore and type 'encrypted file storage' to get the most popular lock-and-encrypt apps. "If you use device-level encryption, you may not need these apps, as the former locks and encrypts the entire device," says Tiwari

For more details visit https://cis-india.org/internet-governance/news/business-standard-january-16-2017-sanjay-kumar-singh-lost-your-phone-here-is-how-you-can-make-your-mobile-theft-proof

Locating Constructs of Privacy within Classical Hindu Law

Ashna Ashesh and Bhairav Acharya — 2015-01-01T13:56:04Z

This white paper seeks to locate privacy in Classical Hindu Law, and by doing so, displace the notion that privacy is an inherently ‘Western’ concept that is the product of a modernist legal system.

Introduction: Conceptions of Privacy

Because of the variance exhibited by the various legal, social, and cultural aspects of privacy, it cannot be easily defined. As a legal concept, privacy may form a constitutional claim, a statutory entitlement, a tortious action or an equitable remedy. As a constitutional claim, privacy is either an explicitly recognised right that is capable of independent enforcement, read into a pre-existing right , or located within the penumbra of a larger right. Statutory recognition of privacy may be afforded by both criminal and civil statutes. The offence of criminal defamation for instance, is perceived as an act of violating an individual's privacy by tarnishing his or her reputation. Similarly the provision of in camera trials for divorce proceedings is an illustration of a civil statute implicitly recognising privacy. As a tortious claim the notion of privacy is commonly understood in terms of the right against trespass of property. Equity, co-terminus with a statutory mandate or in isolation, may also be a source of privacy.

Most legal conceptions of privacy in everyday use in India originated from the English common law. Other constitutional and statutory constructions of privacy, even when not found in the common law, arise within a broader modernist system of law and justice that originated in Europe. During the European colonisation of India, the British (and, in a different manner, the French ) attempted to recreate the common law in India through the establishment of a new legal and courts system, and the wholesale importation of the European idea of law. The very notion of privacy, as well as its legal conception, is a product of this legal modernity. In post-colonial societies, the argument against the right to privacy is usually premised on its perceived alien-ness - as a foreign idea brought by colonisers and imposed on a traditionalist society that favoured communitarian living over individual rights - in an effort to discredit it.

The fallacy of this argument lies in its ignorance of the cultural plurality of privacy. To begin with, the idea that is connoted by the modernist notion of privacy pre-dated the introduction of common law in India. By the time of the Enlightenment, Hindu law and Islamic law were established legal systems with rich histories of jurisprudence and diverse schools of law within them, each with their own juristic techniques and rules of interpretation. While neither Hindu law nor Islamic law use a term that readily translates to "privacy", thereby precluding a neat transposition of meanings between them, the notion of privacy existed and can be located in both the legal traditions. In this paper, the term 'privacy' is used to describe both the modernist notion that arises from the principle of personal autonomy as well as the diverse pre-modern concepts in Hindu and Islamic jurisprudence that resemble or relate to this notion. These pre-modern concepts are diverse, and do not permit an easy analysis. For instance, the Manusmriti, which is a source of classical Hindu law, prohibits bathing in tanks that belong to other men. Additionally it prohibits the use of wells, gardens, carriages, beds, seats and houses without the owner's permission. These prohibitions are not driven by the imperatives of privacy alone. The rationale is that in using others' belongings one appropriates a portion of their sins. Hence, these privacy protections are linked to an ideal of purity. Islamic law also restricts the use or misappropriation of another's property. However, this prohibition is designed to protect private property; it has no ideological link to purity.

This paper attempts to locate constructs of privacy in classical Hindu law. The purpose of this exercise is not to privilege one legal system over another. Therefore, we do not intend to normatively assess the existing modernist discourse on privacy. We simply seek to establish the existence of alternate notions of privacy that pre-date modernity and the common law.

The scope of the paper is confined to locating privacy in classical Hindu law. The materials within the realm of classical Hindu law, relevant to this exercise are- the sruti, smriti, and acara. Sruti comprises of the Vedas, Brahmanas, Aranyakas and the Upanishads. It is considered to symbolise the spirit of Hindu law and is not the source of any positivist command as such. Smriti involves various interpretations of the sruti, We have however restricted ourselves to the Dharmashastras in this realm. Acara refers to the body of customary practices.

The review of the material at hand however, is not exhaustive. The reasons for this are twofold- first, given the vast expanse of Hindu jurisprudence, the literature review has been limited; second, there is a limited availability of reliable English translations of ancient legal treatises.

This paper is divided into two parts. The first part of this paper deals with the interface of colonisation with Hindu law and elucidates the nature of Hindu law. With the advent of colonialism, classical Hindu law was gradually substituted by a modernist legal system. Exploring the characteristics of modernity, the factors that contributed to the displacement of classical Hindu law will be identified.

One of the factors that contributed to the displacement was the uncertainty that characterised classical Hindu law. Classical Hindu law was an amalgamation of three sources, as. In an attempt to rule out the uncertainty, and the lack of positive command, the modernisation of Hindu law was brought about. Accordingly this part shall also examine the nature of Hindu law. Furthermore it shall determine whether the application of codified modern Hindu law, is informed by the precepts of classical Hindu law.

Having explicated the nature of Hindu law, the next part will focus on identifying instances of privacy in classical Hindu law.

Before ascertaining specific instances, however, this part will lay down a general understanding of privacy as it existed then. It will be demonstrated that regardless of the absence of an equivalent term, an expectation of privacy existed.

The specific illustrations of privacy will then be mapped out.

Given the different aspects wherein an expectation of privacy exists, there is also a possibility of competing claims. In the event that such conflicts arise, this part will attempt to resolve the same.

Part 1: The Transmogrification of the Nature of Hindu Law

The evolution of Hindu jurisprudence can be charted through three phases- classical, colonial, and modern.

In the classical phase, it was embodied by the Dharmashastra which elaborated on customary practices, legal procedure, as well as punitive measures. The Dharamshastra was accompanied by the Vedas, and acara. Whether this body of jurisprudence could be called 'law' in the strict modernist sense of the term is debatable.

Modernity has multifarious aspects. However, we are concerned with modernity in the context of legal systems, for the purpose of this paper. The defining attribute of a modernist legal system is the need for positivist precepts that are codified by a legislature. The underlying rationale for formalised legislation is the need for certainty in law. Law is to be uniformly applied within the territory. The formalised legislation is to be enforced by hierarchized courts. Furthermore this codified law can be modified through provisions for amendment, if need be.

This modernist understanding is what informs the English common law. With the advent of colonialism, common law was imported to India. The modernist legal system was confronted by plural indigenous legal systems here that were starkly different in nature. In the given context, the relevant indigenous system is classical Hindu law. The classical precepts were interpreted by the British. These interpretations coupled with the sources of Classical Hindu law, constituted colonial Hindu law.

It is pertinent to note that these interpretations were undertaken through a modernist lens. The implication was the attempted modernisation of a traditional legal system.

The traditional system of Classical Hindu law did not exhibit any of the introduced features. To begin with not all of classical Hindu law was text based. The problem with the textual treatises was threefold. First, they were not codes enacted by a legislature, but written by various scholars. Second, they were not phrased as positivist precepts. Third, their multiplicity was accompanied with the lack of an established hierarchy between these texts.

Additionally classical Hindu law was the embodiment of dharma, which in itself was an amorphous concept. The constitutive elements ofdharma were law, religious rites, duties and obligations of members of a community, as well as morality. These elements do not however, exhaustively define dharma. There exist varying definitions of dharma, and in some cases even ancient texts dealing with dharma fail to articulate its definition. This is on account of the fact that the meaning of dharma, varied depending on the in which it is used Owing to the fact that classical Hindu jurisprudence was informed by dharma, the former was an amalgamation of law, religion and morality. Therefore it was categorised as jurisprudence that lacked the secularity exhibited by modern positivist law.

The co-existence of law and morality in classical Hindu law has led to various debates regarding its nature. Before explicating the nature of classical Hindu law, its sources must be elaborated on. As referred to, the sources are sruti, smriti, and acara.

Sruti is constituted by the Vedas, Brahmanas, Aranyakas, and Upanishads. Vedas are divine revelations that contain no positive precept per se. They are considered as the spirit of law, and believed to be the source of the rules of dharma. The Vedas are constituted by the Rigveda, Samveda, Yajurveda and Athravaveda. Based on the Vedic texts, treatises have been written elucidating religious practices. These texts are known as the Brahmanas. The Aranyakas and the Upanishads engage in philosophical enquiries of the revelation in the Vedas.

Interpretations of the Sruti by various scholars are embodied in the Smriti. The connotations of smriti are twofold. First, it implies knowledge transmitted through memory, as opposed to knowledge directly revealed by divinity. Additionally, it is the term used to collectively reference the Dharmasutras and Dharmashastra.

Dharmasutras were essentially interpretations of revelation in only prose form, or a mixture of prose and verse. They detailed the duties and rituals to be carried out by a person, through the four stages, of his or her life. The duties laid down also varied depending on the caste of a person. They also laid down guidelines for determining punishments.

Dharmasastras on the other hand were in the verse form. Though their subject matter coincided with the Dharmasutra in terms of domestic duties and rituals, they had a wider ambit. The Dharmasastras also dealt with subjects such as statecraft, legal procedure for adjudicating disputes. In a limited way, they marked the diversification from strictly religious precepts, from those that were legal in nature. For instance the Manusmriti was an amalgamation of law and ritual. The Yajnawalkya Samhita however, has separate parts that deal with customary practices, legal procedure, and punitive measures. The Narada Smriti, in turn deals only with legal procedure and rules of adjudication.

It is opined that in due course of time, the Aryan civilisation diversified. Their life and literature were no longer limited to sacrificial practices, but took on a more 'secular' form. The Arthashastra is evidence of such diversification. Unlike the Dharmashastra, it deals with strategies to be employed in governance, regulations with regard to urban planning, commercialisation of surrogacy, espionage, among other things.

The third source of classical Hindu law, acara refers to customary practices and their authoritativeness was determined by the people. Their prevalence over textual tradition is contentious. Some opine that acara prevails over textual traditions. However, the opposing school of thought believes that customary practices prevail only if the text is unclear or disputed.

Other sources of classical Hindu law include the itihas (epics such as the Mahabharata and Ramayana), and digests written by scholars.

Given the diversity of sources and its non-conformity to positivism, the nature of classical Hindu law is a heavily contested issue. For instance, with regard to the legal procedure in the Dharmashastra, Maynes opines that these rules qualified as law in the modernist sense. Ludo Rocher however, opines that textual treatises would not qualify as law. Classical Hindu law can admittedly not be identified as strictly legal or strictly moral. However, it does in a limited way recognise the distinction between legal procedure and morality. This is to say, it is not merely a source of rituals, but also lays down precepts that are jurisprudentially relevant.

On account of its non-conformity with characteristics of a modernist legal system, classical Hindu law was displaced by its colonial version. The British attempted to accomplish this though the process of codification. The colonial attempts to codify Hindu law were carried forward by the Indian government post-independence. The result was the Hindu Code Bill. The context in which this codification took place must be examined in order to better comprehend this transmogrification. Post-independence, the idea of a Uniform Civil Code had been debated. However it was at odds with the Nehruvian notion of secularity. The codification of Hindu personal law was an attempt at modernising it, without infringing on the religious freedom of Hindus. The idea was to confine the influence of religion to the private sphere. What emerged was the Hindu Code Bill, which served as the blueprint for the Hindu Marriage Act, the Hindu Succession Act, the Hindu Minority and Guardianship Act and, the Hindu Adoption and Maintenance Act. Colonial Hindu law was thus displaced by modern Hindu law.

As Galanter observes however, modernisation through legislations may formalise or even modify classical precepts, but cannot erase them completely. For instance, Section 7 of the Hindu Marriage Act, which prescribes the ceremonial requirements for a Hindu marriage, replicates those prescribed in Classical Hindu law. Additionally a plethora of judicial decisions have relied on or taken into consideration, precepts of ancient Hindu jurisprudence.

It is evident thus that ancient precepts still inform modern Hindu law. Given their relevance, it would be erroneous to write off classical Hindu law as completely irrelevant in a modernist context.

Part II: Precepts of Privacy in Classical Hindu Law

As referred to, we have not come across a terminological equivalent of the term 'privacy' in the course of our research. The linguistic lacuna is admittedly a hurdle in articulating the pre-modern understanding of privacy as found in Hindu jurisprudence. It is not however, an argument against the very existence of privacy. The lack of pre-modern terminology necessitates the usage of modern terms in classifying the aspects of privacy detailed in Hindu jurisprudence.

Thus, broadly speaking, the aspects of privacy we have culled out from the material at hand are those of physical space/ property, thought, bodily integrity, information, communication, and identity. As will be demonstrated these aspects overlap on occasion and are by no means an exhaustive indication. In order to contextualise these aspects within the realm of Hindu jurisprudence, they are detailed below through specific illustrations.

A. Privacy of physical Space/ property

Akin to the modern legal system that first understood privacy in proprietary terms, Hindu jurisprudence too accorded importance to privacy in terms of physical space. This is further illustrated by the similarity between the common law notion of a man's house being his castle, and the institutional primacy accorded by the Naradsmriti to the household . The common denominator here is the recognition of a claim to privacy against the sovereign. This claim operated against society at large as well. For instance, an individual caught trespassing on someone else's property was liable to be fined.

These religious precepts were supplemented by those reflected in texts such as the Arthashastra. By way of illustration the house building regulations prescribed by it are largely informed by the recognition of a need for privacy. To begin with, a person's house should be built at a suitable distance from a neighbour's house, to prevent any inconvenience. In addition the house's doors and windows should ideally not face a neighbours doors and windows directly. The occupants of the house should ensure the doors and windows are suitably covered. Furthermore in the absence of a compelling justification, interference in a neighbour's affairs is penalised.Juxtaposed to religious texts that often perceived privacy as a concept driven by the imperative of purity, the Arthashastra is reflective of a secular connotation of privacy.

Though the household was privileged as the foundational institution in Hindu jurisprudence, claims of privacy extend beyond one's house to other physical objects as well, regardless of whether they were extensions of the household or not. For instance, both the Yajnawalkya Samhita and the Manusmriti condemn the usage of another person's property without his or her permission.

What is noteworthy in the context of personal property is that in an era infamous for the denigration of women, Hindu jurisprudence recognised a woman's claim over property. This property, also known as Stridhana, had varied definitions. In the Yajnawalkya Samhita for instance, it is conceptualised as, "What has been given to a woman by the father, the mother, the husband or a brother, or received by her at the nuptial fire, or given to her on her husband's marriage with another wife, is denominated Stridhana or a woman's property". In the Manusmriti, it is defined as "What was given before the nuptial fire, what was given on the bridal procession, what was given in token of love, and what was received from her brother, mother, or father, that is called the sixfold property of a woman".

Beyond mere cognizance of proprietary rights however, these precepts were also informed by the notion of exclusivity. Consequently, a woman's husband or his family were precluded from using her Stridhana, unless they were in dire straits. Additionally it was a sin for a woman's relatives to use her wealth even if the same was done unknowingly.

B. Privacy of Thought

In addition to the aspect of physical space, a claim to privacy vis-a-vis the intangible realm of thought was afforded by Hindu jurisprudence. In the modern context the link between solitude and privacy has been recognised as early as 1850 by Warren and Brandeis. The key distinction is that in the modern era this need for solitude was seen as a function of the increasing invasion of privacy. In the pre-modern era however, solitude was considered essential for self-actualisation, and not as a response to the increasing invasion of the private realm. Meditation in solitude was perceived as enabling existence in the highest state of being. In fact a life in solitude was identified as a pre-requisite for being liberated.

Though solitude itself is intangible, engaging in meditation would require a tangible solitary space. This is where the privacy of thought overlapped with the aspect of privacy of space. Accordingly, the Arthashastra prescribed that forest areas be set aside for meditation and introspection. It also recognised the need for ascetics to live within these spaces harmoniously, without disturbing each other.

It is evident, that as far as the aspects of privacy were concerned, there were no watertight compartments.

C. Privacy with respect to bodily integrity

A claim to privacy of thought can only be substantively realised when complemented by the notion of privacy with respect to bodily integrity, as corporeal existence serves as a precursor to mental well-being. The inference drawn from the relevant precepts concerning this aspect is that they were largely women-centric. Arguably they were governed by a misplaced patriarchal notion that women's modesty needed to be protected. At best they could be considered as implicit references to an expectation of privacy.

The Manusmriti states, "But she who…goes to public spectacles or assemblies, shall be fined six krishnalas". Restrictions operating during a woman's menstruation were twofold. Her family was prohibited from seeing her. Additionally cohabitation with such a woman was also forbidden. It should be pointed out that that these constructs had little to do with a woman's expectation of privacy. They were forbidden due to the attached implications of impurity that would vest in the defaulter. A woman's autonomy with regard to her body was not regarded as a factor meriting consideration.

However, there were constructs, albeit limited, which were more egalitarian in their approach and did recognise her autonomy. They established that women do have an expectation of privacy in terms of bodily integrity. Sexual assault was considered as an offence. Evidence of this is found in the Yajnawalkya Samhita which states, "If many persons know a woman against her will, each of them should be made to pay a fine of twenty four panas". In addition, the Arthashastra vested in commercial sex workers the right to not be held against their will. Further it expressly states that even a commercial sex worker cannot be forced to engage in sexual intercourse.

Women could make a claim to privacy not only against society at large, but also against their husbands. Ironically, while our contemporary legal system (i.e., the Indian legal system) fails to criminalise marital rape, the Manusmriti considered it an offence. Additionally, husbands were also prohibited from looking at their wives when the latter were in a state of relaxation.

D. Privacy of Information and Communication

While the three aspects explicated above were by and large restricted to the individual, the privacy of information and communication has been largely confined by Hindu jurisprudence to the realm of the sovereign. Both the Manusmriti and the Arthashastra acknowledge the importance of a secret council that aids the king in deliberations. These deliberations are to be carried on in a solitary place that was well-guarded. The decisions made in these deliberations are to be revealed on a need to know basis. That is to say, only persons concerned with the implementation of these decisions are to be informed. The Manusmriti also provides for private deliberation by the king on matters not involving governance. It provides, "At midday or midnight , when his mental and bodily fatigues are over, let him deliberate, either with himself alone or with his ministers on virtue, pleasure, and wealth".

Apart from governance, privacy of information also pertained to certain types of documents that were considered private in nature. These are documents that involve transactions such as partition, giving of a gift, purchase, pledge and debt. What is interesting about this precept is the resemblance it bears to the common law notion of privity. The common characteristic of the documents referred to, is that they concerned transactions undertaken between two or more persons. The rights or obligations arising from these transactions were confined to the signatories of these documents. It could be possible that the privatisation of these documents was aimed at guarding against disruption of transactions via third party intrusions.

The limited reference to private communications is found within the realm of governance, within the context of privacy of information. The only illustration of this that we have come across is the precept in the Arthashastra that requires intelligence to be communicated in code.

E. Privacy of Identity

The final aspect that warrants detailing is the privacy of identity. The notion of privacy of identity can be understood in two ways. The first deals with protection of personal information that could be traced back to someone, thus revealing his or her identity. The second recognises the component of reputation. It seeks to prevent the misappropriation or maligning of a person's identity and thus reputation. In ancient Hindu jurisprudence there is evidence of recognition of the latter. An illustration of the same is offered by the precept which states "For making known the real defects of a maiden, one should pay a fine of a hundred panas". Another precept prescribes that false accusations against anyone in general are punishable by a fine. Additionally, there is also a restriction operating against destroying or robbing a person of his or her virtue. In the modern context, the above would be understood under the rubric of defamation. These precepts are indicative of the fact that defamation was recognised as an offence way before the modern legal system afforded cognizance to the same.

Conclusion

The dominant narrative surrounding the privacy debate in India is that of the alien-ness of privacy. This paper has attempted to displace the notion that privacy is an inherently 'Western' concept that is the product of a modernist legal system. No doubt the common understanding of the legal conception of privacy is informed by modernity. In fact, the research conducted in support of this paper has been synthesised from privacy information through a modernist lens. The fact still remains however, that privacy is an amorphous context, and its conceptions vary across cultures.

To better appreciate the relevance of Classical Hindu law in a modernist context, the nature of Hindu law must be examined first. While Hindu jurisprudence might not qualify as law in the positivist sense of the term, its precepts continue to inform India's statues and judicial pronouncements.

Privacy is subjective and eludes a straitjacketed definition. On occasion this elusiveness is a function of its overlapping and varying aspects. At other times it stems from a terminological lacuna that complicates the explication of privacy. These impediments notwithstanding, it is abundantly clear that the essence of privacy is reflected in Hindu culture and jurisprudence. This may give pause to thought to those who seek to argue that 'collectivist' cultures do not value privacy or exhibit the need for it.

Daniel J. Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154(3), January 2006.

Id.

Upendra Baxi, Who Bothers About the Supreme Court: The Problem of Impact of Judicial Decisions, available at http://clpr.org.in/wp-content/uploads/2013/08/whobothersabouttheSupremeCourt.pdf (Last visited on December 23, 2014) (The enforceability of rights often sets their individual enjoyment apart from their jurisprudential value); In India, the reading of privacy into Article 21 has not resulted in a mechanism to enforce a standalone right to privacy, See R.H. Clark, Constitutional Sources of the Penumbral Right to Privacy, available at http://digitalcommons.law.villanova.edu/cgi/viewcontent.cgi?article=2046&context=vlr (Last visited on December 23, 2014) (In the United States, the right to privacy was located in the penumbra of the right to personal autonomy).

See PUCL v. Union of India, AIR 1997 SC 568.

See Griswold v. Connecticut, 381 U.S. 479 (1965); Lawrence v. Texas, 539 U.S. 558 (2003).

See The Indian Penal Code, 1850, Section 499.

See The Hindu Marriage Act, 1955 Section 22; The Special Marriage Act, 1954, Section 33.

Bhairav Acharya & Vidushi Marda, Identifying Aspects of Privacy in Islamic Law, available at http://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law (Last visited on December 23, 2014).

See Robert Lingat, The Classical Law of India (1973).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010) (This importation must be viewed against the backdrop of the characteristics of the era of Enlightenment wherein primacy was accorded to secular reason and the positivist conception of law. Davis observes "One cannot deny the increasing global acceptance of a once parochial notion of law as rules backed by sanctions enforced by the state. This very modern, very European notion of law is not natural, not a given; it was produced at a specific moment in history and promulgated systematically and often forcibly through the institutions of what we now call the nation-state, especially those nations that were also colonial powers.)"; But see Alan Gledhill, The Influence of Common Law and Equity on Hindu Law Since 1800, available at http://www.jstor.org/stable/755588 (Last visited on December 23, 2014); Werner Menski, Sanskrit Law: Excavating Vedic Legal Pluralism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1621384 (Last visited on December 23, 2014) (However, this replacement of traditional legal systems did not extend to personal laws. Personal laws in India continue to be community-based, sometimes un-codified, draw from a diverse set of simultaneously applicable sources and traditional schools of jurisprudence.).

Supra note 8, Acharya & Marda.

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013) ("It is only recently that the debate around privacy was stuck in this "collectivist" vs. "individualistic" cultural discourse…we discovered that privacy concerns and the need for safeguards were often embedded deeply in a nation, and not just as a response to a modern phenomenon.").

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013)

J. Duncan M. Derrett, The Administration of Hindu Law by the British, available at http://www.jstor.org/stable/177940 (Last visited on December 23, 2014).

Manusmriti, Chapter IV, 201.

Manusmriti, Chapter IV, 202.

Id.

Wael B. Hallaq, An Introduction to Islamic Law 31 (2009).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010).

Marc Galanter, The Displacement of Traditional Law in Modern India, Journal of Social Issues, Vol. XXIV, No. 4, 1968.

Id.

Supra note 20, Galanter.

Supra note 10, Menski.

Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Id.

Ashcroft as cited in Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Supra note 20, Galanter.

Id.

Id .

Supra note 19, Davis.

Id.

Id .

J. Duncan M. Derrett, Introduction to Modern Hindu Law (1963); Supra note 19, Davis.

Supra note 9, Lingat.

Id.

John D. Mayne, Hindu Law (1875).

Id.

Supra note 49, Mayne.

Id.

Supra note 19, Davis.

Id.

Supra note 49, Mayne.

Ludo Rocher, Studies in Hindu Law and Dharamasastra (2012).

For instance the Yajnawalkya Samhita has clear delineations in its chapters, segregating customary practices, legal procedure and punitive measures.

Madhu Kishwar, Codified Hindu Law: Myth and Reality, available at http://www.jstor.org/stable/4401625 (Last visited on December 23, 2014).

Id .

Supra note 59.

Id.

Supra note 20, Galanter.

See The Hindu Marriage Act, 1955, Section 7.

Saroj Rani v. Sudarshan Kumar Chadda, AIR 1984 SC 1562 (reflected the importance accorded by classical Hindu law to marital stability); M Govindaraju v. K Munisami Goundu 1996 SCALE (6) 13(The Supreme Court looked to ancient Shudra custom to adjudicate on a matter of adoption); Rajkumar Patni v. Manorama Patni, II (2000) DMC 702 (The Madhya Pradesh High Court, relied on the definition of Stridhan by Manu.).

Supra note 8, Acharya & Marda.

Semayne v. Gresham, 77 Eng. Rep. 194, 195; 5 Co. Rep. 91, 195 (K.B. 1604).

As cited in Julius Jolly, The Minor Law Books 164 (1889), ("A householder's house and field are considered as the two fundamentals of his existence. Therefore let not the king upset either of them; for that is the root of the householders").

Manmath Nath Dutt, The Dharamshastra - Hindu Religious Codes, Volume 1, 103 (1978) (Yajnawalkya Samhita, Chapter II 235-236: "He…who opens the doors of a closed house [without the permission of the master]…should be punished with fifty panas. Such is the law.").

L.N. Rangarajan, Kautalya: The Arthashastra 371 (1992) ("O be built at a suitable distance from the neighbours property so as not to cause inconvenience to the neighbour").

Id ., ("…doors and windows shall be made so as not to cause annoyance by facing a neighbour's door or window directly").

Supra note 72, Rangarajan, ("when the house is occupied the doors and windows shall be suitably covered").

Id., 376.

See Manusmriti, Chapter IV, 201-202.

Supra note 71, Dutt, 27 (Yajnawalkya Samhita, Chapter I , 160: "One should avoid the bed, seat, garden-house and the conveyance belonging to another person.").

Supra note 71, Dutt, 89 (Yajnawalkya Samhita, Chapter II, 146).

Manusmriti, Chapter IX, 194.

Supra note 71, Dutt Volume 2, 276 (Angiras Samhita, Chapter I, 71).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, Harvard Law Review, Vol. IV, December 15, 1890, No.5.

Id.

Manusmriti, Chapter IV, 258; Supra note 71, Dutt, 134 (Yajnawalkya Samhita Chapter III, 111: "Having withdrawn the mind, understanding, retentive faculty and the senses from all their objects, the soul, the lord…should be meditated upon.").

Manu Chapter VI, 44.

Supra note 71, Dutt, 186 (Harita Chapter VII, 6: "Situated in a solitary place with a concentrated mind, he should, till death mediate on the atman, that is situated both in the mind and the external world… ").

Supra note 72, Rangarajan, (Arthashastra, 2.2.2).

Supra note72, Rangarajan, (Arthashastra 3.16.33-36).

Manusmriti IX, 84

Supra note 71, Dutt, Volume 2, 350 (Samvarta Samhita,163).

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 291).

Supra note 71, Dutt, Volume 1, 113 (Yajnawalkya Samhita, Chapter II, 294).

Supra note 72, Ranjarajan (Arthashastra 2.27.14).

Supra note 72, Rangarajan (Arthashastra 4.13.38).

Manusmriti, X, 62

Manusmriti Part VII, Supra note 101, Rangarajan (Arthashastra 1.15.2-5, 1.15.13-17).

Supra note 72, Rangarajan (Arthashastra 1.15.2-5 : The scrutiny of governance related affairs was take place in a secluded and well-guarded spot, where it could not be overheard. No unauthorised person was allowed to approach these meetings.).

Supra note 72, Rangarajan (Arthashastra 1.15.13-17: "…Only those who have to implement it should know when the work is begun or when it has been completed.").

Supra note 72, Rangarajan.

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 292).

Supra note 71, Dutt, Volume 4, 919 (Vishnu Samhita, Chapter LII, 16).

For more details visit https://cis-india.org/internet-governance/blog/loading-constructs-of-privacy-within-classical-hindu-law

Living in a Fish Bowl

praskrishna — 2014-07-16T07:15:22Z

Though India needs a comprehensive law on the right to privacy, it may not be ready for something as avant garde as the “right to be forgotten” on the Internet, argues Shuma Raha

The article by Shuma Raha was published in the Telegraph on July 16, 2014. Sunil Abraham gave his inputs.

If you do a Google search for journalist and television personality Barkha Dutt, a raft of scurrilous information about her pops up. It isn’t tucked away somewhere on the 10th page either — it’s all up front, right there in “autosuggest”, almost prompting you to go and check it out. And thanks to Google’s search algorithm, the more people click on that link, it further strengthens the score for that “hit”.

Dutt says she has brought the matter to the attention of Google, but to no avail. “I have lost interest in the whole struggle,” she says. “But Google definitely needs to do something about the slanderous, inaccurate, fictional information out there that creates a narrative of its own.”

Well, in Europe at least, the tech giant has taken a step in that direction. Late last month, it started erasing search results that threw up information deemed to be “irrelevant”, “outdated” or “excessive”. The move came after the European Court of Justice ruled that Internet search engines would have to allow people the “right to be forgotten” in specific cases and accordingly, take down information about them.

The European Court ruling has triggered a huge debate since an individual’s right to be forgotten seems to be at complete loggerheads with people’s right to know. Nevertheless, it’s a landmark decision when it comes to right to privacy on the Internet. After all, the online space has perma-memory and inaccurate or irrelevant or outdated information about a person can be embedded there forever, damaging him or her in manifold ways.

So how far are we in India from securing the right to be forgotten on the Internet?

The short answer to that is, very far. That is because India does not have a well-defined privacy regime wherein one could envisage a court of law handing out a similar — and some would say a somewhat radical — order on a Google or a Bing. “The right to be forgotten is a bit too advanced for us,” says Sunil Abraham, director, Centre for Internet and Society, a non-profit organisation that works on policy issues relating to freedom of expression and privacy. “After all, we are yet to come up with a privacy and data protection regime that implements the best practices of European countries.”

Adds Apar Gupta, a Delhi-based lawyer, who has written extensively on privacy issues, “Sector specific privacy legislation do exist, but they do not provide substantive rights or efficient remedy in case of violations.”
No one disputes that India should get a right to privacy law, especially one that relates to the collection, processing and use of personal data. Right now the government’s surveillance mechanisms like the Central Monitoring System and the Lawful Interception and Monitoring Systems allow security agencies and income tax authorities to intercept communication, snoop on phone conversations, read emails and SMSes with little or no safeguards for privacy protection.

A right to privacy bill has, in fact, been in the works since as early as 2011. But the government has been dragging its feet over it. Early this year, a new version of the draft bill was “leaked” to the press. But few are happy with it. On the positive side, it raises the penalty for unlawful interception of communication (from Rs 1 lakh to Rs 2 crore) and increases penalties for other offences such as obtaining personal data under false pretexts. But crucially, it almost wholly exempts intelligence agencies from the purview of the law, thereby allowing them unbridled access to personal information. Of course, no one knows if this “leaked” draft is indeed the official one.

Experts say that the government should really formulate a right to privacy law based on the recommendations of a committee chaired by Justice A.P. Shah. The report, which was published in 2012, proposes that the right to privacy be statutorily extended to all Indians. It recommends, among other things, the appointment of privacy commissioners and the formulation of certain “national privacy principles” such as taking the consent of the individual prior to the collection of data, allowing him the choice to withdraw such consent, limiting the use of personal information to the stated purpose and so on. The privacy principles would apply to all data collectors in both private and public sectors.
There are, of course, a number of provisions in existing laws that relate to privacy. For example, Rule 419A of the Indian Telegraph Rules, 1951, sets down certain privacy safeguards such as maintaining details about the officer ordering an intercept of telecommunication.

Moreover, Section 66E of the Information Technology Act, 2000, prescribes “punishment for the violation of privacy” (in the context of capturing “private” images of a person without his or her consent); Section 43A lays down that a “body corporate” will be liable to pay compensation in case it fails to protect personal data gathered in the course of its operation; and Section 79 stipulates that “intermediaries” — entities such as Google, Facebook, Twitter — would have to take down any information stored or transmitted by them that is found to be grossly harassing, defamatory, blasphemous, obscene, pornographic and so on, within 36 hours of being notified.

Of course, this section of the IT Act has been roundly criticised as arbitrary and Draconian, but that is another story.
The point is that despite the fair number of privacy provisions, in the absence of a comprehensive law, the untrammelled and unauthorised use of personal data cannot be ruled out. “Every country in the world collects personal data. But once the data are collected for a particular purpose they should not be used for any other purpose. The law has to be in a position to catch the violators,” says Kamlesh Bajaj, CEO of Data Security Council of India, an organisation that works to promote data protection and privacy best practices.

As always, the key issue is that an individual’s right to privacy has to be balanced with public interest. And it is in that context that experts feel that even if India were to have a privacy law, it is probably not ready for something akin to the European Court ruling on the right to be forgotten. As Gupta says, “It raises a real danger of public personalities blocking legitimate journalism on grounds of privacy. This is specially true in a country like India which permits a high degree of illegality in the name of secrecy and confidentiality.”

Abraham agrees with that view. “I’m not sure if the right to be forgotten will enhance privacy or usher in a level of censorship,” he says.

As Europe grapples with that debate, India’s privacy warriors are asking for something far more fundamental — a comprehensive law that guarantees the right to privacy to all.

For more details visit https://cis-india.org/news/the-telegraph-july-16-2014-living-in-a-fish-bowl

Live Chat: Aadhaar: An identity crisis?

praskrishna — 2015-04-03T06:54:25Z

The Aadhaar card is not compulsory for citizens and "no person should be denied any benefits or ‘suffer’ for not having the Aadhaar cards issued by Unique Identification Authority of India," the Supreme Court ruled on Monday.

The live chat was published in the Hindu on March 17, 2015. Sunil Abraham took part in the discussions.

Four years after Aadhaar was launched – and touted as a panacea to access social services and subsidies – its users continue to be dogged by an array of problems ranging from technical glitches to procedural delays. And those who do not have an Aadhaar card find themselves quizzed by government authorities.

The Hindu’s Tamil Nadu edition today highlighted the challenges ordinary citizens - both those who have cards and those who do not – face, be it from non-availability of application forms or glitches in the biometrics process.

We will be hosting a live chat on Aadhaar at 5 pm today. You can pose questions and share your views with Sunil Abraham, Executive Director of Bangalore-based research organisation, Centre for Internet and Society; K. Gopinath, Professor at the Computer Science and Automation Department at the Indian Institute of Science (IISc) and The Hindu’s K. Venkatraman.

Comment From Anon

What could have happened such that the current government, who were once in the opposition, were members of the parliamentary committee that strongly opposed UIDAI, now suddenly wants to use it everywhere? What could have transpired such that the PM got so convinced that it would help its citizens more than it could potentially harm?

Sunil Abraham: Usually the party that is in power is pro-surveillance and anti-censorship and the opposition is pro-privacy and pro-free speech. After the elections - if the parties swap positions as a result of the mandate - then they usually also swap positions on surveillance and censorship. This phenomenon is not specific to India.

K. Gopinath: The leakage in the current models is very high. Hence, the attraction.

The issue earlier was whether there was some costs to the use of sw (esp. proprietary) from outside the country. Probably, these have been addressed.

Comment From Saurabh

Aadhaar was supposed to be a good 2 factor authentication mechanism, what happens to it now ?

Sunil Abraham: Aadhaar architecture was designed to allow for multiple authentication factors. Unfortunately biometrics is a poor authentication factor since it cannot be revoked. Any two-factor authentication scheme where one factor is biometrics is in reality only a one-factor scheme. Pin code as with credit cards and debit cards would have been much more secure for authentication.

K Venkataramanan: It will continue to be relevant, but is unlikely to be mandatory for quite some time.

K. Gopinath: Real-time 2-factor auth (biometrics, signatures) are not easy, esp over Internet, and would require a much longer rollout

Comment From Saurabh

I did not get Aadhar for myself or my family. Does this mean, I will not have to as yet.

Sunil Abraham: As per the UIDAI - Aadhaar is not mandatory. Also according to the latest remarks from the Supreme Court - Aadhaar should not be made mandatory without enabling law. But many state and central government agencies have ignored the comments made by the SC and have made Aadhaar mandatory for various programmes and schemes.

The Hindu: Is Aadhaar virtually redundant now following the SC order? Nothing more than an expensive experiment?

K. Gopinath: I think it will be used as an addl auth mechanism (just like elec./ph. receipts). May be once the technology is demo'ed properly (it has not been done seriously anywhere else), it will be taken up again.

Comment From Abubacker

I am an NRI and need to have Aadhaar Card? How to obtain Appointmet - I am from Tuticorin, Tamil Nadu

K Venkataramanan: Your family member or representative living in Tuticorin may apply for Aadhaar through the local body. It may be possible to get a date for recording biometrics. However, you have to come down here for recording biometric details.

Comment From Kishore J

Why is Govt. not able to legalize the Aadhar, I'm assuming the only reason Supreme court keeps blocking it is because its not a law passed by Parliament ?

K. Gopinath: SC goes by the constitution. If there is some concern someone is being "excluded", they will block it.

Sunil Abraham: The NIA bill was proposed in parliament and then referred to a Standing Committee. Our summary and detailed feedback to the Bill is available here: http://cis-india.org/intern... The Standing Committee harshly criticized the Bill. See: http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf After which the Bill has not been reworked by the UIDAI or the Planning Commission /Niti Aayog for re-presentation to the Parliament.

Sunil Abraham: No - it is not just an expensive experiment. It is much more dangerous - it is what security experts call a Honey Pot. A centralized repository of biometrics harvested from residents of India. These biometrics can be used to authenticate transactions in the UIDAI database and other services. If there is a breach - then this huge collection of authentication factors will end us in the hands of criminal elements or some foreign state.

Comment From vaz

Aadhar is a joke, i have so many IDs and i cannot get any benefits out of it, it is simply wasting time, if Govt really want mandate make it easy for people, i pay taxes and Govt should treat me like one , i can not waste my time standing in queues to get that card, get me time slot and don't waste my time.

Sunil Abraham: This is because the process of registration has been outsourced to private agencies. These private agencies have futher outsourced to others and so on and so forth. Consequently, there is very poor management and quality control by these agencies. If indeed corruption was a priority - we should have tackled high-ticket corruption first. We could have had biometric registration just for only the politicians and bureaucrats. We could use biometric authentication with them to create a non-repudiable audit trail of subsidies flowing from the Centre to the Panchayat. Unfortunately, we tried to register everybody simultaneously and that has resulted in poor quality of biometrics and demographic data. We have visited some of the registration centre and have seen the reality on the ground.

Comment From Guest

I have been threatened by Gas Agency people if i don't link Aadhar to Bank Account, won't be given a refilling cylinder.Is this a right one?

K Venkataramanan: There is an option for getting DBT even without Aadhaar. The bank account and the gas agency consumer account can be linked without Aadhar. Please check www.mylpg.in for knowing how to apply for DBT registration without Aadhaar

The Hindu: Your views Prof Gopinath? Do you see it as a biometrics Honey Pot too?

K. Gopinath: From a security pov, it is certainly risky. It needs really robust technologies before one can think of rolling out. For example, we have "denial of service" attacks. ie, a service can be shut out by random bombardment of msgs. Most curr large scale systems are designed to handle it but some cannot handle it if large numbers collude. This only prevents access to service but other attacks can exfiltrate (take out) data, modify data, etc.

The Hindu: And Mr. Venkataramanan, your thoughts?

Comment From kuldeep singh chauhan

We need a strong law for data security. Aadhar is collecting data but there is no provision except some provisions of IT Act and IPC for data security.

K. Gopinath: Yes, the legislation is weak or unnecessarily vague (eg. the IT2000 act) or too broad in scope. I think what we need is a citizen's charter for data access, security and privacy. Also, what needs to be done when systems do not work!

Sunil Abraham: There are two interpretations of Sec. 43A of the IT Act. Acccording to most experts it only applies to Body Corporates in other words it does not apply to the Government when it plays the role of a data controller. According to an order issued by the IT Secy of Maharastra [the court of first instance for 43A of ITA] -this section will also apply to the Government. But beyond that order we have no clarity on this question.

Comment From Pavan

With no privacy laws, isn't it a bad idea to store citizen's data in a database? We all know how inept our government is in ensuring any security/privacy.

Sunil Abraham: With or without laws. Centralized approaches to identity/authentication management are much more fragile and vulnerable compared to decentralized options. The Internet is secured by digital signatures - there is no centralized repository of all these signatures. Therefore there is no centralized point of failure for the Internet. If the Aadhaar project was based on Smart Cards instead of Biometrics - then just like the Internet it would be robust without a central point of failure. http://cis-india.org/intern...

K. Gopinath: Storing all info in a single place is a big security risk. It needs very robust technologies (such as replication and "secret sharing protocols") that work inspite of failures. These have been done here and there but doing it on a large scale requires care.

Comment From Kunal Soni

SC Adhar card recommendations, ok Got it! But what about the banks for example SBI who ask for adhar cards stating its the bank's rule? Who's going to answer the question as they would never listen to common man and they never did.

Comment From Sandeep

Hi,May be it is a strong message, but what exactly is the need to make/introduce the Adhaar card, which is not recognizable worldwide? Why dont we make our passport smart enough and reduce it to a chip as in Europe. This will also enable everyone to get enrolled in our administrative system. Basically, we are only repeating the entire process with no international recognition.

Comment From Krishna Rao

Need to make it mandatory in the lines of SSN in US. Else it would be very difficult to manage and ensure the subsidies and benefits reach the really deserved section.

Comment From Ramesh

It is a great concept it all information like property purchases, tax returns, ration card, pf, esi, bank accounts , rail, air tickets are all linked. will reduce corrupt practice considerably. It should be the main identity of an Indian

Comment From arun

@Sunil what are the privacy safeguards that are in place currently regarding protection of information collected by the government and private agencies designated for this?

Sunil Abraham: Do you mean legal or technical?

K Venkataramanan: @The Hindu: Yes, there are serious privacy issues involved in a centralised database. However, their is a counter-view that this is no different from any other data base available in the hands of the government such as the one relating to PAN. The main concern of those worried about the privacy problem in Aadhaar is that data collection is done by private agencies, and details such as biometric data could be misused

The Hindu: Sunil, a question for you from arun

Comment From Pawan

Govt should give it legal recognition and give legal guarantee about the usage and storage of the data... After that there would be no concern related to identity security or enforcing it on the people.. People would trust it and come forward to register for it.

Sunil Abraham: Legal recognition and guarantees are not sufficient. You cannot use the law to fix poor technology design. The security of the Internet is not a function of good law. It is a function of good technological design.

Comment From Pappan

the so called Europe, US an other developed countries already have Social security numbers, why cant we just look at it like that?

Sunil Abraham: Social Security Number are an additional identifier. The database just contains a collection of identifiers. If that database is compromised the information cannot be used to authenticate transactions. This is very unlike the UIDAI centralized database which is a collection of authentication factors. Think of it as a database filled with the passwords of all Indian residents.

K Venkataramanan: @Kunal Soni - SBI can't insist on it as of now. The person who issued any circular to that effect may be hauled up in court

Comment From Guest

I have two questions. First, why is the honourable supreme court strking down aadhar, on what grounds? Second, how can the government come around those objections and allay the courts fears/objections? The informed panelists may please give their opinions too. Thank you

Sunil Abraham: There are 3 sets of petitioners who are being heard by the SC in the combined case. Some of them associated with the right are arguing that the UID is a threat to national security as it legitimizes illegal immigrants. Those associated with the left are arguing that it is a violation of the right to privacy. Still other who are ex-officers from the armed forces are arguing that the project is mired in corrupt practices.

K Venkataramanan: The Court has not struck down Aadhaar. It has only passed interim orders protecting the access to services of those who have not yet had them.

Comment From Aashish Gupta

Aadhaar was supposed to usher in portability of benefits. That is, you could migrate to a different state and still get the benefit you deserved.

Sunil Abraham: The Aadhaar database only contains information that identifies you and also allow you to authenticate against that database. It does not indicate eligibility for various schemes/subsidies. The migration across State level eligibility lists has to be done by the State. It is not a functionality provided by the UIDAI.

Comment From Ramesh

Supreme Court should have suggested a better option instead of coming down heavily on the Aadhar Card. The card will straight eliminate multiple rations cards and voter ids.

Sunil Abraham: The previous technology adopted by the NDA government - smart cards or SCOSTA [for the MNIC]. This technology option is free from many of the flaws of UIDAI's current design.

Comment From Mrigesh

Why is Aadhaar needed? I am for a middle class or for the elite class?

Comment From Geetha

Has the government (or concerned agencies/departments) formulated any policy on using the Aadhar information collected? For instance, what agency can use the information, under what conditions, with whose approval, for what limited purposes? Is this policy publicly available?

Sunil Abraham: No. Anyone who is approved by the UIDAI as a legitimate can use the KYC API. Absolutely anyone can use the Authentication API. There is no policy on what data collection/retention practices must be adhered to by the users of both these APIs.

Comment From Arun Jayapal

Has the government ever considered/analyzed a way to link the existing resources (such as ration card, DL, passport, voter id, etc.,) and not have come up with a completely new system (aadhaar). Is this not an absolute waste of time and resources?

Sunil Abraham: Yes, you are absolutely right. The government should have used biometrics as a means to dedup an existing high value database like the Electoral Rolls or more importantly the PAN Card database. That would have been better RoI for our anti-corruption Rupee.

K Venkataramanan: @Ramesh The Court has come down heavily on only officials who insist on Aadhar for delivery of services when there are clear orders that it should not be mandatory

Comment From George J

I'm an NRI. I presently work and live in a country where the first order of business on landing/Birth is to register one self and get a unique ID number and ID. This the case for expats as well as residents be they foreigners or Citizens. The registration process includes collection of Biometric data. This single No and Id is used for everything from Bank Accounts to School Admissions. It is good that India is doing something similar. It is high time people with multiple ration cards, Passports and the like are weeded out and provided a single verifiable identity. Data Security is of essence and necessary safeguards are available.

Sunil Abraham: Could you name the country? And can you use biometrics your country to authenticate transactions in a centralized database for all sorts of transactions? If yes, then the technology design in your country is as poor as in ours and it is only a question of time when the centralized database leaks.

Comment From Aashish Gupta

Apart from the Honey Pot, Aadhaar does not serve its primary purpose: tackling corruption. Most pilots of Aadhaar have crash landed, and as a result, state governments have created their own simpler systems to tackle corruption.

Sunil Abraham: See: http://www.thehindu.com/opi... If the authentication match is not working [1:1 match]. Then basically the dedup will not work [1:n] match. That is why they are doing demographic dedup before biometric dedup - because they know that the biometric dedup is fallible.

Comment From Balu

A citizenship card , backed with a strond database is a must for every citixen . Some serious thoughts should be done in this matter at the earliest , instead of wasting time and money on different schemes .

Sunil Abraham: We should use decentralized Internet scale technologies based on open standards that are already proven. If we had used smart cards based on SCOSTA or EMV standard we would be in a much better place.

Comment From PRASHANTH

Comment From vikash

supreme court should not have to push such legal hurdles given that the 750 million card has already been generated.A lot of money has been investad in the project

Comment From Saket

Aaadhar card is full of errors. At the place where I got registered person was issuing it in a hurry which creates lots of typing errors in DOB and Place.

Comment From Aashish Gupta

The supreme court has not struck down aadhaar, it has said that aadhaar cannot be mandatory. This is to make sure that people who do not have an aadhaar card do not miss out on their entitlements.

Comment From Ramesh

Aadhaar should be made mandatory with necessary safeguards. Unless there is an ultimatum and time frame to get the card it will never be implemented. Even now many do not know where to get it done.

Comment From Aadharam

Could you clarify whether this is an interim order or a final order on Aadhar? Is there scope for a retraction/shift on the Supreme Court's part?

Comment From Onkar Tiwari

Why supreme court doesnt understand Adhar is necessary? it can curb corruption. it wll reduce corruption specially in manrega where people enters fake details and grab the money.

K Venkataramanan: It is only an interim order. The Court will, hopefully, resolve the questions raised by the petitioners about privacy and data security issues

Comment From George J

I have taken Aadhar Card. The procedure asks the applicant themselves to verify the data entered for typing mistakes etc. before being uploaded, in fact where I registered they had asked for a sign off on the final data on a printout. So how errors can creep in is beyond me. However the photography equipment and skill of the data entry operator leave much to be desired as the mug shot is not very kind to me!

Comment From Guest

There should be a guide line which need to be followed as it is in the hands of private partners who are also ask for bribe from the poor people for the aadhar and they have no other option to pay for it as they thought that this only can help them to get the govt. facilities and subsidies.

K Venkataramanan: @Onkar Tiwari, It is up to the government to convince the court that Aadhaar will help curb corruption, and how. The Court is unlikely to stop the use of technology to improve delivery of services and curb corruption.

Comment From v subrahmanian

help line over phone and the email correspondence is total waste.. they themselves are helpless. Any query has never been replied to the caller's satisfaction. Getting them on line itself is a challenge. It's so complex. Of course, every eligible citizen of this complex country must have the identity card. Why not if it is done through employer in case of organized salaried employees?

Comment From Ramakrishna Rao

Hi !! I request the panelists to kindly sum up in few 4 or 5 points the reasons/grounds on which the parliamentary committee has rejected the aadhar

Comment From Guest

The agencies who are collecting data for Aadhar Card are not doing good. The aadhar card is full with many kind of errors including Name and DOB.. Even a person is able to register twice under this scheme.

The Hindu: Mr. Venkataramanan would you like to respond to Ramakrishna Rao?

Comment From Guest

@K Gopinath - how robust is the de-duplication UID claims to have. And in real time transactions, is it possible to authenticate n request without 'false positives' or 'negatives'?

K. Gopinath: Dedup claims assume “good” conditions. For example, a farmhand may have rough skin, etc that may make the fingerprints problematic. 1% errors have been reported in the past. Real time txns: I think the current Aadhar is not geared for it. The connectivity is not there. Also, with fingerprint technologies, the ability to check large number of fingerprints for a match is not good enough. It has never been scaled to the extent that is being planned.

Comment From Sandeep

Still not sure if Aadhaar then other ID cards not needed ? Or Still all along with Aadhaar ? then what is meaning of Aadhaar ? Only for LPG connection? Why not govt making Aadhaar is mandatory in all other fields as well , As Govt spent huge money for Aadhaar

Comment From Guest

@ Sunil - How plausible is the idea that govt can use UID data to profile public?

Comment From Sushubh

I for one is very happy that at least the Supreme Court is not falling for this privacy infringing scam. People defending this card here on this platform needs to read more about it.

Comment From Guest

Govt. created panic among public regarding adhaar. Public is highly annoyed with the way the government is handling this adhaar project. Only court reprimands,govt. backtracks as far as the adhaar is concerned. It is high time for govt. to have serious insight into this.

K Venkataramanan: The parliamentary committee on Finance had objected to the UID being extended to non-citizens on the ground that it may end up in illegal immigrants getting Aadhaar numbers.

It had also questioned the rollout ofthe scheme before legislation was passed. It had objected to its implementation without regard to its consequences.

Comment From Srinivasa

I believe Nandan Nilkeni had mentioned certain very good examples of the system flagging duplicates. So I assume the system is robust. We need to make it mandatory for all services delivery and have suitable policy and technology to protect data.

Sunil Abraham: I don't think we can go by the assurance of someone no longer associated with the project. It is not persons that keep us safe it is proper technology and law.

The Hindu: Welcome back Sunil! Lots of questions await you

K Venkataramanan: The committee had said UIDAI had no conceptual clarity, no proper assessment of the costs involved, and that it could end up in the hands of private agencies, that the technology was untested and the UID may not meet the objectives for which it was conceived

Sunil Abraham: Sorry I was logged out.

Comment From Guest

There was a recent news in The Hindu about linking of Adhar cards to election voter ID cards in Andhra Pradesh. Do you think that adopting such moves by every state result in mandating the procedure eventually?

Comment From Guest

First Passport then PAN , voter id and now adahar, in any country there is only passport and SSN, why india needs so many identity cards

K. Gopinath: The PAN database has been problematic just as the voter id. Hence, every technology cycle, a new system is usually attempted that attempts to be "better" than the before. However, this requires care which is not in good supply in the govt where the "lowest" bidder wins or outsourcing happens.

The Hindu: We have Prof Gopinatha back too. Sorry about that technical glitch.

Comment From Deepak Vasudevan

Why are different apex agencies managing Aadhar like UIDAI, Census and NPR? There should be one root (apex) body and others should report onto it.

Sunil Abraham: Yes. The division of work between UIDAI and NPR is not very clear and has added to the confusion.

K Venkataramanan: The parliamentary standing committee, too pointed out the overlap of functions involving UIDAI and NPR

The Hindu: There was this question for you earlier on the thread @K Gopinath - how robust is the de-duplication UID claims to have. And in real time transactions, is it possible to authenticate n request without 'false positives' or 'negatives'?

Comment From Guest

When Union Of India aimed to greater transparency... these are the road blocks they get... If Aadhar is not mandatory... then make Voter ID, PAN Card, Ration card also not mandatory in their respective Govt Businesses ... make self declaration as mandatory .. lets go to the stone age in this Information age. Instead SC should direct the center to come up with procedure to accommodate legitimate citizens of India into the scheme in a time bound manner and frame policies to avoid misuse of the personal data. are we looking the current world Information age thru the same old glasses... it is time to adopt the change...

Sunil Abraham: Indeed we need more transparency. But privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power See: http://openup2014.org/priva...

K Venkataramanan: Linking Aadhaar and voter ID cards is also being tried out in other states It is only one more means of eliminating fake voters or duplicates, but is unlikely tobe a ground to make Aadhaar mandatory

Comment From Ganesh

@Mr.Sunil, The current technology adopted for UIDAI is not good compared to last regime?

Sunil Abraham: Please see my our open letter on this question http://cis-india.org/intern...

Comment From Madhavan R

Just because UPA government bring this, its not good for NDA to object it.. STOP wasting our money.. Just try to make best out of it..

Sunil Abraham: Pouring more money into a failed project will not save it. It has serious technological flaw and without addressing it we are just making a bad situation worse.

Comment From George J

Currently all embassy's are collecting biometric data when you apply for a visa. Most of this collection is done by private parties on behalf of the respective governments. So if an Indian has travelled abroad the chances of his Biometric data being available to foreign govts is 99%. So what is the big scare about this? The need that it should be secure and should not be misused is sacrosanct. with the kind of revelations that have been made about mass eavesdropping I think people should get used to living in glass houses!

Comment From Pappan

@Sunil, please clarify about your comment on technology inadequecy

Comment From Yuvaraj

I strongly support Adhaar card implemenataion. intially they may face challeneges but for the long run its very effective mechanism to monitor every thing

Sunil Abraham: Monitoring everything means you monitor nothing. The bigger the haystack the harder it is to find the needle. Good surveillance practices means targetting survelliance not en masse data collection.

Comment From Guest

It is heard that privacy of citizens is at stake with adhaar card. can panelists respond to this?

Sunil Abraham: I have dealt with your question here: http://www.business-standar...

Comment From Srinivasa

That comparison of the two standards (SCOSTA and Aadhar) made interesting reading. Why not a system where you collect biometrics and iris and then issue a SCOSTA card? the biometrics and iris can be used to remove duplicates and maintain a clean registry by failing the duplicate SCOSTA cards. And all further transactions will only need a card based access.

Comment From Loganathan

This is one the worst move by any government in the center to remember. With no motive for the card, they introduced just to add to the loss in exchequer and there is no benefit out of it. Many have wrong data entered against their name and totally the waste one of all

Comment From Sabari Arasu

I am aware of someone who is not Indian citizen got Aadhar card for himself and his family. This scares me a lot as anyone(read Bangaladheshis, Sri Lankans, Pakintanis, etc..) can get Aadhar card. Is there a measure taken by Government to identify these issues?

Sunil Abraham: This is possible because the technology [biometrics] cannot verify citizenship. Even worse biometrics can be imported from foreign countries and can be used to create resident ghosts. This is because the technology cannot even verify if the person in India. We will need surveillance cameras at every point of registration to take care of this possible fraud.

Comment From Chandra Sekhar

Aadhaar card was a huge opportunity for the government to improve the efficiency of governance.It was a challenging task and required great amount accuracy.The way this project was executed is a question mark on efficiency of governance.

The Hindu: Sunil, Venkatramanan, Gopinath - would you agree that Aadhaar was an opportunity to improve governance? @chandra sekhar

Comment From Guest

Freebee lovers/netas will always oppose when you want to implement some thing which might deny them the benefit.

Sunil Abraham: Any evidence to backup this statement?

Comment From Guest

if the ASDHAAR is nt necessary as per SC then why everywhere it is being preferred identity such as Subsidy, Passport etc.

Sunil Abraham: Preference is not the same as a mandatory requirement.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-march-17-2015-aadhaar-an-identity-crisis

LITD 17 Committee, Bureau of Indian Standards Meeting

praskrishna — 2016-10-07T01:38:00Z

Vanya Rakesh attended the LITD-17 committee meeting (committee on Information Systems Security and Biometrics) organised by the Bureau of Indian Standards on 23 September 2016 in Bengaluru.

The agenda for the meeting included presentation of the draft data privacy standard for India which was proposed before the BIS and its members. Elonnai Hickok and Vanya are a part of the drafting committee for the same. The draft standard was accepted by BIS and would now be circulated for further comments. Click here to read the Agenda.

For more details visit https://cis-india.org/internet-governance/news/litd-17-committee-bureau-of-indian-standards-meeting

List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament

Amber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya Rakesh — 2016-03-21T08:50:09Z

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.

Download the submission letter: PDF.

Text of the Submission

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:

Identification without Consent: Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.
Fallible Technology: The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. [1]

Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:

Implement the Recommendations of the Shah and Sinha Committees: The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah [2] and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha [3] have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.
Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory: Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.
Vulnerabilities in the Enrolment Process: The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.
Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens: The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.
Prohibit Central Storage of Biometrics Data: The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.
Chain of Trust Model and Audit Trail: As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.
Rights of Residents: There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.
Establish Appropriate Oversight Mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.
Establish Grievance Redressal and Review Mechanisms: Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.

Endnotes

[1] See: http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.

[2] See: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

[3] See: http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf.

For more details visit https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016