Centre for Internet and Society

Fake Narendra Modi apps aplenty, but it’s up to users to protect themselves

praskrishna — 2016-12-10T04:24:24Z

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

The article was published by Indian Express on December 2, 2016. Pranesh Prakash was quoted. Also see Nandini Yadav's blog post in BGR on December 3, 2016.

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

A “Narendra Modi” app, purportedly offered by the Government of India, caught the attention of Internet expert Pranesh Prakash on Thursday as the app developer was found to be using a Bangladesh-based web host and e-mail address. Suggesting that this could be the work of a con-artist, Prakash underlined that granting access to fake apps could lead to security breach. The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded. The original NaMo, however, only gets access to read, modify and delete the user’s media files. The “fake” app was downloaded more than 1 lakh times and has an average rating of 4.4 from over 2,000 reviews. A simple search on the play store throws up dozens of Narendra Modi apps, some even calling themselves fake apps. The original app was published by Narendramodi.in and Government Of India. But there are scores of other apps trying to imitate the original.

Pranesh, who is Policy Director at The Centre for Internet and Society, also questioned how users can differentiate between fake and genuine apps when even the official app was registered using a gmail address. While the Government of India Narendra Modi app has been published using info@narendramodi.press, the one by Narendramodi.in has been published using a simple Gmail app. He also highlighted how the play store was flooded with fake banking apps, with one such “SBI app” gaining full access to the user’s files. Incidentally, the fake Modi Ki Note app which has been in the limelight since the demonetisation on high value notes and issue of new ones itself has many duplicates.

In the last two days, the Congress and its vice-president Rahul Gandhi fell victim to hacking as their verified Twitter accounts were compromised. Profane content was shared from both accounts, targeting the Gandhi and his family. This lead to the Congress questioning Prime Minister Narendra Modi’s digital India push as security remains a huge concern.

For more details visit https://cis-india.org/internet-governance/news/indian-express-december-2-2016-fake-narendra-modi-apps-aplenty-but-it-is-up-to-users-to-protect-themselves

Facial Recognition Technology in India

Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha — 2021-09-02T16:21:24Z

The Human Rights, Big Data and Technology Project, University of Essex, UK and the Centre for Internet & Society (CIS) have jointly published a research paper on facial recognition technology. Authors, Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha, examine technological tools such as CCTV and FRT which are increasingly being deployed by the government.

Executive Summary

Over the past two decades there has been a sustained effort at digitising India’s governance structure in order to foster development and innovation. The field of law enforcement and safety has seen significant change in that direction, with technological tools such as Closed Circuit Television (CCTV) and Facial Recognition Technology (FRT) increasingly being deployed by the government.

Yet for all its increased use, there is still a lack of a coherent legal and regulatory framework governing FRT in India. Towards informing such a framework, this paper seeks to document present uses of FRT in India, specifically by law enforcement agencies and central and state governments, understand the applicability of existing legal frameworks to the use of FRT, and define key areas that need to be addressed when using the technology in India. We also briefly look at how the coverage of FRT has increased beyond law enforcement; it now covers educational institutions, employment purposes, and it is now being used for providing Covid-19 vaccines.

We begin by examining use cases of FRT systems by various divisions of central and state governments. In doing so, it becomes apparent that there is a lack of uniform standards or guidelines at either the state or central level - leading to different FRT systems having differing standards of applicability and scope of use. And while the use of such systems seems to be growing at a rapid rate, questions around their legality persist.

It is unclear whether the use of FRT is compliant with the fundamental right to privacy as affirmed by the Supreme Court in 2017 in Puttaswamy. While the right to privacy is not an absolute right, for the state to curtail this right, the restrictions will have to comply with a three-fold requirement— first, being the need for explicit legislative mandate in instances where the government looks to curtail the right. However, the FRT systems we have analysed do not have such a mandate and are often the result of administrative or executive decisions with no legislative blessing or judicial oversight.

We further locate the use of FRT technology within the country’s wider legislative, judicial and constitutional frameworks governing surveillance. We also briefly articulate comparative perspectives on the use of FRT in other jurisdictions. We further analyse the impact of the proposed Personal Data Protection Bill on the deployment of FRT. Finally, we propose a set of recommendations to develop a path forward for the technology’s use which include the need for a comprehensive legal and regulatory framework that governs the use of FRT. Such a framework must take into consideration the necessity of use, proportionality, consent, security, retention, redressal mechanisms, purpose limitation, and other such principles. Since the use of FRT in India is also at a nascent stage, it is imperative that there is greater public research and dialogue into its development and use to ensure that any harms that may arise in the field are mitigated.

Click to download the entire research paper here

For more details visit https://cis-india.org/internet-governance/blog/hrbdt-and-cis-august-31-2021-facial-recognition-technology-in-india

Facial Recognition Technology in India

Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha — 2021-09-02T16:17:44Z

For more details visit https://cis-india.org/internet-governance/facial-recognition-technology-in-india.pdf

Facebook: Limiting access to social media can restrict freedom of speech

praskrishna — 2013-08-08T04:07:38Z

In its counter-affidavit to the PIL in the Delhi high court, Facebook has argued that limiting access to social media can limit an individual's freedom of speech and expression.

Kim Arora's article was published in the Times of India on August 1, 2013. Sunil Abraham is quoted.

The PIL, among other things, deals with the issue of minors accessing Facebook services, arguing that under the Indian Contract Act 1872, minors can't enter into a contract. The PIL will be heard next on Friday.

Last year, the UN Human Rights Council had passed a resolution declaring access to Internet as a human right. Facebook has argued making a similar point for access to social media. "The Internet is increasingly becoming a platform for citizens including minors to interact and voice their opinions and, therefore, a meaningful interpretation of the right to freedom of speech and expression would include the freedom to access social media," the counter-affidavit says.

"It can be argued that in a technologically mediated society, social media and communication infrastructure is essential to exercise freedom of expression," says Sunil Abraham, director, Bangalore-based Center for Internet and Society.

Cyber lawyer Pavan Duggal sees it as "hyperbole". "The issue still remains that a minor doesn't have the capacity to act under the Contract Act," he says. Lawyers say that if a contract is entered into for free service in exchange of personal information, it is a "consideration" (like cash or kind) under the Indian Contract Act 1872. The Act says, "All agreements are contracts if they are made by the free consent of parties competent to contract, for a lawful consideration and with a lawful object, and are not hereby expressly declared to be void." It then lists minors as incompetent to contract, and says, "The agreement, if any party is minor, is void ab initio." However, Abraham points out that "It is not an offence to enter a void contract."

To weed out fake profiles and children's profiles, the PIL, filed by former RSS ideologue K N Govindacharya, argues that "obligation is cast upon Facebook and other social networking sites to verify the authenticity of each and every subscribers (sic) which is mandatory for Mobile companies in telecommunication sector.

Mumbai-based professor of law Saurav Datta feels this sort of authentication could have serious privacy implications. "There is no way they can verify users without impinging on their privacy. The goal of the PIL is wrong. We need to protect children, not keep people out," says Datta.

Abraham says that a possible way to deal with this can be on the lines of Canadian privacy law where a privacy commissioner can raise such concerns with the service provider directly.

For more details visit https://cis-india.org/news/the-times-of-india-aug-1-2013-kim-arora-facebook-limiting-access-to-social-media-can-restrict-freedom-of-speech

Facebook, Google deny spying access

praskrishna — 2013-07-02T10:18:48Z

The CEOs of Facebook and Google on Saturday categorically denied that the US National Security Agency had "direct access" to their company servers for snooping on Gmail and Facebook users. But both acknowledged that the companies complied with the 'lawful' requests made by the US government and shared user data with sleuths.

The article by Javed Anwer was published in the Times of India on June 9, 2013. Pranesh Prakash is quoted.

In a post titled "What the ...?" Google's official blog, CEO Larry Page wrote, "We have not joined any program that would give the US governmentâ€”or any other governmentâ€”direct access to our servers. We had not heard of a program called PRISM until yesterday."

A few hours later, Facebook CEO Mark Zuckerberg responded. "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers... We hadn't even heard of PRISM before yesterday," he wrote on his page at the social media site.

According to a few PowerPoint slides allegedly leaked by an NSA official, nine technology companies - Google, AOL, Apple, Yahoo, Microsoft, Skype, Facebook, YouTube and PalTalk - are providing the US government easy access to user data. While all companies have denied being part anything called PRISM, Facebook and Google have been most vocal about it.

A few hours after Facebook and Google statements, the New York Times said in a report that technology companies had "opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users".

"In some cases, they (companies) changed their computer systems to do so," noted the NYT report.

The statements by the CEOs have done little to allay privacy fears. "The denials from the companies look highly coordinated, including similar phrases in all their responses. I don't think they are lying outright, though the NYT report suggests that they are telling a half-truth. They may not provide the US government 'direct access' to all their servers, but may be providing indirect access, or may just be responding to very broad FISA orders," said Pranesh Prakash, a policy director with Centre for Internet and Society in India.

On Friday US president Barack Obama had tacitly acknowledged NSA surveillance programmes aimed at non-US citizens. "You can't have a hundred per cent security and also then have a hundred per cent privacy and zero inconvenience. You know, we're going to have to make some choices as a society," he told reporters in the US.

Page and Zuckerberg also called on the governments to be more open about surveillance programmes. "The level of secrecy around the current legal procedures undermines the freedoms we all cherish," wrote Page.

Added Zuckerberg, "We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term."

For more details visit https://cis-india.org/news/times-of-india-javed-anwer-june-9-2013-facebook-google-deny-spying-access

Facebook to pay Indians to give up privacy: Experts raise questions

Geetika Mantri — 2019-06-22T04:01:26Z

Facebook has launched a voluntary, opt-in program, which monetarily compensates users in exchange for their data.

The blog post by Geetika Mantri was published in the Newsminute on June 14, 2019. Pranesh Prakash was quoted.

On June 11, 2019, Facebook announced ‘Study,’ its market research app for Android users in US and India, which pays users who allow it to monitor how they use the applications on their phone.

The Study app will collect data on the apps installed on a participant’s phone, the amount of time spent using those apps, the participant’s country, device and network type and app activity names, which may show Facebook the names of app features the participants are using. It promises not to collect user IDs, passwords, or any of the participant’s content, such as photos, videos or messages and has assured that the information will neither be sold to third parties nor used to target ads. Facebook says it also won’t add the data collected to the user’s Facebook account if they have one. Read more about it here.

It’s clear that this is a voluntary, opt-in program, which monetarily compensates users in exchange for them giving up some of their privacy. A Facebook spokesperson told TNM that the payments will be made on a monthly basis through PayPal, but the amount and the rate were not disclosed. “Our partner, Applause, will handle all compensation,” Facebook said.

And while experts point out that Facebook is certainly not the first company that wants to do market research by collecting user data, the new proposal raises some pertinent questions about privacy and consent.

Not illegal, but what’s the end goal?

“It is clear that market research apps invade people’s privacy,” states Pranesh Prakash, a fellow at the Centre for Internet and Society. “However, asking people to opt-in for market research is not uncommon. And if consent is given, it is legal. There is nothing wrong with people participating in this as long as they are aware.”

That being said, Pranesh also points out that in many cases, market research such as this has led to useful insights about user behaviour and can contribute to public policy as well. However, in Facebook’s case, it is likely that the findings will be used internally and will not be made public.

When asked about the purpose of this data collection, Facebook said it was to make better products.

“Like many companies, we use market research to help us understand trends and build better products. This information is incredibly important to us because knowing how people use apps helps us prioritise and build better experiences for people,” a Facebook spokesperson said, adding that they are maintaining complete transparency.

No strong data privacy laws in India

While there is a requirement for participants to consent to share data with Study app, what makes Indian users vulnerable is that the country does not strong data privacy laws. The Data Privacy Bill 2018, modelled on the General Data Protection Regulations (GDPR) of the European Union, is yet to become a law and is riddled with loopholes in its present form.

Nitish Chandan, a cyber-security specialist, points out that though the Supreme Court deemed privacy a fundamental right of Indian citizens last year, the jurisprudence itself has not evolved – no major company or entity has been punished so far for a data breach.

“Had the Data Protection Bill been passed, there would have been a clear mandate for companies who want to process personal data as well as purpose limitation, meaning they can only process data for certain purposes and not others,” Nitish says.

And while the data collection is legal because consent is obtained, Nitish points out a strong data protection law would have barred from it being used for unethical purposes such as mass profiling. The Data Protection Bill for instance, under section 33 (1), bars large-scale profiling or any processing which carries the risk of “significant harm to data principles” unless the data fiduciary undertakes a data protection impact assessment in India.

Further, while purpose limitation breaches can be picked up by watchdogs, common people are unlikely to realise this and read the fine print, Nitish adds.

What conditions is consent being sought in?

Nayantara R, Programme Manager–Freedom of Expression at the Internet Democracy Project, tells TNM that Facebook’s decision to launch Study raises some very important questions.

"With calls for informed consent while giving away data, something like Study seems to satisfy many requirements. The app will clearly state what data is collected when a user opens it, etc. But the problem is approaching consent in an individualised manner, without questioning if there are structural conditions that enable giving consent. A useful parallel to draw is conversations on consent in the context of sexual relations. We question the power dynamics and surrounding circumstances in the giving of consent there. The Study app is a good case to confront what is the kind of consent we are after," she explains.

Nayantara argues that consent has to be situated in the larger ecosystem of power play. The situation is made complex by the monetary incentive. If a person needs the money and therefore consents to give up their privacy to a large company – how freely is that consent given? And is it a fair trade?

“These questions don’t have easy answers but are the conversations that we need to start having,” Nayantara states. “This is not so much about whether Facebook's motives are bad. The more important question it raises is about the demands that civil society has been making: consent, compensation in exchange for the labour on platforms etc,” she observes.

The Facebook spokesperson’s response indicated that the company has been aware of these debates and demands: “We’ve learned that what people expect when they sign up to participate in market research has changed and we’ve built this app to match those expectations.”

Not Facebook’s first time collecting data

This is not the first time that Facebook has launched an app for market research – its now-defunct Research app, launched in 2016, was rolled back after an investigation by Tech Crunch that revealed the app had violated Apple’s policies. The app had asked users to download a VPN onto their devices, ‘trust’ it (requiring users to give it permission), and could, if it wanted, access personal information of users, including private messages on social media apps, chats from instant messaging apps (inclusive of photos and videos), emails, web browsing history and even the present location of the person, by tapping into another app using the location feature.

This app – that also paid users up to $20 per month in gift cards to share their data – came under even more fire because it didn’t just target adults. People from age 13 to age 35 were eligible to download this app. Investigations also revealed that Facebook had ended up collecting some non-targeted data as well.

Additionally, it also bought the Onavo Protect app in 2014, which projected itself as a privacy app providing free VPN to users and allowing them to minimise their data plan usage. However, the app was collecting information on users, providing Facebook with deep analytics about which apps the users were using. The app was eventually discontinued after the data snooping was discovered.

Facebook seems to have learnt from these experiences. “We’re offering transparency, compensating all participants and keeping people’s information safe and secure,” a company spokesperson said. However, Tech Crunch reportedthat Study – which is only for users above the age of 18 – too could give Facebook crucial insights into competitors and features it could invest in on its own platforms based on what was popular on other apps users are using.

For more details visit https://cis-india.org/internet-governance/news/geetika-mantri-june-14-2019-the-news-minute-facebook-to-pay-indians-to-give-up-privacy

Facebook Privacy Design Sprint

Admin — 2018-12-04T16:28:41Z

Pranav Bidare and Saumyaa Naidu participated in the Facebook Privacy Design Sprint on Friday, November 30, 2018.

For more details visit https://cis-india.org/internet-governance/news/facebook-privacy-design-sprint

Facebook Data for Good in New Delhi

Admin — 2019-07-31T02:10:23Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Anubha Sinha participated in a session organized by Facebook on 29 July 2019 at University of Chicago Center in New Delhi.

Click to download the brochure

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-delhi

Facebook Data for Good in Bangalore

Admin — 2019-07-31T02:14:06Z

When data is shared responsibly with the communities that need it, it can improve well being and save lives. Shweta Mohandas participated in a session organized by Facebook on 25 July 2019 at Indian Institute of Science in Bangalore.

For more details visit https://cis-india.org/internet-governance/news/facebook-data-for-good-in-bangalore

Facebook breach: Privacy advocates in India seek stronger data laws

Admin — 2018-03-20T23:37:04Z

Privacy advocates in India underlined the urgent need for stronger data privacy laws in India with the debate coming under focus after reports alleged that British data analysis firm Cambridge Analytica had tapped into the profiles of more than 50 million Facebook users, without their permission, during the last US elections.

The article by Surabhi Agarwal and Devina Sengupta was published in the Economic Times on March 20, 2018. Pranesh Prakash was quoted.

Advocates of data privacy told ET that even in India — where issues around data privacy have been on the boil — voter opinion may be targeted by using their personal information without their approval. “The government has not moved with necessary pace on data protection,” said advocate Apar Gupta.

“Election commission (EC) has not taken up this issue of data protection for regulatory scrutiny. EC has in the past issued guidelines to protect election integrity and restrained exit polls and also required candidates to disclose social media handles. However, much more needs to be done,” he added.

His concerns around India’s voting process being potentially vulnerable to similar influence like in the US come amid a “case study” on the Cambridge Analytica website said the company had worked for Indian political parties as well.

It said that the British firm was “contracted to undertake an indepth electorate analysis for the Bihar Assembly Election in 2010…Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won”.

Media reports quoted sources at Cambridge Analytica, and its Indian partner, Oveleno Business Intelligence, as saying that the local company was in talks with leading Indian political parties for a pact for their 2019 parliamentary poll campaigns.

“This shows integrity of elections and voter trust may be undermined through data analytics and target voters on the basis of their personal data,” said Gupta Pranesh Prakash, policy director at Center for Internet and Society, said India urgently needs a strong data protection regulation, that require companies to have oversight and pin liabilities on them if they fail to have oversight over data they transact with.

“So, in this case for instance, the companies that provided Cambridge Analytica DATA are seriously culpable and Facebook --right now it is unclear if under any current law it is culpable --there are some discussions in the US etc. Regardless of it, they should be required to exercise greater diligence when it comes to personable data that they have taken consent for,” said Prakash.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. If these reports are true, it's a serious abuse of our rules.

All parties involved — including the SCL Group/Cambridge Analytica, Christopher Wylie and Aleksandr Kogan — certified to us that they destroyed the data in question. In light of new reports that the data was not destroyed, we are suspending these three parties from Facebook, pending further information. We will take whatever steps are required to see that the data in question is deleted once and for all —and take action against all offending parties.”

In a statement to ET, Facebook said there was no breach of its data base and that protecting people’s information was core to the company. “Like all app developers, Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” Paul Grewal, VP & Deputy General Counsel, Facebook said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-20-2018-surabhi-agarwal-devina-sengupta-facebook-breach-privacy-advocates-in-india-seek-stronger-data-laws

Facebook and its Aversion to Anonymous and Pseudonymous Speech

Jessamine Mathew — 2014-07-04T07:53:07Z

Jessamine Mathew explores Facebook's "real name" policy and its implications for the right to free speech.

The power to be unidentifiable on the internet has been a major reason for its sheer number of users. Most of the internet can now be freely used by anybody under a pseudonym without the fear of being recognised by anybody else. These conditions allow for the furtherance of free expression and protection of privacy on the internet, which is particularly important for those who use the internet as a medium to communicate political dissent or engage in any other activity which would be deemed controversial in a society yet not illegal. For example, an internet forum for homosexuals in India, discussing various issues which surround homosexuality may prove far more fruitful if contributors are given the option of being undetectable, considering the stigma that surrounds homosexuality in India, and the recent setting-aside of the Delhi High Court decision reading down Section 377 of the Indian Penal Code. The possibility of being anonymous or pseudonymous exists on many internet fora but on Facebook, the world’s greatest internet space for building connections and free expression, there is no sanction given to pseudonymous accounts as Facebook follows a real name policy. And as the recent decision of a New York judge, disallowing Facebook from contesting warrants on private information of over 300 of its users, shows, there are clear threats to freedom of expression and privacy.

On the subject of using real names, Facebook’s Community Standards states, “Facebook is a community where people use their real identities. We require everyone to provide their real names, so you always know who you're connecting with. This helps keep our community safe.” Facebook’s Marketing Director, Randi Zuckerberg, bluntly dismissed the idea of online anonymity as one that “has to go away” and that people would “behave much better” if they are made to use their real names. Apart from being a narrow-minded statement, she fails to realise that there are many different kinds of expression on the internet, from stories of sexual abuse victims to the views of political commentators, or indeed, whistleblowers, many of whom may prefer to use the platform without being identified. It has been decided in many cases that humans have a right to anonymity as it provides for the furtherance of free speech without the fear of retaliation or humiliation (see Talley v. California).

While Facebook’s rationale behind wanting users to register for accounts with their own names is based on the goal of maintaining the security of other users, it is still a serious infraction on users’ freedom of expression, particularly when anonymous speech has been protected by various countries. Facebook has evolved from a private space for college students to connect with each other to a very public platform where not just social connections but also discussions take place, often with a heavily political theme. Facebook has been described as instrumental in the facilitation of communication during the Arab Spring, providing a space for citizens to effectively communicate with each other and organise movements. Connections on Facebook are no longer of a purely social nature but have extended to political and legal as well, with it being used to promote movements all through the country. Even in India, Facebook was the most widely adopted medium, along with Twitter and Facebook, for discourse on the political future of the country during, before and after the 2014 elections. Earlier in 2011, Facebook was used intensively during the India Against Corruption movement. There were pages created, pictures and videos uploaded, comments posted by an approximate of 1.5 million people in India. In 2012, Facebook was also used to protest against the Delhi gang rape with many coming forward with their own stories of sexual assault, providing support to the victim, organising rallies and marches and protesting about the poor level of safety of women in Delhi.

Much like its content policy, Facebook exhibits a number of discrepancies in the implementation of the anonymity ban. Salman Rushdie found that his Facebook account had been suspended and when it was reinstated after he sent them proof of identity, Facebook changed his name to the name on his passport, Ahmed Rushdie instead of the name he popularly goes by. Through a series of tweets, he criticised this move by Facebook, forcing him to display his birth name. Eventually Facebook changed his name back to Salman Rushdie but not before serious questions were raised regarding Facebook’s policies. The Moroccan activist Najat Kessler’s account was also suspended as it was suspected that she was using a fake name. Facebook has also not just stopped at suspending individual user accounts but has also removed pages and groups because the creators used pseudonyms to create and operate the pages in question. This was seen in the case of Wael Ghonim who created a group which helped in mobilizing citizens in Egypt in 2011. Ghonim was a Google executive who did not want his online activism to affect his professional life and hence operated under a pseudonym. Facebook temporarily removed the group due to his pseudonymity but later reinstated it.

While Facebook performs its due diligence when it comes to some accounts, it has still done nothing about the overwhelmingly large number of obviously fake accounts, ranging from Santa Claus to Jack the Ripper. On my own Facebook friend list, there are people who have entered names of fictional characters as their own, clearly violating the real name policy. I once reported a pseudonymous account that used the real name of another person. Facebook thanked me for reporting the account but also said that I will “probably not hear back” from them. The account still exists with the same name. The redundancy of the requirement lies in the fact that Facebook does not request users to upload some form identification when they register with the site but only when they suspect them to be using a pseudonym. Since Facebook also implements its policies largely only on the basis of complaints by other users or the government, the real name policy makes many political dissidents and social activists the target of abuse on the internet.

Further, Articles 21 and 22 of the ICCPR grant all humans the right to free and peaceful assembly. As governments increasingly crack down on physical assemblies of people fighting for democracy or against legislation or conditions in a country, the internet has proved to be an extremely useful tool for facilitating this assembly without forcing people to endure the wrath of governmental authorities. A large factor which has promoted the popularity of internet gatherings is the way in which powerful opinions can be voice without the fear of immediate detection. Facebook has become the coveted online space for this kind of assembly but their policies and more particularly, faulty implementation of the policies, lead to reduced flows of communication on the site.

Of course, Facebook’s fears of cyberbullying and harassment are likely to materialise if there is absolutely no check on the identity of users. A possible solution to the conflict between requiring real names to keep the community safe and still allowing individuals to be present on the network without the fear of identification by anybody would be to ask users to register with their own names but still allowing them to create a fictional name which would be the name that other Facebook users can see. Under this model, Facebook can also deal with the issue of safety through their system of reporting against other users. If a pseudonymous user has been reported by a substantial number of people for harassment or any other cause, then Facebook may either suspend the account or remove the content that is offensive. If the victim of harassment chooses to approach a judicial body, then Facebook may reveal the real name of the user so that due process may be followed. At the same time, users who utilise the website to present their views and participate in the online process of protest or contribute to free expression in any other way can do so without the fear of being detected or targeted. Safety on the site can be maintained even without forcing users to reveal their real names to the world. The system that Facebook follows currently does not help curb the presence of fake accounts and neither does it promote completely free expression on the site.

For more details visit https://cis-india.org/internet-governance/blog/facebook-and-its-aversion-to-anonymous-and-pseudonymous-speech

Eye on Mumbai

praskrishna — 2016-10-02T10:22:20Z

The feeds will be beamed to a video wall that stretches 21 feet across at the police’s command and control room.

The article by Tariq Engineer was published in Mumbai Mirror today. Sunil Abraham was quoted.

When seven bombs exploded on local trains between Khar and Borivali killing 209 people and injuring 714 in 2006, the Maharashtra police looked for CCTV footage but couldn’t find any because no cameras existed at railway stations back then.

When terrorists landed near Machimar colony in Cuffe Parade in 2008 and proceeded to slaughter hundreds of people in the city, CCTV footage was found only at the Taj and Trident hotels, Chhatrapati Shivaji Terminus and near the Times of India building. Places like Cama Hospital, Nariman House and Leopold Café were simply off the grid.

When Mumbai journalist J Dey was gunned down in Powai in 2011, the police obtained CCTV footage from a shopping centre nearby but it was so blurry, it was useless.

In each of these situations, a fully functioning high-definition CCTV system could have altered the outcome or aided the investigation in critical ways. That glaring gap in Mumbai’s security has now been filled by the Mumbai City Surveillance Project, which officially goes live today.

Over the last 20 months, a total of 4697 cameras have been installed at 1510 locations around Mumbai city. In addition to these, another 146 will survey the Bandra Kurla Complex. The tender for the project was issued in 2015 and won by a consortium led by construction major Larsen & Toubro with MTNL, CMS Computers and Infinova, which supplied the cameras, as partners.

The project is actually an outcome of the 26/11 attacks, having been recommended by the Ram Pradhan Committee, which was appointed to evaluate the city administration’s responses to the terror strike. According to Additional Chief Secretary (Home) KP Bakshi these cameras will ensure roughly 80 per cent of Mumbsi will be watched 24 hours a day, seven days a week. The city’s inhabitants will now have to be on their best behaviour.

“It was the police’s call to decide what they want to observe,” Bakshi said. “Do they want to look at the traffic or at a place where people gamble or do a lot of drinking?” The policeman in charge of selection of spots for installation of cameras was former additional commissioner of police Vasant Dhoble. Calling him a “game-changer”, one of the project managers said it was thanks to Dhoble that all the locations were surveyed in just twoand-a-half months. Dhoble was also instrumental in ensuring that the cameras were installed at the appropriate angles.

While the initial estimate was for 6,000 cameras, it was eventually determined that 4,697 were sufficient at this stage. The cameras have been placed on poles similar to street lights — 2290 of them — some with multiple cameras. “Let’s say there is a pole at Haji Ali Juice Center,” Bakshi said. “It may have three cameras — one looking towards Heera Panna, the other looking towards Mahalaxmi, the third looking towards Worli.”

The vast majority of the cameras — roughly 4200 — will be fixed and stare unblinkingly in one direction. The other 500 will be PTZ, or pan/tilt/zoom cameras, so those watching can scan an area or take a closer look at something that seems suspicious. All of the cameras can see in high definition, with visibility ranging from 50m to 120m. Some of them also have thermal imaging and night vision.

According to those involved in the project, the cameras have been built to withstand the rigours of Mumbai’s weather — specifically the heat and rain. Larsen & Toubro and CMS Computers are responsible for the maintenance of the system. Once the system is fully operational, the target is to have 99% of the cameras live at all times barring accidents. The responsibility for this lies with the service providers.

A smart system

The software that runs the cameras includes a Picture Intelligence Unit (PIU) that will conduct facial recognition analysis. If there is an image of a wanted person in the database, the program will scan the footage for matches and send a signal if it finds any. It will also send an alert if it notices a suspicious object, say one that has been left unattended for a pre-specified amount of time, so the cops can check it out. Tracking police vehicles — like you can follow the path of an Uber or Ola — is yet another feature, so if there is trouble, the nearest vehicle can be dispatched.

By Bakshi’s reckoning, if it is a small crime, then the police should be on the scene in five to ten minutes. If it is something like a bomb blast, then a Quick Response Team will be deployed, which will take a little longer – say 10 to 15 minutes.

Who will be watching you?

The feeds from these cameras will be fed to a video wall that stretches 21 feet across in a control room that has been set up in the Commissioner of Police Headquarters at Crawford Market. The footage will be monitored by about 20 observers who have been specially trained for the job.

However, a project manager said, watching the wall for more than eight minutes “would make anyone mad” because it is so chaotic. Therefore, each observer has his own workstation with three computer screens where he can only watch the feeds he has been assigned.

Entry to the control room is also strictly monitored. It requires five fingerprint access just to get in the room and a thumb print to turn individual workstations on. Mobile phones and personal effects are banned and the computers have no USB ports, so data can’t be copied.

In addition, there are viewing screens in each of the additional commissioner’s zonal offices and in all 23 police stations and roughly 200 observers will eventually be required to operate them. A project manager said he hoped to have a 60-40 or 50-50 split between male and female observers. The observers are monitored by the police, who will decide what actions to take depending on what alerts are generated.

The manpower is being provided by CMS Computers, with applicants having their resumes verified by the police. Observers will spend anywhere from four to six weeks in training before they get on the job, one of the project managers said.

Keeping the data secure

The images from the standard cameras will be stored for 90 days, while those taken with PTZ cameras will be stored for 30 days. “If you store for longer periods, it involves more cost,” Bakshi said. “We feel that if something has to be reported to us, it will be reported within 90 days.”

MTNL has set up a data centre in Worli and a disaster recovery centre in Belapur. If something goes wrong in Worli, there will still be connectivity via Belapur. Both centres have been “tied-up” to make the data as safe as possible. At the test lab at Larsen & Toubro’s project headquarters in Mallet Bunder, they even have a rodent detection device that broadcasts an ultrasonic frequency to drive away rats and stop them from chewing up the wires.

False starts

The project took some time to get off the ground because getting the details worked out was a painstaking elaborate process, former Maharashtra chief secretary ( home) Amitabh Rajan, told Mumbai Mirror. The committee wanted to make sure everything was transparent and that there were no allegations against the project. Control and security were also zealously guarded. “No compromise on security, not even cost,” Rajan said. “Like titration in chemistry, we eventually got the right concentration.”

There was also a battle between a lobby that wanted the system to be set up using dedicated fibre optic cables, and a lobby of technology providers that wanted to use wireless technology. The cops backed cables, which are not only safer but make it easy to add additional bandwidth, whereas wireless networks have limited bandwidth. It was a battle the cops would eventually win but at the cost of time.

The tender process didn’t go smoothly either. Larsen and Toubro were actually the winners of the fourth tender the Maharashtra government put forward. The first tender had to be cancelled because the winning consortium had not properly disclosed its ownership structure — one of the companies turned out to be controlled by a subsidiary of Reliance Industries. The second was cancelled when the vendor’s bank guarantee cheque of Rs 2 crore bounced and the owner disappeared. He was eventually found and arrested two years later.

The third tender received no bidders because it did not offer up-front payment for capital expenditure, according to then IT secretary Rajesh Aggarwal, who was part of the committee. It was finally on the fourth occasion, when the committee decided to offer a certain percentage of the project cost at the start and the rest over the remaining five years as maintenance fees, that a deal could be sealed.

Coordination headache

The next hurdle was coordinating the work between all the different organisations that populate Mumbai. The final total was around 35 or 40 bodies, including the Municipal Corporation of Greater Mumbai (MCGM), BEST and Reliance Power, the police, MMRDA, the Government of India and the High Court. “To explain to everyone that it is a security project and please don’t go by normal rules, you have to give concessions for all these things, all this co-ordination was a big job,” Bakshi said.

It led to delays, which is why the project had to take the extraordinary step of getting permission from the MCGM to dig up roads during the monsoon to lay the fibre-optic cables. It was the only way the project could make its deadline.

“If we had done it like a normal project, it would have taken five years,” an engineer said.

A question of privacy

Two experts in privacy issues that Mirror spoke to said that such a system is in the public interest, but safeguards must be built to prevent abuse. “If the data falls into the wrong hands, it can create havoc,” said Pavan Duggal, an expert in the field of cyber law. “Large scale surveillance of the public should not be the norm, it should be the exemption to the norm.” he said. “It can create unease and lessen the enjoyment of living in a democratic society.”

According to Sunil Abraham, director of the Centre for Internet and Society, the biggest problem is that India does not have an “omnibus privacy law”.

Instead, it has about 50 different laws across sectors and therefore privacy regulations are not consistent, which has created a legal thicket. “110 countries have passed privacy laws to European Union standards. India is really far behind,” he said.

He also listed a number of principles that he hoped the project would abide by, such as the principles of notice (CCTV cameras should be advertised as such), of openness (details of the system should be made public), security (“if you don’t have security, you can’t ensure privacy”) and of access (“we should have a right to get the footage of ourselves”). He also warned against the footage being shared between different security agencies without due process.

Additional Chief Secretary (Home) Bakshi said most of these principles were part of the system. There would be boards demarcating the CCTV cameras, the system would be publicly launched, it was being made as secure as possible and footage could be handed over depending on the circumstances. “If it is your own, then no problem,” Bakshi said. “If it is someone else’s then there are privacy issues. Is it because of criminal intent or you want to track your girlfriend’s other boyfriend to see if he is following her? These are issues. If you want yours, on merit we can give. No issue.”

Another concern Abraham raised is unique to India and the Aadhaar card, which uses biometric data as passwords, not identification. Since the CCTV cameras are high resolution, it raises the risk of someone recreating your iris or finger prints from a captured image and then “somebody could empty your Aadhaarlinked bank accounts,” Abraham said.

This is not as far-fetched as it sounds. Abraham pointed out that in 2014 a member of the Chaos Collective Club, the largest association of hackers in Europe, recreated the finger print of a German minister from a photograph they took of her hand.

“Other risks are smaller, a revealing photograph or someone trying to blackmail you,” Abraham said.

Not just for crime

The camera feed has other applications too, beginning with traffic management. An automatic number plate recognition system will be installed as well. If you look around the corner, don’t see a cop and jump a light, you could still get in trouble. “6000 [sic] police in the sky are watching you and you will get a challan sitting at home,” Aggarwal said. Other uses include tracking of encroachments by the Municipal Corporation of Greater Mumbai which will have an additional viewing centre. Also garbage disposal and other civic issues such as water logging and a subject dear to Mumbai citizens — potholes. “Somebody complains that this road has a pothole, immediately you can zoom in and see that yes, there is a pothole on this road,” Bakshi said.

There is also a provision to allow a further 103 locations to plug-in and play. For example, if the Taj Mahal Hotel wants the police to survey the hotel for a period of time, the hotel’s CCTV system can be hooked up to the main control room within 48 hours. The same goes for the airport or the railway stations.

Effect of CCTV surveillance

Worldwide the academic literature on CCTV surveillance suggests its effectiveness, especially on crime prevention, is uncertain or limited. “Post crime it really, really helps,” Aggarwal said, “but for prevention, we have to wait and watch. If it reduces sexual harassment for example, then that is priceless. Time will tell how people try to beat the system and how the system tries to catch up.”

Joint Commissioner of Police, Law and Order, Deven Bharti said he was already seeing an improvement in traffic management and in prevention and detection of crimes thanks to the 3000-plus cameras that were live when Mirror spoke to him two days ago, though he said he could not provide details. “The system is working to our satisfaction,” Bharti said.

Bakshi said the effects of the system should start showing roughly a month after the project is fully operational. “In Pune, results started being seen within a month. Once all 4700 [cameras] are live, you will start seeing the results on traffic violations, street crimes, and at general discipline level. [First] Let the people know they are under surveillance, that they are completely covered in Mumbai by CCTV.”

The total cost of the project is Rs 1008 crore. Out of this, about Rs 400 crore has already been spent. The balance will be paid out in regular installments until October 2021. At that point the Maharashtra government and Mumbai police will take complete control of the project. “We presume that in five years’ time, we will have enough trained people to run it ourselves,” Bakshi said.

For more details visit https://cis-india.org/internet-governance/news/mumbai-mirror-tariq-engineer-october-2-2016-eye-on-mumbai

Extending Aadhaar to more areas is a hare-brained idea, it should be dropped

praskrishna — 2016-08-24T03:05:01Z

News reports that the mandatory use of Aadhaar could be extended to a host of new areas are extremely disturbing. According to these reports, the Unique Identification Authority of India (UIDAI) has identified 20 new areas for which Aadhaar can be made mandatory. This includes registration of companies and NGOs, insurance, competitive examinations and property and vehicle registration.

The article by Seetha was published in First Post on August 23, 2016. CIS article by Pranesh Prakash and Amber Sinha was quoted.

If this happens, then it confirms the worst suspicions of all those who are opposed to Aadhaar – and this spans ideological divides – that it can be used to seriously compromise individual privacy.

A villager scanning fingerprint for Aadhaar. Reuters file photo

The defenders of Aadhaar – mainly the previous and current governments, the UIDAI and Nandan Nilekani, the father of the Aadhaar – have always argued that these concerns are exaggerated. They have pointed out that Aadhaar does not take any details that are not already in the public domain – name, date of birth and permanent address – and that the biometric data is not shared with any of the authorities that seek verification by Aadhaar. That data remains with the UIDAI and it only confirms that a person with a particular Aadhaar number is who he claims he is.

But Aadhaar’s opponents have argued that the extensive use of Aadhaar allows disparate bits of information to be linked and this could become a genuine concern if this hare-brained idea gets official approval.

Now, there is certainly no doubt that Aadhaar is, in the absence of anything better, the best technological tool for establishing identity. It is not entirely fool-proof – there are issues relating to the fingerprints of manual labourers and iris scan of aged people or those with cataract – a solution needs to be found for this. According to this report by the Centre for Internet and Society, there was fingerprint authentication failure in 290 of 790 ration card holders in Andhra Pradesh who did not lift rations, and there was an ID mismatch in 93 instances. These problems notwithstanding, there is no denying that Aadhaar has helped in significantly containing (perhaps not entirely eliminating) the problem of identity theft for diversion of government doles and other benefits.

So making Aadhaar compulsory for such cases is perfectly justifiable. Indeed, the Act giving legal status to Aadhaar is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Mandatory quoting of Aadhaar can even be justified in the cases where duplication or falsification of identity can be used by criminals or those who fall foul of the law. Passports, for example, can be brought under the ambit of Aadhaar. Or even driving licences. A person whose licence has been suspended for repeated traffic violations should not be allowed to get another one under the same name or an assumed name.

But why should it be mandatory for bank accounts, if an individual is not interested in getting government doles? The quoting of Aadhaar for property transactions also does not make sense. If the idea is to prevent fraudulent transactions, it will not be foolproof. A person intending to sell an already sold property or one he does not own can do so even with an Aadhaar number, since people are allowed to own more than one piece of property. What will prevent this from happening is compulsory registration and digitisation of records as well as mandatory property titling; there has been little progress on both.

When filing of income tax returns is not possible without a PAN, there is little rationale for making Aadhaar mandatory for filing returns and even for PAN. It is not clear how quoting of Aadhaar is going to help in ensuring that fly-by-night companies and NGOs do not get established.

The insistence of Aadhaar on purchase of vehicles, landline and mobile phone connections and demat accounts is seriously violative of individual privacy and has enormous potential for misuse. The Act does give the government unbridled power to access data in the name of national security. This itself is worrying, since it can allow security agencies to go an random fishing expeditions to access personal financial transactions. Making it mandatory for even buying cars and phone connections (even though it is not illegal to own more than one vehicle or telephone connection) makes it even riskier – private agencies get access to one’s Aadhaar number. Forget security agencies, even unscrupulous private persons can track an individual’s personal activities, especially financial transactions.

As it is, investigating agencies want to tap Aadhaar and biometric data at the drop of a hat. The UIDAI had to approach the Supreme Court in 2014 against a Goa High Court order ordering it to share biometric details of everyone enrolled in the state for solving a gang rape case. Even after the Supreme Court ruled in favour of UIDAI, a Kerala special investigation team wanted it to share biometric details to solve another rape case. If Aadhaar now becomes mandatory for a host of financial and other transactions, the points of potential privacy breaches only increase.

The move to extend the mandatory use of Aadhaar has to be stopped in its tracks. The mandatory use should be limited to delivery of government welfare benefits and doles (after ensuring that glitches are eliminated) and security-related services like passports. For everything else, it should be purely voluntary. There can be no compromise on this.

For more details visit https://cis-india.org/internet-governance/news/first-post-august-23-2016-seetha-extending-aadhaar-to-more-areas-is-a-hare-brained-idea-it-should-be-dropped

Explore money apps but watch your data

praskrishna — 2017-06-08T12:46:11Z

Financial apps may appear to be free but before you install them, read their privacy policies to know what you may be signing away.

The article by Shaikh Zoaib Saleem was published in Livemint on June 8, 2017. Pranesh Prakash was quoted.

With the increasing usage of smartphones and other smart devices, our use of and dependence on mobile applications also increases. These apps, while being installed on your device, ask for a lot of permissions. Most users do not take a detailed look at all the permissions being granted to any particular app’s publisher. Moreover, even fewer users look at the privacy policies and terms of use of apps, which detail how the publisher intends to utilize the data you share.

In most cases, the data collected is analysed and used for targeted marketing campaigns by the apps’ publishers, based on the users’ profiles and habits. Read more about it here: bit.ly/2q3ByA3. While this phenomena is spread across the board for all categories of apps, we take a look at the privacy policies and terms of use of the top 10 Android financial apps in India (top 10 as of June 1, according to App Annie, a mobile apps market research company based in California). The 10 apps are: PhonePe, BHIM, SBI Anywhere Personal, Kotak – 811 and Mobile Banking, JioMoney Wallet, Money View Money Manager, State Bank Buddy, Bank Balance Check, All Bank Balance Enquiry, iMobile by ICICI Bank.

Collecting information

The common theme across privacy policies of these apps is that the information is collected to enhance customer experience while using an app, respond to customer complaints and resolve disputes. Another theme is tracking consumer behaviour. For instance, PhonePe, in its privacy policy states, “We may automatically track certain information about you based upon your behaviour on our app. We use this information to do internal research on our users’ demographics, interests, and behaviour to better understand, protect and serve our users. This information is compiled and analysed on an aggregated basis.”

Similarly, the privacy policy of BHIM app says, “…once you give us your personal information, you are not anonymous to us. We may automatically track certain information about you based upon your behaviour on our app to the extent we deem fit.” It further adds that if you choose to transact on the app, then “we collect information about your transaction behaviour.” All the apps collect some or the other information like device IDs and location.

Sharing Information

The information gathered by the apps is not just used by these companies themselves, but also shared with third parties, subsidiaries, parent companies and agents of the companies. iMobile by ICICI Bank, for instance, in its privacy policy states that the bank will limit the collection and use of customer information only on a need-to-know basis to deliver better service to the customers. “ICICI Bank may use and share the information provided by the customers with its affiliates and third parties for providing services and any service-related activities such as collecting subscription fees for such services, and notifying or contacting the customers regarding any problem with, or the expiration of, such services. In this regard, it may be necessary to disclose the customer information to one or more agents and contractors of ICICI Bank and their sub-contractors, but such agents, contractors, and sub-contractors will be required to agree to use the information obtained from ICICI Bank only for these purposes,” the policy reads.

Similarly, PhonePe in its privacy policy has said that the company may share personal information with its other corporate entities and affiliates. “We and our affiliates will share/sell some or all of your personal information with another business entity should we (or our assets) plan to merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business. Should such a transaction occur that other business entity (or the new combined entity) will be required to follow this privacy policy with respect to your personal information,” it reads.

While installing, the Kotak app seeks your “irrevocable consent” to its privacy policy, which, among others things, states: “We may disclose the customer information to third parties for following, among other purposes, and will make reasonable efforts to bind them to obligation to keep the same secure and confidential and an obligation to use the information for the purpose for which the same is disclosed, and you hereby give your irrevocable consent for the same.”

JioMoney Wallet, while disclosing upfront that the publishing company and its affiliates do not sell or rent personal information to any third-party entities, also adds that the company “engages a number of vendors, consultants, contractors and takes support of our group companies or affiliates. We may provide our partners access to or share your personal information to enable them to provide the services subscribed by you.” Terms and conditions of the BHIM app state: “For the protection of both the parties, and as a tool to correct misunderstandings, the user understands, agrees and authorises NPCI, at its discretion, and without further prior notice to the user, to monitor and record any or all telephone conversations between the user(s) and NPCI only.”

It is imperative to note that most of these apps announce it upfront in their privacy policies that the policy could change anytime without prior information to the users. At the same time, it should be noted that sharing of some data is required for proper functioning of many apps. While most app publishers may not misuse the data being gathered, you should know exactly what data is being used.

Pranesh Prakash, policy director at the Centre for Internet and Society said that their research outputs show that laws to deal with misuse of personal data are very weak in India. “We need a strong privacy law to address these issues, of which we have proposed a citizens’ draft. Clearly, the prevailing situation shows that the industry is not taking enough initiative on self-regulation. At the same time, even the government isn’t taking much interest in consumer protection.”

For more details visit https://cis-india.org/internet-governance/news/livemint-june-8-2017-shaikh-zoaib-saleem-explore-money-apps-but-watch-your-data

Experts' committee moots law to protect privacy

praskrishna — 2012-10-22T10:18:34Z

In its report submitted to the Planning Commission on Thursday, the first ever experts’ group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill, has said that existing laws have created an ‘unclear regulatory regime’ which allows a state to be intrusive.

Saikat Datta's article was published in DNA on October 19, 2012

The report has been prepared by experts led by justice AP Shah, former chief justice of the Delhi high court.

In its exceptions to the proposed law on privacy, the experts’ group has recommended that national security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy. Several members of the group unsuccessfully argued to bring in the Intelligence agencies which are empowered to legally tap phones, intercept emails and conduct surveillance on citizens under the ambit of the Privacy Act.

The report, a copy of which is available with DNA, recognises that there are major differences in the existing laws that permit intrusive phone-tapping or surveillance of private citizens by the government.The group feels that “these differences have created an unclear regulatory regime that is inconsistent, non-transparent, and prone to misuse and does not provide remedy or compensation to aggrieved individuals.”

Therefore, the group has recommended that when the government conducts any intrusive surveillance like phone tapping, it must adhere to the principles of proportionality, legality and remain within the boundaries of a democratic state.

“The limitation (on tapping phones, etc) should be in proportion to the harm that has been caused or will be caused,” the report states.

Interestingly, the report also exempts the disclosure of personal or private information for journalistic or historical and scientific purposes from being curbed under the proposed Privacy Act. Interestingly, this will give journalists a legal cover from being hauled up under the proposed privacy laws when they file stories.

The government is keen to enact a privacy law quickly because of two major issues. The fallout of the leakage of the tapes of Niira Radia speaking to industry heads like Ratan Tata which led to a renewed clamour for a comprehensive Privacy Act. Ironically, anything related to phone-tapping has now been left out of the provisions of such an Act.

The other reason was the pressure from the industry that is keen to get business from abroad that deals with sensitive personal data. In the absence of any personal data protection laws, Indian companies were not getting any business from European or American firms. With this law, India can look forward to getting substantial business that involves personal data.

With this framework in mind the experts’ group has recommended that notice be given to any individual from whom personal information will be sought. With intrusive government projects like the UID or the NATGRID, the group was worried that this kind of massive data in the hands of the government could turn this into a police state.

It has also mandated that the choice and consent of the individual must be taken before collecting this information. Also, there has to be a limitation on collecting this information and anything that has been collected will use the data for only a limited purpose. A data controller should be appointed to collect, maintain and use the data under strict stipulations.

Therefore, the data controller will be made accountable for any lapse in handling or disclosure of the data. To ensure that this kind of control can be exercised, the group has suggested the appointment of privacy commissioners who will adjudicate on any matter of illegal disclosures and mete out server punishment.

Recommendations

National security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy
The limitation (on tapping phones, etc) should be in proportion to the harm caused or will be caused
Disclosure of personal or private information for journalistic or historical and scientific purposes should be exempted from being curbed under the proposed Act
Notice be given to individual from whom information has to be sought
A data controller should be appointed to collect, maintain and use the data
Privacy commissioners who will adjudicate on any matter of illegal disclosures be appointed

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/dna-india-october-19-2012-saikat-datta-experts-committee-moots-law-to-protect-privacy