Centre for Internet and Society

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

February 11: The Day We Fight Back Against Mass Surveillance

divij — 2014-02-14T06:00:05Z

The expansive surveillance being perpetuated by governments and corporations is the single biggest threat to individual liberties in the digital age.

The expanding scope and extent of massive data collection and surveillance undertaken by bodies like the USA’s National Security Agency compromises our privacy and stifles our freedom of speech and expression in its most vital public spheres, affecting the civil liberties of citizens of countries all across the world.

The previous year has been a watershed year for reclaiming the internet as a free and open space, primarily through the exposure of the unwarranted systems of surveillance that threaten it, by whistle-blowers like Edward Snowden and WikiLeaks. Despite all these efforts, they have only managed a dent in the surveillance regimes, which continue unbridled, with the protection of the state and the surveillance industry. The future of a free internet depends upon the systematic challenge of these programs by the millions of internet users they affect.

February 11, 2014 is the day we fight back against mass surveillance. Organized by the Electronic Frontier Foundation, and supported by thousand of organizations like Mozilla and the Centre for Internet and Society, on this day of action, citizens around the world will demand an end to these programs that threaten the freedom of the internet. You can support this cause by signing and supporting the 13 Principles (International Principles on the Application of Human Rights to Communications Surveillance), and contacting your local media, petitioning your local legislators and telling your friends and colleagues about the topic. Publicizing the movement and creating a buzz around it will help spread the message to many others across the internet. Do anything that will make the fight more visible and viable, such as organizing or attending public lectures, or creating tools or memes or art to spread information. For more ways in which you can contribute, and more information on the event, visit the website.

The users of the internet deserve a free and open internet and deserve and end to mass surveillance. If we can make enough noise, make enough of an impact, we can greatly bolster the movement for reclaiming the internet.

For more details visit https://cis-india.org/internet-governance/blog/the-day-we-fight-back-against-mass-surveillance

Is Bhutan selling its soul to Google?

praskrishna — 2014-01-30T12:27:33Z

Migrating Bhutan government’s communications to Google servers, allowing the United States access to confidential data, raises questions

"Bhutan’s adoption of Google Apps is a disastrous decision, and I wouldn’t advocate for it even if it were free," Pranesh Prakash, Policy Director of the Bangalore-based Centre for Internet and Society said.

He added that the project would end up tying Bhutan to a single vendor, Google, since there is no easy way to migrate from Google Apps to another system. "That means that even if in the future some other system is found to be far better than Google, the migration costs would deter the adoption of that system," said Pranesh Prakash, who is also a fellow with the Information Society Project, Yale Law School.

The article by Lucky Wangmo from Thimphu and Pema Seldon form Bangalore was published in Business Bhutan on January 25, 2014. Download Volume 5, Issue 4, NU 15 published by Business Bhutan here.

For more details visit https://cis-india.org/news/business-bhutan-vol-5-issue-4-lucky-wangmo-pema-seldon-is-bhutan-selling-its-soul-to-google

Making the Powerful Accountable

chinmayi — 2014-01-30T06:43:41Z

If powerful figures are not subjected to transparent court proceedings, the opacity in the face of a critical issue is likely to undermine public faith in the judiciary.

Chinmayi Arun's Op-ed was published in the Hindu on January 29, 2014.

It is odd indeed that the Delhi High Court seems to believe that sensational media coverage can sway the Supreme Court into prejudice against one of its own retired judges. Justice Manmohan Singh of the Delhi High Court has said in Swatanter Kumar v. Indian Express and others that the pervasive sensational media coverage of the sexual harassment allegations against the retired Supreme Court judge 'may also result in creating an atmosphere in the form of public opinion wherein a person may not be able to put forward his defence properly and his likelihood of getting fair trial would be seriously impaired.' This Delhi High court judgment has drawn upon the controversial 2011 Supreme Court judgment in Sahara India Real Estate Corp. Ltd v. SEBI (referred to as the Gag Order case here) to prohibit the media from publishing headlines connecting retired Justice Swatanter Kumar with the intern's allegations, and from publishing his photograph in connection with the allegations.

Although the Gag Order judgment was criticised at the time that it was delivered Swatanter Kumar v. Indian Express illustrates its detractors' argument more vividly that anyone could have imagined.

Sukumar Muralidharan wrote of Gag Order case that the postponement (of media coverage) order remedy that it created, could become an "instrument in the hands of wealthy and influential litigants, to subvert the course of open justice".

Here we find that although a former Supreme Court judge is pitted against a very young former intern within a system over which he once presided, Justice Manmohan Singh seems to think that it is the judge who is danger of being victimised.

The Swatanter Kumar judgment was enabled by both the Gag Order case as well as the 1966 Supreme Court judgment in Naresh Sridhar Mirajkar v. State of Maharashtra, which in combination created a process for veiling court proceedings. Naresh Mirajkar stated that courts' inherent powers extend to barring media reports and comments on ongoing trials in the interests of justice, and that such powers do not violate the right to freedom of speech; and the Gag Order case created an instrument - the 'postponement order' - for litigants, such that they can have media reports of a pending case restricted. The manner in which this is used in the Swatanter Kumar judgment raises very worrying questions about how the judiciary views the boundaries of the right to freedom of expression, particularly in the context of reporting court proceedings.

Broad power to restrict reporting

The Gag Order case was problematic: it used arguments for legitimate restraints on media reporting in exceptional circumstances, to permit restrictions on media reporting of court proceedings under circumstances 'where there is a real and substantial risk of prejudice to fairness of the trial or to proper administration of justice'. The Supreme Court refused to narrow this or clarify what publications would fall within this category. It merely stated that this would depend on the content and context of the offending publication, and that no 'straightjacket formula' could be created to enumerate these categories. This leaves higher judiciary with a broad discretionary power to decide what amounts to
legitimate restraints on media reporting, using an ambiguous standard. Exercise of this power to veil proceedings involving powerful public figures whose actions have public implications, imperils openness and transparency when they are most critical.

Court proceedings are usually open to the public. This openness serves as a check on the judiciary, and ensures public faith in the judiciary. In countries as large as ours, media coverage of important cases ensures actual openness of court proceedings - we are able to follow the arguments made by petitioners who ask that homosexuality be decriminalised, the trial of suspected terrorists and alleged murderers, and the manner in which our legal system handles sexual harassment complaints filed by young women.

When court proceedings are closed to the public (known as 'in-camera' trials) or when media dissemination of information about them is restricted, the openness and transparency of court proceedings is compromised. Such compromise of transparency does take place in many countries, to protect the rights of the parties involved, or prevent miscarriage of justice. For example, child-participants are protected by holding trials in-camera; names of parties to court proceedings are withheld to protect their privacy sometimes; and in countries where juries determine guilt, news coverage that may prejudice the jury is also restricted.

The damage done

Although the Supreme Court stated in principle that the openness of court proceedings should only be restricted where strictly necessary, this appears to lend itself to very varied interpretation. For example, it is very difficult for some of us to understand why it was strictly necessary to restrict media coverage of sexual harassment proceedings in the Swatanter Kumar case. J. Manmohan Singh on the other hand seems to believe that the adverse public opinion will affect the retired judge's chance of getting a fair trial. His judgment also seems to indicate his concern that the sensational headlines will impact the public confidence in the Supreme Court.

The Delhi High Court's apprehension about the effects of the newspaper coverage on the reputation of the judge did not need to translate into a prior restraint on media coverage. They may better have been addressed later, by evaluating a defamation claim pertaining to published material. The larger concerns about the reputation of the judiciary are better addressed by openness: if powerful public figures, especially those with as much influence as a former Supreme Court judge are not subjected to transparent court proceedings, the opacity in the face of such a critical issue is likely to undermine public faith in the judiciary as an institution.Such opacity undermines the purpose of open courts. It is much worse for the reputation of the judiciary than publicised complaints about individual judges.

Since the Delhi High Court ruling, there has been little media coverage of the sexual harassment case. Suppression of media coverage leaves the young woman comparatively isolated. Wide coverage of the harassment complaint involving Justice Ganguly, helped the intern in that case find support. The circulation of information enabled other former interns as well as a larger network of lawyers and activists, reach out to her. This is apart from the general pressure to be fair that arises when a case is being followed closely by the public. Media coverage is often critical to whether someone relatively powerless is able to assert her rights against a very powerful person. This is why media freedom is sacred to democracies.

If the Supreme Court was confident that the high courts in India would use their broad discretionary power under the Gag Order case sparingly and only in the interests of justice, the Swatanter Kumar case should offer it grounds to reconsider. Openness and freedom of expression are not meant to be diluted to protect the powerful - they exist precisely to ensure that even the powerful are held accountable by state systems that they might otherwise be able to sway.

(Chinmayi Arun is research director, Centre for Communication Governance, National Law University, Delhi, and fellow, Centre for Internet and Society, Bangalore.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-january-29-2014-chinmayi-arun-making-the-powerful-accountable

TACTIS Symposium 2014

praskrishna — 2014-02-04T07:32:01Z

Tata Consultancy organized the TACTIS Symposium at TCS Siruseri, Chennai on January 28 and 29, 2014. Sunil Abraham participated in the event and gave the key note address.

Click to download the event brochure here

For more details visit https://cis-india.org/news/data-privacy-day-chenna-2014

Data Privacy Day 2014

praskrishna — 2014-02-04T05:34:59Z

January 28 is annually celebrated as Data Privacy Day (DPD). Data Security Council of India (DSCI) organized the annual meeting J N Tata Hall, Bldg 1, Infosys Campus, Infosys Ltd., Electronics City, Bangalore. Elonnai Hickok was a panelist.

Programme Details

2:30 - 3:00 p.m.: Keynote address by Srinath Batni, Member of the Board, Infosys
3:00 - 4:30 p.m.: Panel Discussion on "Privacy today and tomorrow in Indian and Global Context"

Panelists:

M D Sharath, Deputy Superintendent of Police, Cyber Crimes Division, CID Headquarters, Karnataka Police
Srinivas Poosarla, Associate Vice President and Head (Global), Privacy & Data Protection, Infosys Ltd
Joshi Joseph, Senior Information Risk Manager, ING Vyasa Bank
Na.Vijayashankar (Naavi), Information Assurance Consultant
Elonnai Hickok, Policy & Advocacy Associate, Centre for Internet & Society (CIS)

IT Product / Internet services company

Panel will be moderated by Rahul Jain, Principal Consultant, DSCI

4:30- 5:00 p.m.: Presentation on Privacy by Rahul Jain, Principal Consultant, DSCI
5:00- 5:30 p.m.: High Tea

For more info on the event see here.

For more details visit https://cis-india.org/news/data-privacy-day-2014

Surveillance and the Indian Constitution - Part 2: Gobind and the Compelling State Interest Test

pranesh — 2014-01-27T18:03:38Z

Gautam Bhatia analyses the first case in which the Supreme Court recognized a constitutional right to privacy, Gobind v. State of Madhya Pradesh, and argues that the holding in that case adopted the three-pronged American test of strict scrutiny, compelling State interest, and narrow tailoring in its approach to privacy violations.

After its judgment in Kharak Singh, the Court was not concerned with the privacy question for a while. The next case that dealt – peripherally – with the issue came eleven years later. In R.M. Malkani v State of Maharashtra, the Court held that attaching a recording device to a person’s telephone did not violate S. 25 of the Telegraph Act, because

"where a person talking on the telephone allows another person to record it or to hear it, it can-not be said that the other person who is allowed to do so is damaging, removing, tampering, touching machinery battery line or post for intercepting or acquainting himself with the contents of any message. There was no element of coercion or compulsion in attaching the tape recorder to the telephone."

Although this case was primarily about the admissibility of evidence, the Court also took time out to consider – and reject – a privacy-based Article 21 argument, holding that:

"Article 21 was invoked by submitting that the privacy of the appellant’s conversation was invaded. Article 21 contemplates procedure established by law with regard to deprivation of life or personal liberty. The telephonic conversation of an innocent citizen will be protected by Courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants. It must not be understood that the Courts will tolerate safeguards for the protection of the citizen to be imperiled by permitting the police to proceed by unlawful or irregular methods."

Apart from the fact that it joined Kharak Singh in refusing to expressly find a privacy right within the contours of Article 21, there is something else that unites Kharak Singh and R.M. Malkani: they hypothetical in Kharak Singh became a reality in Malkani – what saved the telephone tapping precisely because it was directed at "… a guilty person", with the Court specifically holding that the laws were not for targeting innocent people. Once again, then, the targeted and specific nature of interception became a crucial – and in this case, a decisive – factor. One year later, in another search and seizure case, Pooran Mal v Inspector, the Court cited M.P. Sharma and stuck to its guns, refusing to incorporate the Fourth Amendment into Indian Constitutional law.

It is Gobind v State of MP, decided in 1975, that marks the watershed moment for Indian privacy law in the Constitution. Like Kharak Singh, Gobind also involved domiciliary visits to the house of a history-sheeter. Unlike Kharak Singh, however, in Gobind the Court found that the Regulations did have statutory backing – S. 46(2)(c) of the Police Act, which allowed State Government to make notifications giving effect to the provisions of the Act, one of which was the prevention of commission of offences. The surveillance provisions in the impugned regulations, according to the Court, were indeed for the purpose of preventing offences, since they were specifically aimed at repeat offenders. To that extent, then, the Court found that there existed a valid “law” for the purposes of Articles 19 and 21.

By this time, of course, American constitutional law had moved forward significantly from eleven years ago, when Kharak Singh had been decided. The Court was able to invoke Griswold v Connecticut and Roe v Wade, both of which had found a "privacy" as an "interstitial" or "penumbral" right in the American Constitution – that is, not reducible to any one provision, but implicit in a number of separate provisions taken together. The Court ran together a number of American authorities, referred to Locke and Kant, to dignity, to liberty and to autonomy, and ended by holding, somewhat confusingly:

“the right to privacy must encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing. This catalogue approach to the question is obviously not as instructive as it does not give analytical picture of that distinctive characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as unifying principle underlying the concept has been the assertion that a claimed right must be a fundamental right implicit in the concept of ordered liberty… there are two possible theories for protecting privacy of home. The first is that activities in the home harm others only to the extent that they cause offence resulting from the mere thought that individuals might he engaging in such activities and that such ‘harm’ is not Constitutionally protective by the state. The second is that individuals need a place of sanctuary where they can be free from societal control. The importance of such a sanctuary is that individuals can drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves, an image that may reflect the values of their peers rather than the realities of their natures… the right to privacy in any event will necessarily have to go through a process of case-by-case development."

But if no clear principle emerges out of the Court’s elucidation of the right, it was fairly unambiguous in stressing the importance of the right itself. Interestingly, it grounded the right within the context of the freedom struggle. "Our founding fathers," it observed, "were thoroughly opposed to a Police Raj even as our history of the struggle for freedom has borne eloquent testimony to it." (Para 30) The parallels to the American Fourth Amendment are striking here: in his historical analysis Akhil Amar tells us that the Fourth Amendment was meant precisely to avoid the various abuses of unreasonable searches and seizures that were common in England at the time.

The parallels with the United States become even more pronounced, however, when the Court examined the grounds for limiting the right to privacy. "Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right, that fundamental right must be subject to restriction on the basis of compelling public interest." "Compelling public interest" is an interesting phrase, for two reasons. First, “public interest” is a ground for fundamental rights restrictions under Article 19 (see, e.g., Article 19(6)), but the text of the Article 19 restrictions do not use – and the Court, in interpreting them, has not held – that the public interest must be “compelling”. This suggests a stricter standard of review for an Article 21 privacy right violation than Article 19 violations. This is buttressed by the fact that in the same paragraph, the Court ended by observing: “even if it be assumed that Article 19(5) [restrictions upon the freedom of movement] does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.” The Court echoes the language of 19(5), and adds the word “compelling”. This surely cannot be an oversight.

More importantly – the compelling State interest is an American test, used often in equal protection cases and cases of discrimination, where “suspect classes” (such as race) are at issue. Because of the importance of the right at issue, the compelling state interest test goes hand-in-hand with another test: narrow tailoring. Narrow tailoring places a burden upon the State to demonstrate that its restriction is tailored in a manner that infringes the right as narrowest manner that is possible to achieve its goals. The statement of the rule may be found in the American Supreme Court case of Grutter v Bollinger:

"Even in the limited circumstance when drawing racial distinctions is permissible to further a compelling state interest, government is still constrained under equal protection clause in how it may pursue that end: the means chosen to accomplish the government’s asserted purpose must be specifically and narrowly framed to accomplish that purpose."

To take an extremely trivial example that will illustrate the point: the State wants to ban hate speech against Dalits. It passes legislation that bans “all speech that disrespects Dalits.” This is not narrowly tailored, because while all hate speech against Dalits necessarily disrespects them, all speech that disrespects Dalits is not necessarily hate speech. It was possible for the government to pass legislation banning only hate speech against Dalits, one that would have infringed upon free speech more narrowly than the “disrespect law”, and still achieved its goals. The law is not narrowly tailored.

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring flip side of the compelling state interest coin. On the constitutionality of the Police Regulations itself, it upheld their constitutionality by reading them narrowly. Here is what the Court said:

“Regulation 855, in our view, empowers surveillance only of persons against whom reasonable materials exist to induce the opinion that they show a determination, to lead a life of crime – crime in this context being confined to such as involve public peace or security only and if they are dangerous security risks. Mere convictions in criminal cases where nothing gravely imperiling safety of society cannot be regarded as warranting surveillance under this Regulation. Similarly, domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security and not routine follow-up at the end of a conviction or release from prison or at the whim of a police officer.”

But Regulation 855 did not refer to the gravity of the crime at all. Thus, the Court was able to uphold its constitutionality only by narrowing its scope in a manner that the State’s objective of securing public safety was met in a way that minimally infringed the right to privacy.

Therefore, whether the Gobind bench was aware of it or not, its holding incorporates into Indian constitutional law and the right to privacy, not just the compelling State interest test, but narrow tailoring as well. The implications for the CMS are obvious. Because with narrow tailoring, the State must demonstrate that bulk surveillance of all individuals, whether guilty or innocent, suspected of crimes or not suspected of crimes (whether reasonably or otherwise), possessing a past criminal record or not, speaking to each other of breaking up the government or breaking up a relationship – every bit of data must be collected to achieve the goal of maintaining public security, and that nothing narrower will suffice. Can the State demonstrate this? I do not think it can, but at the very least, it should be made to do so in open Court.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-2

Interview with Mathew Thomas from the Say No to UID campaign - UID Court Cases

maria — 2014-01-27T12:47:49Z

The Centre for Internet and Society (CIS) recently interviewed Mathew Thomas from the Say No to UID campaign about his ongoing efforts to challenge the UID scheme legally in the Bangalore High Court and Supreme Court of India. Read this interview and gain an interesting insight on recent legal developments with regards to the UID!

Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?

In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.

In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.

In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.

As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did not deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.

However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I did have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !

In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.

And how did the case continue thereafter?

In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.

Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!

Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.

Have there been any other recent court cases against the UID?

Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.

Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.

Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.

So what is the status of your pending court cases?

Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign

EU parliament report slams US surveillance

praskrishna — 2014-02-03T06:13:55Z

Report that outlines need for stringent laws for protecting citizen privacy, democratizing Internet governance holds lessons for India, say analysts.

The article by Moulishree Srivastava and Elizabeth Roche quotes Sunil Abraham. It was published in Livemint on January 17, 2014.

A European Union (EU) parliament report that outlines the need for stringent laws for protecting citizen privacy, democratizing Internet governance and rebuilding trust between Europe and the US holds many lessons for India, analysts and policymakers say.

The US government listened into Indian communications as part of its massive global surveillance, which was exposed last year in leaks to the media. The embassies of France, Italy, Greece, Japan, Mexico, South Korea and Turkey were also subjected to the surveillance put in place after the September 2001 terrorist attacks. According to the external affairs ministry, India has registered its protest at least thrice over the issue with US authorities.

A draft report on the US National Security Agency’s surveillance programme by the European parliament’s committee on civil liberties, justice and home affairs states that trust between the two transatlantic partners, trust among EU member-states, and trust between citizens and their governments were profoundly shaken because of the spying, and to rebuild trust in all these dimensions a comprehensive plan was urgently needed.

"It is very doubtful that data collection of such magnitude is only guided by the fight against terrorism, as it involves the collection of all possible data of all citizens; points therefore to the possible existence of other power motives such as political and economic espionage," says the report.

The report recommends prohibiting blanket mass surveillance activities and bulk processing of personal data, and asks EU member-states, including the UK, Germany, France, Sweden and the Netherlands, to revise their national legislation and practices governing the activities of intelligence services to ensure that they are in line with the standards of the European Convention on Human Rights.

It also calls on the US to revise its legislation without delay in order to bring it in line with international law, recognizing privacy and other rights as well as providing for judicial redress for EU citizens.

"The American approach to privacy regulation has been deeply flawed. The US dominance over the Internet affects the structure and substance of Internet governance and among other human rights, the right to privacy," said Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based not-for-profit research organization. "The (EU) report, if implemented, may change the future of Internet governance by deepening the existing leadership provided by the EU in promoting their privacy standards globally."

On India’s rather restrained reaction to the spying, he said, “It is a tragedy that our politicians are not as proactive when it comes to protecting our rights. While India has only focused on changing its official email policy after the revelations of mass surveillance, it has done nothing as concrete and comprehensive as EU."

"There is neither the recognition of (the) pervasive nature of global mass surveillance, nor is there full appreciation (of) the damaging consequences," Abraham added.

J. Satyanarayana, secretary in India’s department of electronics and information technology, said the concerns over privacy are the same for India as for the EU, but declined to comment on what preventive steps the government is implementing due to security reasons. The EU report called for concluding the EU-US umbrella pact, a framework agreement on data protection in the field of police and judicial cooperation, to ensure proper redress mechanisms for EU citizens in the event of data transfers from the EU to the US for law enforcement purposes. The report asks EU policymakers not to initiate any new sectoral agreements or arrangements for the transfer of personal data for law enforcement purposes and suggests suspending the terrorist finance tracking programme until the umbrella agreement negotiations are concluded.

"EU wants to use EU-US umbrella agreement...to raise the US standards, to ensure the rights of EU citizens and perhaps all the citizens. All humans will need protection under US law as is currently the case in the EU,” said Abraham. “The prohibition of blanket surveillance that the report recommends will hopefully apply to all citizens regardless of their nationality."

The draft report goes as far as suggesting suspending Safe Harbour, the legal instrument used for the transfer of EU personal data to the US through Google, Microsoft, Yahoo, Facebook, Apple and LinkedIn, until a full review has been conducted and current loopholes are plugged. The report’s proposals and recommendations are likely to be implemented after election to the European parliament in May.

In addition to reforms in the existing systems, the report outlines the importance of development of European clouds as it notes that trust in US cloud computing and cloud services providers has been affected by the surveillance practices.

"Three of the major computerized reservation systems used by airlines worldwide are based in the US and that PNR (passenger name record) data are saved in cloud systems operating on US soil under US law...lacks data protection adequacy," states the report.

C.U. Bhaskar, analyst with the South Asia Monitor think tank, was of the view that India had “adequately” responded to the US through quiet diplomacy.

"It is unlikely that the US will give up cyber surveillance,” he said, adding, “We should acquire our own capacity to ensure adequate defensive and offensive firewalls and build up appropriate capacity for our cyber programmes."

"Given our expertise in the IT (information technology) sector, as an analyst my opinion is that we have a reasonable capacity to build up our capabilities," Bhaskar added.

For more details visit https://cis-india.org/news/livemint-january-17-2014-moulishree-srivastava-elizabeth-roche-eu-parliament-slams-us-surveillance

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns

Surveillance and the Indian Constitution - Part 1: Foundations

pranesh — 2014-01-23T15:12:30Z

In this insightful seven-part series, Gautam Bhatia looks at surveillance and the right to privacy in India from a constitutional perspective, tracing its genealogy through Supreme Court case law and compares it with the law in the USA.

Note: This was originally posted on the Indian Constitutional Law and Philosophy blog.

On previous occasions, we have discussed the ongoing litigation in ACLU v. Clapper in the United States, a challenge to the constitutionality of the National Security Agency’s (NSA) bulk surveillance program. Recall that a short while after the initial Edward Snowden disclosures, The Hindu revealed the extent of domestic surveillance in India, under the aegis of the Central Monitoring System (CMS). The CMS (and what it does) is excellently summarized here. To put thing starkly and briefly:

“With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.”

The CMS is not sanctioned by parliamentary legislation. It also raises serious privacy concerns. In order to understand the constitutional implications, therefore, we need to investigate Indian privacy jurisprudence. In a series of posts, we plan to discuss that.

Privacy is not mentioned in the Constitution. It plays no part in the Constituent Assembly Debates. The place of the right – if it exists – must therefore be located within the structure of the Constitution, as fleshed out by judicial decisions. The first case to address the issue was M. P. Sharma v. Satish Chandra, in 1954. In that case, the Court upheld search and seizure in the following terms:

"A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right. by some process of strained construction."

The right in question was 19(1)(f) – the right to property. Notice here that the Court did not reject a right to privacy altogether – it only rejected it in the context of searches and seizures for documents, the specific prohibition of the American Fourth Amendment (that has no analogue in India). This specific position, however, would not last too long, and was undermined by the very next case to consider this question, Kharak Singh.

In Kharak Singh v. State of UP, the UP Police Regulations conferred surveillance power upon certain “history sheeters” – that is, those charged (though not necessarily convicted) of a crime. These surveillance powers included secret picketing of the suspect’s house, domiciliary visits at night, enquiries into his habits and associations, and reporting and verifying his movements. These were challenged on Article 19(1)(d) (freedom of movement) and Article 21 (personal liberty) grounds. It is the second ground that particularly concerns us.

As a preliminary matter, we may observe that the Regulations in question were administrative – that is, they did not constitute a “law”, passed by the legislature. This automatically ruled out a 19(2) – 19(6) defence, and a 21 “procedure established by law” defence – which were only applicable when the State made a law. The reason for this is obvious: fundamental rights are extremely important. If one is to limit them, then that judgment must be made by a competent legislature, acting through the proper, deliberative channels of lawmaking – and not by mere administrative or executive action. Consequently – and this is quite apart from the question of administrative/executive competence - if the Police Regulations were found to violate Article 19 or Article 21, that made them ipso facto void, without the exceptions kicking in. (Paragraph 5)

It is also important to note one other thing: as a defence, it was expressly argued by the State that the police action was reasonable and in the interests of maintaining public order precisely because it was “directed only against those who were on proper grounds suspected to be of proved anti-social habits and tendencies and on whom it was necessary to impose some restraints for the protection of society.” The Court agreed, observing that this would have “an overwhelming and even decisive weight in establishing that the classification was rational and that the restrictions were reasonable and designed to preserve public order by suitable preventive action” – if there had been a law in the first place, which there wasn’t. Thus, this issue itself was hypothetical, but what is crucial to note is that the State argued – and the Court endorsed – the basic idea that what makes surveillance reasonable under Article 19 is the very fact that it is targeted – targeted at individuals who are specifically suspected of being a threat to society because of a history of criminality.

Let us now move to the merits. The Court upheld secret picketing on the ground that it could not affect the petitioner’s freedom of movement since it was, well secret – and what you don’t know, apparently, cannot hurt you. What the Court found fault with was the intrusion into the petitioner’s dwelling, and knocking at his door late at night to wake him up. The finding required the Court to interpret the meaning of the term “personal liberty” in Article 21. By contrasting the very specific rights listed in Article 21, the Court held that:

“Is then the word “personal liberty” to be construed as excluding from its purview an invasion on the part of the police of the sanctity of a man’s home and an intrusion into his personal security and his right to sleep which is the normal comfort and a dire necessity for human existence even as an animal? It might not be inappropriate to refer here to the words of the preamble to the Constitution that it is designed to “assure the dignity of the individual” and therefore of those cherished human value as the means of ensuring his full development and evolution. We are referring to these objectives of the framers merely to draw attention to the concepts underlying the constitution which would point to such vital words as “personal liberty” having to be construed in a reasonable manner and to be attributed that these which would promote and achieve those objectives and by no means to stretch the meaning of the phrase to square with any preconceived notions or doctrinaire constitutional theories.” (Paragraph 16)

A few important observations need to be made about this paragraph. The first is that it immediately follows the Court’s examination of the American Fifth and Fourteenth Amendments, with their guarantees of “life, liberty and property…” and is, in turn, followed by the Court’s examination of the American Fourth Amendment, which guarantees the protection of a person’s houses, papers, effects etc from unreasonable searches and seizures. The Court’s engagement with the Fourth Amendment is ambiguous. It admits that “our Constitution contains no like guarantee…”, but holds that nonetheless “these extracts [from the 1949 case, Wolf v Colorado] would show that an unauthorised intrusion into a person’s home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man – an ultimate essential of ordered liberty”, thus tying its own holding in some way to the American Fourth Amendment jurisprudence. But here’s the crucial thing: at this point, American Fourth Amendment jurisprudence was propertarian based – that is, the Fourth Amendment was understood to codify – with added protection – the common law of trespass, whereby a man’s property was held sacrosanct, and not open to be trespassed against. Four years later, in 1967, in Katz, the Supreme Court would shift its own jurisprudence, to holding that the Fourth Amendment protected zones where persons had a “reasonable expectation of privacy”, as opposed to simply protecting listed items of property (homes, papers, effects etc). Kharak Singh was handed down before Katz. Yet the quoted paragraph expressly shows that the Court anticipated Katz, and in expressly grounding the Article 21 personal liberty right within the meaning of dignity, utterly rejected the propertarian-tresspass foundations that it might have had. To use a phrase invoked by later Courts – in this proto-privacy case, the Court already set the tone by holding it to attach to persons, not places.

While effectively finding a right to privacy in the Constitution, the Court expressly declined to frame it that way. In examining police action which involved tracking a person’s location, association and movements, the Court upheld it, holding that “the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

The “therefore” is crucial. Although not expressly, the Court virtually holds, in terms, that tracking location, association and movements does violate privacy, and only finds that constitutional because there is no guaranteed right to privacy within the Constitution. Yet.

In his partly concurring and partly dissenting opinion, Subba Rao J. went one further, by holding that the idea of privacy was, in fact, contained within the meaning of Article 21: “it is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” Privacy he defined as the right to “be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures.” On this ground, he held all the surveillance measures unconstitutional.

Justice Subba Rao’s opinion also explored a proto-version of the chilling effect. Placing specific attention upon the word “freely” contained within 19(1)(d)’s guarantee of free movment, Justice Subba Rao went specifically against the majority, and observed:

“The freedom of movement in clause (d) therefore must be a movement in a free country, i.e., in a country where he can do whatever he likes, speak to whomsoever he wants, meet people of his own choice without any apprehension, subject of course to the law of social control. The petitioner under the shadow of surveillance is certainly deprived of this freedom. He can move physically, but he cannot do so freely, for all his activities are watched and noted. The shroud of surveillance cast upon him perforce engender inhibitions in him and he cannot act freely as he would like to do. We would, therefore, hold that the entire Regulation 236 offends also Art. 19(1)(d) of the Constitution.”

This early case, therefore, has all the aspects that plague the CMS today. What to do with administrative action that does not have the sanction of law? What role does targeting play in reasonableness – assuming there is a law? What is the philosophical basis for the implicit right to privacy within the meaning of Article 21’s guarantee of personal liberty? And is the chilling effect a valid constitutional concern?

We shall continue with the development of the jurisprudence in the next post.

You can follow Gautam Bhatia on Twitter

For more details visit https://cis-india.org/internet-governance/blog/surveillance-and-the-indian-consitution-part-1

Election panel rejects Google’s proposal for electoral services tie-up

praskrishna — 2014-01-31T08:58:01Z

EC had earlier signed a non-disclosure agreement with Google but had not shared or handed over any data to the Internet giant so far.

The article by Anuja and Moulishree Srivastava was published in Livemint on January 9, 2014. Lawrence Liang is quoted.

The Election Commission (EC) on Thursday rejected a proposal by Internet search engine operator Google Inc. to provide electoral information services to EC ahead of the general election due later this year. Google’s proposal, made earlier this week, was criticized by experts and political parties on the grounds of security.

Google, which deals with Internet-related services and products, had made a presentation at EC where it proposed to deliver voter facilitation services through a tie-up with the Commission.

“Google made a presentation to the Commission for electoral hook up services for citizens to help in efforts of the Commission for better electoral information services. However, after due consideration, the Commission has decided not to pursue the proposal any further,” EC said in a statement.

Its decision came at a meeting of senior EC officials on Thursday, called to discuss the proposal. Security was one of the main issues before it.

“Security and controlling the data were the main points which were considered. By ways of such a tie-up all the data would have been up for access. It was always a question of whether Indian laws would apply to it or not, so we decided against it,” a senior official from EC said.

PTI reported that the meeting was attended by the chief election commissioner V.S. Sampath and election commissioners H.S. Brahma and S. N. A. Zaidi.

The Times of India in a report on Sunday said there were concerns over the EC move to tie up with Google for voter registration.

EC had earlier signed a non-disclosure agreement with Google but it had not shared any data with it. The move was criticised by the ruling Congress party as well as the main opposition Bharatiya Janata Party. The legal cell of the Congress had written to EC raising concerns over national security and asking whether the tie-up would affect the electoral process. The BJP’s complaint was that stakeholders, including political parties, should have been consulted.

Experts say that in the event of such a tie-up, concerns about protection of privacy would have outweighed national security fears.

“The concern is not so much about national security as it is about privacy issues. This kind of database is too important and too powerful to be controlled by a private company. There have been too many instances of this kind of data being skewed and riots happening during the election process. Privately owned databases could lead to potential misuse of the data,” said Lawrence Liang, co-founder of Alternative Law Forum and chairman of the board at the Bangalore-based Centre for Internet and Society.

“It is not a question of how and what service Google could have provided for elections, but how the state can bring itself to provide that kind of service,” he said.

In the US, when George W. Bush was re-elected president in 2004, the company that manufactured the voting machines was accused of rigging the polls, Liang added.

Google called the EC’s rejection “unfortunate”, pointing out that the company has already helped governments with such services in countries like the Philippines, Egypt, Mexico and Kenya.

“It is unfortunate that our discussions with the Election Commission of India to change the way users access their electoral information, that is publicly available, through an online voter look up tool, were not fruitful,” Google said in a statement.

“Google will continue to develop tools and resources to make civic information universally accessible and useful, help drive more informed citizen participation, and open up new avenues for engagement for politicians, citizens, and civic leaders,” it added.

For more details visit https://cis-india.org/news/livemint-january-31-2014-anuja-moulishree-srivastava-election-panel-rejects-google-proposal-for-electoral-services-tie-up

Worldwide: International Privacy - 2013 Year in Review - Asia

praskrishna — 2014-01-31T08:44:20Z

Asian Data Privacy Updates

The article by Gonzalo S. Zeballos, James A. Sherer and Alan M. Pate was published in Mondaq's yearly review on January 8, 2014.

China

China's Personal Information Protection Law Proposal was submitted to the State Council in 2008, which was followed by the Ministry of Industry and Information Technology's non-binding Internet Information Services Market Order Provisions of 2011. However, little direct progress was made until the standing committee of the National People's Congress (NPC) introduced its Decision on Strengthening Internet Information Protection (the Decision) on December 28, 2012. Echoing Directive 95/46/EC in the EU by stipulating that the collection and use of information will be "legitimate, proper, and necessary," the Decision seeks to protect network information security; the lawful interest of citizens, legal persons, and other organizations; and safeguard China's security and social order through its Articles.

he Decision's first Article states that "[n]o organization or individual may steal or obtain in other illegal manners [ ] citizens' individual electronic information, sell or illegally provide citizens' individual electronic information to other persons." Instruction to Internet Service Providers (ISPs) continues, where providers must, among other activities:

Clearly indicate the purposes, methods, and scope of collection and use of citizens' data;
Obtain agreement from citizens before collecting their data;
Publicize rules for the collection and use of personal data;
Preserve the secrecy of collected data;
Not divulge, distort, or damage the data;
Refrain from selling or otherwise illegally providing the data to others; and
Adopt technical measures and other methods to ensure information security and prevent damage to or loss of the data.

Among the provisions of the Decision is Article Six, specifically directed at network service providers, whereby users of the services must "provide real identity information" prior to "website access," "fixed telephone, mobile telephone," "other surfing formalities," or "information publication services." In response to criticism that Article Six would be used to discourage whistleblowers and other Chinese dissention, the government-sponsored Xinhua News Agency argued that the Decision "will help, rather than harm, the country's netizens."

Japan

On May 24, 2013, the LDP-led ruling coalition directed the passage of the "Common Number" Bill through both Diet chambers. The Common Number Bill plans to assign every Japanese resident, including mid-to-long-stay foreigners and special permanent residents, a personal identification number beginning in January 2016. Additionally, a portal site through which people can check their social security records and other information via the Internet is planned for 2017. The numbering system was originally proposed in 2009, but remained quiescent until the LDP-New Komeito ruling coalition mustered sufficient support based, in part, on a philosophical foundation for fair social welfare and tax systems.

To oversee some aspects of the ID system, a third-party independent committee with independent authority will oversee allegations of data mishandling by public officials. Those who leak or illegally commercialize ID information will face up to four years in prison or a ¥2 million fine. While the use of a single number system has raised some concerns, including the potential for "forcible data-matching," the government push for support has focused on efficiencies in administration and easier detection of tax evasion and welfare fraud.

Malaysia

On November 15, 2013, the Personal Data Protection Act (PDPA) of 2010 was entered into force, introducing an omnibus privacy regime in Malaysia for the first time. This new regulation carries a host of requirements, including registration with the Personal Data Protection Department of Malaysia (PDPD) for a number of industries, including (among others) banking and financial institutions. The PDPA also includes the threat of severe consequences for non-compliance, including "fines for companies and/or fines and imprisonment for directors and officers of the company."

Khazaksthan

On November 26, 2013, Kazakhstani Law No. 94-V on Personal Data and its Protection came into force, defining such concepts as "personal data" among others, but left some ambiguity in how data might be transferred and/or stored internationally. It also contained a number of limitations: Law No. 94-V does not extend to the collection of personal data for personal and family needs; the use of information for the Kazakhstani National Archive; the collection, processing, and protection of personal data related to Kazakhstani state secrets; or the use of information related to intelligence, counter-intelligence, and criminal activities, within legal limits.

South Korea

Article 16 of South Korea's Personal Information Protection Act (effective September 30, 2011) was amended on August 6, 2013 to incorporate an affirmative obligation on the part of a personal information processor, requiring notification to data subjects that data subjects may deny consent for the collection of any personal information other than for any purposes under Article 15(1). This continues South Korea's stringent efforts to promote data privacy, and provides another instance of South Korea's articulation of a minimum data collection regime.

Singapore

Singapore's Personal Data Protection Act (PDPA), passed in 2012, went into effect on January 2, 2013, the same day Singapore's Personal Data Protection Commission (PDPC) was established; some portion of PDPA does not come into full effect until July 2, 2014. The PDPC followed-up the implementation of the PDPA with a further guidance note on September 24, 2013 which, among other topics, gave direction to organizations regarding notification requirements for the collection, use, or disclosure of personal data as well as the anonymization of personal data. This guidance outlined the use of 'cookies' for internet user's online activity, distinguishing in part between active consent on one hand, and "the mere failure of an individual to actively manage his browser settings" on the other.

Hong Kong

Revisions to Hong Kong's Personal Data (Privacy) Ordinance – Code of Practice on Consumer Credit Data – took effect on April 1, 2013. These revisions require consent prior to the use of personal data in the context of targeted, direct advertising, and instruct individuals that, while direct marketers must notify individuals of their opt-out right prior to using personal data for the first time, individuals may choose to opt out at any time at no cost to the individual opting out. The Ordinance also provides for the following penalties: if "the transfer of personal data to third parties [is] for gain, the maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years. For other direct marketing contraventions, the maximum penalty is a fine of HK$500,000 and imprisonment for 3 years."

India

While India currently adheres to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions of the Rules, with a focus on protection of personal data through limitations on use and requirements for notice. The collection of personal data would be prohibited unless "necessary for the achievement of a purpose of the person seeking its collection," and, subject to sections 6 and 7 of the Bill, "no personal data may be collected under this Act prior to the data subject being given notice, in such form and manner as may be prescribed, of the collection." The Bill acknowledges the collection of data with and without consent; the regulation of personal data storage, processing, transfer, and security; and discusses the different types of disclosure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For more details visit https://cis-india.org/news/mondaq-january-8-2014-gonzalo-s-zeballos-james-a-sherer-alan-m-pate-worldwide-international-privacy-2013-year-in-review-asia

Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression

praskrishna — 2014-01-08T04:59:10Z

Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.

In the time when Edward Snowden is fighting for both clemency and to be known as a brave whistle blower that exposed government wrongdoing, cyber security and online privacy have never been more important. As Jacob Applebaum discussed in May last year, and CIS’ Maria Xynou presented recently in December, surveillance throughout the world is increasing. With security apparatus’ likethe NSA and now India’s Central Monitoring System, coupled with corporate data centers around the world storing our e–mails, address books, preferences, and passwords, it is easy to see how our online privacy is increasingly being threatened and often, violated.

Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent, and accountable democratic governance. This is largely because surveillance, censorship, and monitoring ultimately create environments where self-censorship is the norm, as is the fear of the government instead of spaces that allow for freedom of expression and democratic dialogue and dissent.

What I would like to accomplish my speaking at CIS is not to merely educate about the dangers posed to Internet security or to world democracy, but rather to:

Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.
Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then use them to advocate for a more open, accessible, and private cyberspace.
Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.

Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.

About the Public Intelligence Project

The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.

Michael Oghia

Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology from the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while research about topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.

Date: Tuesday, January 14, 2014
Time: 6.30 p.m. to 8.00 p.m.
Talk by: Michael Oghia
Title: Research & Advocacy Consultant, and Project Manager
Organisation: Meta-Culture / Public Intelligence Project
Websites: www.meta-culture.in <http://www.meta-culture.in> & www.publicintelligenceproject.org <http://www.publicintelligenceproject.org>

For more details visit https://cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression

Despite apex court order, IOC proceeds with Aadhaar-linked DBT

praskrishna — 2014-01-31T06:50:33Z

Once DBT starts, there is no other method to avail of subsidy: IOC official.

The article by Deepa Kurup was published in the Hindu on January 6, 2014. Sunil Abraham is quoted.

Despite an interim order by the Supreme Court disallowing the government from making the Aadhaar number mandatory for accessing State subsidies and benefits, Indian Oil Corporation (IOC) Ltd. continues to inform consumers that they will not get their LPG subsidy if they do not seed their Aadhaar-linked bank accounts to the IOC database.

SMSes and publicity material released by IOC in the past week indicate that the company is going ahead with the Union government’s deadlines for the Direct Benefit Transfer scheme for LPG. While the deadline for Udupi and Dharwad districts has been extended till January-end, the “grace period” for Bangalore Urban will expire on March 1.

Over the past week, LPG consumers have been receiving frequent SMSes requesting them to submit their Aadhaar number to their LPG distributor and their bank, with “no further delay”. Though the SMS does not state whether or not this is mandatory, frequent messages have been instilling a sense of urgency and panic among consumers. Further, several consumers told The Hindu that, upon enquiry, distributors had been telling them that they would have to forego their subsidy amount (for nine cylinders a year) if they failed to register their details with the IOC database. Once the DBT scheme is enforced, the IOC will migrate customers entirely to the new system — that is, consumers will have to pay the market price, and the subsidy amount will be credited to their bank accounts.

‘No other method’

Senior IOC officials said that while the oil manufacturing company was desisting from making statements on whether or not this was mandatory, in effect those whose details would not be seeded to the database would not be able to avail of the benefit. “Basically, once the DBT scheme starts there is no other method to receive or avail of the subsidy. As of now, there is no alternative method,” said R.K. Arora, executive director, Karnataka State office. He pointed out that in rural areas several other subsidies were already linked to Aadhaar, and the DBT scheme was at 100 per cent in Tumkur and Mysore districts.

As of January 1, an IOC official said, only 30 per cent of LPG consumers in the Bangalore Circle had ‘seeded’ their accounts to the IOC database, while in Udupi and Dharwad it was roughly around 50 per cent.

“We are not claiming it’s mandatory, and currently all companies have submitted an affidavit seeking the order be reconsidered. Meanwhile, we have just asked people to submit the details to the distributor as soon as they can,” the official said. He added that IOC was likely to keep extending the deadline to “be on the safe side”.

Meanwhile, there is confusion among consumers on the issue. Krishnan Pillai, a resident of R.T. Nagar here, said Aadhaar numbers were being delayed, and there was huge anxiety among people. “Last week, I saw an advertisement that implied that I will lose subsidy if I don’t submit my number. Is the Supreme Court verdict not applicable?” he said. Sumitra Gupta, a charted accountant from Majestic, said distributors were telling them to “ignore news report on the Supreme Court verdict”.

“This is arm twisting,” she said.

‘So-called voluntary’

Sunil Abraham of the Centre for Internet and Society, a Bangalore-based NGO that has been part of the anti-Aadhaar campaign, said IOC was “pushing the boundary”. “From the very beginning, people have been objecting to the so-called voluntary nature of the scheme. It’s unfortunate that the will of the Supreme Court in its interim order on such as a critical component of our citizenship is also being ignored,” he said.

For more details visit https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt