Centre for Internet and Society

Brochures from Expos on Smart Cards, e-Security, RFID & Biometrics in India

maria — 2013-12-26T05:24:39Z

Electronics Today organised a series of expos on smart cards, e-security, RFID and biometric technology in Delhi on 16-18 October 2013. The Centre for Internet and Society is sharing the brochures it collected from these public expos for research purposes.

In Pragati Maidan, New Delhi, many companies from India and abroad gathered to exhibit their products at the following expos which were organised by Electronics Today (India's first electronic exhibition organiser) on 16-18 October 2013:

SmartCards Expo 2013
e-Security Expo 2013
RFID Expo 2013
Biometrics Expo 2013

The Centre for Internet and Society (CIS) attended these exhibitions for research purposes and is sharing the publicly available brochures it gathered through the attached zip file. The use of these brochures constitutes Fair Use.

For more details visit https://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013

CPDP 2014 Reforming Data Protection: The Global Perspective

praskrishna — 2013-12-11T03:39:50Z

Already in its 7th edition, the annual Computer Privacy and Data Protection conference (organised by CPDP) is being held in Brussels from January 22 to 24, 2014. Malavika Jayaram will be speaking at this event.

The Centre for Internet and Society is one of the sponsors for this event. Click here to read the full programme.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University, which has now grown significantly and incorporates a consortium of 21 conference partners.

CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. In an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world.

CPDP2014 has become truly global: it is co-organized by conference partners from Europe and the United States, and devotes panels to Latin-America and India. Moreover, CPDP is reaching out to the Asia-Pacific with speakers coming from all over the region.

The progressive growth of CPDP will culminate in an unprecedented 7^th edition. A terrific programme will include more than 60 panels held over three consecutive days. The panels will focus on key issues that cover all current debates: The data protection reform in the European Union, PRISM, big data, cybercrime, data retention, cloud computing, enforcement by Data Protection Authorities, biometrics, e-health, privacy by design, and much, much more. In addition, there will be a day event on the ethical issues of data collection on minorities, and the use of technology to advance the status of Roma.

CPDP will offer valuable contributions from the leading names in the field, including key representatives from all the major European institutions - the European Commission, the European Parliament, the European Data Protection Supervisor, and the Council of Europe.

In addition to the well-known classic Pecha Kucha side event, there will be several public debates held in the evenings – both in Dutch and English.

CDP2014 will continue to pay particular attention to high-level and innovative research from PhD Students and outstanding junior researchers by organizing sessions completely devoted to their work. CPDP2014 will also remain home to several award ceremonies, such as the award for the best Multidisciplinary Privacy Paper and the EPIC International Champion of Freedom Award.

Whether you are involved in the Conference as a sponsor, supporter, partner or participant or not, CPDP2014 welcomes you to join the event and contribute to the debate on emerging privacy and data protection issues.

For up to date information, registration and the programme, please visit http://www.cpdpconferences.org/ and follow CPDP on Facebook (cpdpconferences) and Twitter (@cpdpconferences).

If you have any questions please contact: info@cpdpconferences.org

For more details visit https://cis-india.org/events/cpdp-2014-reforming-data-protection-global-perspective

Technology in Government and Topics in Privacy

praskrishna — 2013-12-27T10:20:33Z

Malavika Jayaram is a speaker at an event organized by Data Privacy Lab at CGIS Cafe, Cambridge Street, Harvard University Campus. She will speak on Biometrics in Beta – India's Identity Experiment on December 9, 2013.

Technology in Government (TIG) and Topics in Privacy (TIP) consist of weekly discussions and brainstorming sessions on all aspects of privacy (TIP) and uses of technology to assess and solve societal, political, and government problems (TIG). Discussions are often inspired by a real-world problems being faced by the lead discussant, who may be from industry, government, or academia. Practice talks and presentations on specific techniques and topics are also common.

Abstract of the Talk

India's identity juggernaut - the Unique Identity (UID) project that has registered around 450 million people and is yet to be fully realized - is already the world's largest biometrics identity scheme. Based on the premise that centralized de-duplication and authentication will establish uniqueness and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad problems and improve welfare delivery, yet its conception and architecture raise significant concerns. In addition to the UID project, there is a slew of "Big Brother" systems that together form a matrix of identity and surveillance schemes: the UID is intended as a common identifier across this matrix as well as other public and private databases. Indian authorities frame Big Data as a panacea for fraud, corruption and abuse, without apprehending the further fraud, corruption and abuse that joined up databases can themselves engender. The creation of a privacy-invading technology layer not simply as a barrier to online participation but to social participation writ large is not fully appreciated by policy makers. Malavika will provide an overview of the identity landscape including the implications for privacy and free speech, and more broadly, democracy and openness.

Malavika Jayaram

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression, especially in the context of India's biometric ID project. A Fellow at the Centre for Internet and Society, Bangalore, she is the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. She is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global law firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, She was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania.

Click to read more on the event originally published by Data Privacy Lab here.

For more details visit https://cis-india.org/news/technology-in-government-and-topics-in-privacy

"Whatever happened to Privacy?" - International Activism Conference

praskrishna — 2014-02-03T05:56:27Z

Maria Xynou gave a keynote speech and participated as a panelist on the "Suspect Societies" panel. The event was organized by Heinrich Boell Foundation in Berlin on December 5 and 6, 2013.

"Whatever happened to privacy" brought together international activists on focal topics and combined bar camp style work sessions and political round tables with a classic public event, It focussed on an issue which has far reaching consequences for politically active people across the world - the issue of privacy and surveillance. The revelations around the NSA and GCHQ as well as other countries secret service digital surveillance activities have spurred political debate. This debate was intensified at "Whatever happened to Privacy?" formulating political demands, developing action strategies and debating questions such as:

What cultural and political value does privacy have today?
What are the societal implications of the wide spread "I have nothing to hide" attitude?
What political actions are necessary to protect citizens from mass surveillance and what tools exist for people to secure their communications, movements and lives?

For video and more info, click here

For more details visit https://cis-india.org/news/whatever-happened-to-privacy

Misuse of Surveillance Powers in India (Case 1)

pranesh — 2013-12-06T09:37:24Z

In this series of blog posts, Pranesh Prakash looks at a brief history of misuse of surveillance powers in India. He notes that the government's surveillance powers have been freqently misused, very often without any kind of judicial or political redressal. This, he argues, should lead us as concerned citizens to demand a scaling down of the government's surveillance powers and pass laws to put it place more robust oversight mechanisms.

Case 1: Unlawful Phone-tapping in Himachal Pradesh

In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.

On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371¹ phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.

Violations of the Law

While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34² cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.

Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.

While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.

Concluding Concerns

What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.

What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the PUCL judgment, were blatantly ignored.

What should concern us is that it took a change in government to actually uncover this sordid tale.

1385 according to a Hindustan Times report [1]: http://indiatoday.intoday.in/story/himachal-pradesh-police-registers-first-fir-in-phone-tapping-scandal/1/285698.html↩
A Zee News report states 34 while it’s 171 according to a Mail Today report ↩

For more details visit https://cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1

I Just Pinged to Say Hello

nishant — 2013-11-30T08:36:02Z

A host of social networks find us more connected than ever before, but leave us groping for words in the digital space.

Dr. Nishant Shah's article was published in the Indian Express on November 24, 2013.

I am making a list of all the platforms that I use to connect with the large networks that I belong to. Here goes: I use Yahoo! Messenger to talk to my friends in east Asia. Most of my work meetings happen on Skype and Google Hangout. A lot of friendly chatter fills up my Facebook Messenger. Twitter is always available for a little back-chat and bitching. On the phone, I use Viber to make VoIP calls and WhatsApp is the space for unending conversations spread across days. And these are just the spaces for real-time conversation. Across all these platforms, something strange is happening. As I stay connected all the time, I am facing a phenomenon where we have run out of things to say, but not the desire to talk.

I had these three conversations today on three different instant-messaging platforms:

Person 1 (on WhatsApp): Hi.

Me: Hey, good to hear from you. How are you doing?

Person 1: Good.

Me (after considerable silence): So what's up?

Person 1: Nothing.

End of conversation.

Person 2 (On an incoming video call on Skype): Hey, you there?

Me: Yeah. What time is it for you right now?

Person 2: It is 10 at night.

Me: Oh! That is late. How come you are calling me so late?

Person 2: Oh, I saw you online.

Me: Ok….. *eyes raised in question mark*

Person 2: So, that's it. I am going to sleep soon.

Me: Ok…. Er…goodnight.

Person2: Goodnight.

We hang up.

Person 3 (pinging me on Facebook): Hey, you are in the US right now?

Me: Yes. I am attending a conference here.

Person 3: Cool!

Me: Umm… yeah, it is.

Person 3: emoticon of a Facebook 'like'. Have fun. Bye.

Initially I was irritated at the futility of these pings that are bewildering in their lack of content. I dismissed it as one of those things, but I realise that there is a pattern here. Our lives are so particularly open and documented, such minute details of what we do, where we are and who we are with, is now available for the rest of the world to consume, making most of the conversations seeking information, redundant. If you know me on my social media networks, you already know most of the basic things that you would want to know about me. And it goes without saying that no matter how close and connected we are, we are not necessarily in a state where we want to talk all the time. The more distributed our lives are, the more diminished is the need for personal communication.

And yet, the habit or the urge to ping, buzz, DM or chat has not caught up with this interaction deficit. So, we still seem to reach out, using a variety of platforms just to say hello, even when there is nothing to say. I call this the 'Always On' syndrome. We live in a world where being online all the time has become a ubiquitous reality. Even when we are asleep, or busy in a meeting, or just mentally disconnected from the online spaces, our avatars are still awake. They interact with others. And when they feel too lonely, they reach out and send that empty ping — just to confirm that they are not alone. That on the other side of the glowing screen is somebody else who is going to connect back, and to reassure you that we are all together in this state of being alone.

This empty ping has now become a signifier, loaded with meaning. The need for human connection has been distributed, but it does not compensate our need for one-on-one contact. In the early days of the cell phone, when incoming calls were still being charged, the missed call, without any content, was a code between friends and lovers. It had messages about where to meet, when to meet, or sometimes, just that you were missing somebody. The empty ping is the latest avatar of the missed call — in a world where we are always online but not always connected, when we are constantly together, but also spatially and emotionally alone, the ping remains that human touch in the digital space that reassures us that on the other side of that seductive interface and the buzzing gadget, is somebody we can say hello to.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-november-24-2013-nishant-shah-i-just-pinged-to-say-hello

CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.

elonnai — 2013-11-30T07:25:18Z

The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights.

On November 26, 2013, the United Nations adopted a non-binding resolution on The Right to Privacy in the Digital Age. The resolution was drafted by Brazil and Germany and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to privacy extending equally to citizens and non-citizens of a country. The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.

The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the Central Monitoring System, should take cognizance of, including in short:

Privacy is a human right: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence.
Privacy is integral to the right to free expression: an integral component in recognizing the right to freedom of expression.
Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression.
Exceptions to privacy and freedom of expression should be in compliance with human rights law: Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law.
Mass surveillance may have negative implications for human rights: Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights.
Equal protection for online and offline privacy: The right to privacy must be equally protected online and offline.

The resolution further called upon states to:

Respect and protect the right to privacy, particularly in the context of digital communications.
To ensure that relevant legislation is in compliance with international human rights law
To review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.
To establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.

The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.

The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India to, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.

Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGO’s developed the Necessary and Proportionate principles that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A petition to sign onto the principles and demand an end to mass surveillance is currently underway.

Both the Government of India and public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.

For more details visit https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening

Big Democracy: Big Surveillance - A talk by Maria Xynou

maria — 2013-12-12T10:23:21Z

Next Tuesday, Maria Xynou will be presenting her latest research on surveillance in India. Come and engage in a discussion on India's controversial surveillance schemes, surveillance industry and much much more!

And so we've heard a lot about the Edward Snowden leaks and about the NSA's controversial mass surveillance projects. But what's happening in India?

It turns out that the world's largest democracy has some of the most controversial surveillance schemes in the world! Some of India's laws, schemes, projects and technologies are unbeatable when it comes to mass surveillance, censorship and control. While India may be a developing country with issues ranging from poverty to corruption, it nonetheless appears to be at the forefront of surveillance on an international level.

Join us at the Centre for Internet and Society (CIS) on 3rd December 2013 to hear about India's surveillance laws, schemes and technologies and to engage in a discussion on the potential implications. All that is required is an open mind, critical thought and a will to challenge that which has not been challenged!

We look forward to seeing you all and to hearing your thoughts, ideas and opinions!

VIDEO

For more details visit https://cis-india.org/internet-governance/events/big-democracy-big-surveillance-a-talk-by-maria-xynou

Panel on Privacy, Surveillance & the UID in the post-Snowden era

praskrishna — 2013-11-26T19:05:54Z

The Centre for Internet and Society (CIS) and the Say No to UID campaign invite you to a discussion on the UID and on the implications of the world's largest biometric data collection scheme in a post-Snowden era. The panel will take place on November 30th at the Institution of Agricultural Technologists in Bangalore.

Probably one of the most important things that we learnt following the Edward Snowden revelations is that our data has value. In fact, what we learnt is that our data has immense value...since it is clearly worth billions of dollars — to say the least.

However, not only does India lack privacy legislation which could safeguard our data from potential abuse, but it is also currently implementing some of the most controversial surveillance schemes in the world, in addition to the world's largest biometric data collection scheme. What's probably more alarming is that such schemes, such as the UID, lack legal backing, as well as public and parliamentary debate!

We aim to change that. As such, the Centre for Internet and Society (CIS) and the Say No to UID campaign jointly invite you to attend a panel which will discuss all of these crucial topics.

Schedule of panel:

3.30pm - 4pm: Tea/Coffee/Refreshments & Registration

4pm - 5.30pm: Panel on Privacy, Surveillance & the UID in the post-Snowden era

5.30pm - 6pm: Q&A and Open Discussion

Panelists:

- Dr. Usha Ramanathan: Academic, Jurist and Activist

- K V Narendra: Director of Rezorce Research Foundation

- Vinay Baindur: Researcher on Urban Local Government & Decentralisation

- Maria Xynou: Policy Associate on the Privacy Project at the Centre for Internet & Society

For more details visit https://cis-india.org/events/panel-on-privacy-surveillance-uid-in-the-post-snowden-era

Seventh Privacy Round-table

elonnai — 2013-11-20T09:58:39Z

On October 19, 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation for Indian Chambers of Commerce and Industry, the Data Security Council of India, and Privacy International held a “Privacy Round-table” in New Delhi at the FICCI Federation House.

The Round-table was the last in a series of seven, beginning in April 2013, which were held across India.

Previous Privacy Round-tables were held in:

New Delhi: (April 13, 2013) with 45 participants;
Bangalore: (April 20, 2013) with 45 participants;
Chennai: (May 18, 2013) with 25 participants;
Mumbai, (June 15, 2013) with 20 participants;
Kolkata: (July 13, 2013) with 25 participants; and
New Delhi: (August 24, 2013) with 40 participants.

Chantal Bernier, Assistant Privacy Commissioner Canada, Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Party, and Christopher Graham, Information Commissioner UK were the featured speakers for this event.

The Privacy Round-tables were organised to ignite spark in public dialogues and gain feedback for a privacy framework for India. To achieve this, the Privacy Protection Bill, 2013, drafted by the Centre for Internet and Society, Strengthening Privacy through Co-regulation by the Data Security Council of India, and the Report of the Group of Experts on Privacy by the Justice A.P. Shah committee were used as background documents for the Round-tables. As a note, after each Round-table, CIS revised the text of the Privacy Protection Bill, 2013 based on feedback gathered from the general public.

The Seventh Privacy Round-table meeting began with an overview of the past round-tables and a description of the evolution of a privacy legislation in India till date, and an overview of the Indian interception regime. In 2011, the Department of Personnel and Training drafted a Privacy Bill that incorporated provisions regulating data protection, surveillance, interception of communications, and unsolicited messages. Since 2010, India has been seeking data secure status from the European Union, and in 2012 a report was issued noting that the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules found under section 43A of the Information Technology Act, were not sufficient to meet EU data secure adequacy. In 2012, the Report of the Group of Experts on Privacy was published recommending a privacy framework for India and was accepted by the government, and the Department of Personnel and Training is presently responsible for drafting of a privacy legislation for India.

Presentation: Jacob Kohnstamm, Dutch Data Protection Authority and Chairman of the Article 29 Working Group

Jacob Kohnstamm, made a presentation on the privacy framework in the European Union. In his presentation, Khonstamm shared how history, such as the Second World War, shaped the present understanding and legal framework for privacy in the European Union, where privacy is seen as a fundamental human right. Kohnstamm also explained how over the years technological developments have made data gold, and subsequently, companies who process this data and create services that allow for the generation of more data are becoming monopolies. This has created an unbalanced situation for the individual consumer, where his or her data is being routinely collected by companies, and once collected — the individual loses control over the data. Because of this asymmetric relationship, data protection regulations are critical to ensure that individual rights are safeguarded.

Kohnstamm recognized the tension between stringent data protection regulations and security for the government, and the provision of services for businesses was recognized. However, he argued that the use of technology without regulation — for commercial reason or security reasons, can lead to harm. Thus, it is key that any regulation incorporate proportionality as a cornerstone to the use of these technologies to ensure trust between the individual and the State, and the individual and the corporation. This will also ensure that individuals are given the right of equality, and the right to live free of discrimination. Kohnstamm went on to explain that any regulation needs to ensure that individuals are provided the necessary tools to control their data and that a robust supervisory authority is established with enough powers to enforce the provisions, and that checks and balances are put in place to safeguard against abuse.

In response to a question asked about how the EU addresses the tension of data protection and national security, Kohnstamm clarified that in the EU, national security is left as a matter for member states to address but the main principles found in the EU Data Protection Directive also apply to the handling of information for national security purposes. He emphasized the importance of the creation of checks and balances. As security agencies are given additional and broader powers, they must also be subjected to stronger safeguards.

Kohnstamm also discussed the history of the fair trade agreement with India, and India’s request for data secure status. It was noted that currently the fair trade agreement between India and the EU is stalled, as India has asked for data secure status. For the EU to grant this status, it must be satisfied that when European data is transferred and processed in India and that it is subject to the same level of protections as it would be if it were processed in the EU. Without a privacy legislation in place, India’s present regime does not reflect the same level of protections as the EU regime. To find a way out of this ‘dead lock’, the EU and India have agreed to set up an expert group — with experts from both the EU and India to find a way in which India’s regime can be modified to meet EU date secure adequacy. As of date, no experts from the Indian side have been nominated and communicated to the EU.

Key Points:

Europe’s history has influenced the understanding and formulation of the right to privacy as a fundamental right.
Any privacy regulation must have strong checks and balances in place and ensure that individuals are given the tools to control their data.
India’s current regime does not meet EU data secure adequacy. Currently, the EU is waiting for India to nominate experts to work with the EU to find a way of the ‘dead lock’.

Discussion: National Security, Surveillance and Privacy

Opening the discussion up to the floor, it was discussed how in India, there is a tension between data protection and national security, as national security is always a blanket exception to the right to privacy. This tension has been discussed and debated by both democratic institutions in India and commercial entities. It was pointed out that though data protection is a new debate, national security is a debate that has existed in India for many years. It was also pointed out that currently there are not sufficient checks and balances for the powers given to Indian security agencies. One missing safeguard that the Indian regime has been heavily criticized for is the power of the Secretary of the Home Ministry to authorize interception requests, as having the authorization power vested in the executive leaves little space between interested parties seeking approval of interception orders, and could result in abuse or conflict of interest. With regards to the Indian interception regime, it was explained that currently there are five ways in which messages can be intercepted in India. Previously, the Law Commission of India had asked that amendments be made to both the Indian Post Office Act and the Indian Telegraph Act.

Moving the discussion to the Privacy Protection Bill, 2013 by CIS, in Chapter V “Surveillance and Interception of Communications” clause 34, the authorization of interception and surveillance orders is left to a magistrate. Previously, the authorization of interception orders rested with the Privacy Commissioner, but this model was heavily critiqued in previous round-tables, and the authorizing authority has been subsequently changed to a magistrate. Participants pointed out that the Bill should specify the level of the magistrate that will be responsible for the authorization of surveillance orders, and also raised the concern that the lower judiciary in India is not adequately functioning as the courts are overwhelmed, thus creating the possibility for abuse. Participants also suggested that perhaps data protection and surveillance should be de-linked from each other and placed in separate bills. This echoes public feedback from previous roundtables.

While discussing needed safeguards in an interception and surveillance regime for India, it was called out that transparency of surveillance, by both the government and the service providers as key safeguards to ensuring the protection of privacy, as it would enable individuals to make educated decisions about the services they choose to use and the extent of governmental surveillance. The need to bring in a provision that incorporated the idea of "nexus of surveillance" was also highlighted. It was also pointed out that in Canada, entities wanting to deploy surveillance in the name of public safety, must take steps to prove nexus. For example, the organization must empirically prove that there is a need for a security requirement, demonstrate that only data that is absolutely necessary will be collected, show how the technology will be effective, prove that there is not a less invasive way to collect the information, demonstrate security measures in place to ensure against loss and misuse, and the organizations must have in place both internal and external oversight mechanisms. It was also shared that in Canada, security agencies are regulated by the Office of the Canadian Privacy Commissioner, as privacy and security are not seen as separate matters. In the Canadian regime, because security agencies have more powers, they are also subjected to greater oversight.

Key Points:

The Indian surveillance regime currently does not have strong enough safeguards.
The concept of ‘nexus’ should be incorporated into the Privacy Protection Bill, 2013.
A magistrate, through judicial oversight for interception and surveillance requests, might not be the most effective authority for this role in India.

Presentation: Chantal Bernier, Deputy Privacy Commissioner, Canada

In her presentation, Bernier made the note that in the Canadian model there are multiple legislative initiatives that are separate but connected, and all provide a legislative basis for the right to privacy. Furthermore, it was pointed out that there are two privacy legislations in Canada, one regulating the private sector and the other regulating the public sector. It has been structured this way as it is understood that the relationship between individuals and business is based on consent, while the relationship between individuals and the state is based on human rights. Furthermore, aspects of privacy, such as consent are different in the public sector and the private sector. In her presentation, Bernier pointed out that privacy is a global issue and because of this, it is critical that countries have privacy regimes that can speak to each other. This does not mean that the regimes must be identical, but they must at the least be inter-operable.

Bernier described three main characteristics of the Canadian privacy regime including:

It is comprehensive and applies to both the public and the private sectors.
The right to privacy in Canada is constitutionally based and is a fundamental right as it is attached to personal integrity. This means that privacy is above contractual fairness. That said, the right to privacy must be balanced collectively with other imperatives.
The Canadian privacy regime is principle based and not rule based. This flexible model allows for quick adaption to changing technologies and societal norms. Furthermore, Bernier explained how Canada places responsibility and accountability on companies to respect, protect, and secure privacy in the way in which the company believes it can meet. Bernier also noted that all companies are responsible and accountable for any data that they outsource for processing.

Furthermore, any company that substantially deals with Canadians must ensure that the forum for which complaints etc., are heard is Canada. Furthermore, under the Canadian privacy regime, accountability for data protection rests with the original data holder who must ensure — through contractual clauses — that any information processed through a third party meets the Canadian level of protection. This means any company that deals with a Canadian company will be required to meet the Canadian standards for data protection.

Speaking to the governance structure of the Office of the Privacy Commissioner in Canada, Bernier explained that the OPC is a completely independent office and reports directly to the Parliament. The OPC hears complaints from both individuals and organizations. The OPC does not have any enforcement powers, such as finding a company, but does have the ability to "name" companies who are not in compliance with Canadian regulations, if it is in the public interest to do so. The OPC can perform audits upon discretion with respect to the public sector, and can perform audits on the private sector if they have reasonable grounds to investigate.

Bernier concluded her presentation with lessons that have been learned from the Canadian experience including:

The importance of having strong regulators.
Privacy regulators must work and cooperate together.
Privacy has become a condition of trade.
In today’s age, issues around surveillance cannot be underestimated.
Companies that have strong privacy practices now have a competitive advantage in place in today’s global market.
Privacy frameworks must be clear and flexible.
Oversight must be powerful to ensure proper protection of citizens in a world of asymmetry between individuals, corporations, and governments.

Key Points:

The Right to Privacy is a fundamental right in Canada.
The Canadian privacy regime regulates the public sector and the private sector, but through two separate legislations.
The OPC does not have the power to levy fines, but does have the power to conduct audits and investigations and ‘name’ companies who are not in compliance with Canadian regulations if it is in the public interest.

Discussion: The Data Protection Authority

Participants also discussed the composition of the Data Protection Authority as described in chapter IV of the Privacy Protection Bill. It was called out that the in the Bill, the Data Protection Authority might need to be made more independent. It was suggested that to avoid having the office of the Data Protection Authority be filled with bureaucrats, the Bill should specify that the office must be staffed by individuals with IT experience, lawyers, judges, etc. On the other hand it was cautioned, that though this might be useful to some extent, it might not be helpful to be overly prescriptive, as there is no set profile of what composition of employees makes for a strong and effective Data Protection Authority. Instead the Bill should ensure that the office of the Data Protection Authority is independent, accountable, and chosen by an independent selection board.

When discussing possible models for the framework of the Data Protection Authority, it was pointed out that there are many models that could be adopted. Currently in India the commission model is not flexible, and many commissions that are set up, are not effective due to funding and internal bureaucracy. Taking that into account, in the Privacy Protection Bill, 2013, the Data Protection Authority, could be established as a small regulator with an appellate body to hear complaints.

Key Points:

The Data Protection Authority established in the Privacy Protection Bill must be adequately independent.
The composition of the Data Protection Authority be diverse and it should have the competence to address the dynamic nature of privacy.
The Data Protection Authority could be established as a small regulator with an appellate body attached.

Presentation: Christopher Graham, Information Commissioner, United Kingdom

Christopher Graham, the UK Information Commissioner, spoke about the privacy regime in the United Kingdom and his role as the UK Information Commissioner. As the UK Information Commissioner, his office is responsible for both the UK Data Protection Act and the Freedom of Information Act. In this way, the right to know is not in opposition to the right to privacy, but instead an integral part.

Graham said that his office also provides advice to data controllers on how to comply with the privacy principles found in the Data Protection Act, and his office has the power to fine up to half a million pounds on non-compliant data controllers. Despite having this power, it is rarely used, as a smaller fine is usually sufficient enough for the desired effect. Yet, at the end of the day, whatever penalty is levied, it must be proportionate and risk based i.e., selective to be effective. In this way the regulatory regime should not be heavy handed but instead should be subtle and effective. In fact, one of the strongest regulators is the reality of the market place where the price of not having strong standards is innovation and economic growth. To this extent, Graham also pointed out that self regulation and co-regulation are both workable models, if there is strong enforcement mechanisms. Graham emphasized the fact that any data protection must go beyond, and cannot be limited to, just security.

Graham also explained that he has found that currently there is a lack of confidence in Indian partners. This is problematic as the Indian industry tries to grow with European partners. For example, he has been told that customers are moving banks because their previous bank’s back offices were located in India. Citing other examples of cases of data breaches from Indian data controllers, such as a call center merging the accounts of two customers and another call centre selling customer information, he explained that the lack of confidence in the Indian regime has real economic implications. Graham further explained that one difficulty that the office of the UK ICO is faced with, is that India does not have the equivalent of the ICO. Thus, when a breach does happen, it is unclear who can be approached in India about the breach.

Touching upon the issue of data adequacy with the EU, Graham noted that if data adequacy is a goal of India, the privacy principles as defined in the Directive and reflected in the UK Data Protection Act, must be addressed in addition to security. In his presentation, Graham emphasized the importance of India amending their current regime, if they want data secure status and spoke about the economic benefits for both Europe and India, if India does in fact obtain data secure status. In response to a question about why it is so important that India amend its laws, if in effect the UK has the ability to enforce the provisions of UK Data Protection Act, Graham clarified that most important is the rule of law, and according to UK law and more broadly the EU Directive, companies cannot transfer information to jurisdictions that do not have recognized adequate levels of protection. Thus, if companies still wish to transfer information to India, this must be done through binding corporate rules.

Another question which was put forth was about how the right to privacy differs from other human rights, and why countries are requiring that other countries to uphold the right to privacy to the same level, when, for example this is not practiced for other human rights such as children’s rights. In response Graham explained that data belongs to the individual, and when it is transferred to another country — it still belongs to the individual. Although the UK would like all countries to uphold the rights of children to the standard that they do, the UK is not exporting UK citizen’s children to India. Thus, as the Information Commissioner he has a responsibility to protect his citizen’s data, even when it leaves the UK jurisdiction. Graham explained further that in the history of Europe, the misuse of data to do harm has been a common trend, which is why privacy is seen as a fundamental right, and why it is paramount that European data is subject to the same level of protection no matter what jurisdiction it is in. India needs to understand that privacy is a fundamental right and goes beyond security, and that when a company processes data it does not own the data, the individual owns the data and thus has rights attached to it to understand why Europe requires countries to be ‘data secure’ before transferring data to them.

Key Points:

The UK Information Commissioners Office regulates both the right to information and privacy, and thus the two rights are seen as integral to each other.
Penalties must be proportionate and scalable to the offense.
Co-regulation and self-regulation can both be viable models to for privacy, but enforcement is key to them being effective.

Discussion: Collection of Data with Consent and Collection of Data without Consent

Participants also discussed the collection of data with consent and the collection of data without consent found in Chapter III of the Bill. When asked opinions about the circumstances when informed consent should not be required, it was pointed out that in the Canadian model, the option to collect information without consent only applies to the public sector if it is necessary for the delivery of a service by the government. In the private sector all collection of information requires informed and meaningful consent. Yet, collection of data without consent in the commercial context is an area that Canada is wrestling with, as there are instances, such as online advertising, where it is unreasonable to expect consent all the time. It was also pointed out that in the European Directive, consent is only one of the seven grounds under which data can be collected. As part of the conversation on consent, it was pointed out that the Bill currently does not take explicitly take into account the consent for transfer of information, and it does not address changing terms of service and if companies must re-take consent, or if providing notice to the individual was sufficient. The question about consent and additional collection of data that is generated through use of that service was also raised. For example, if an individual signs up for a mobile connection and initially provides information that the service provider stores in accordance to the privacy principles, does the service provider have an obligation to treat all data generated by the user while using the service of the same? The exception of disclosure without consent was also raised and it was pointed out that companies are required to disclose information to law enforcement when required. For example, telecom service providers must now store location data of all subscribers for up to 6 months and share the same when requested by law enforcement.

Key Points:

There are instances where expecting companies to have informed consent for every collection of information is not reasonable. Alternative models, based on — for example transparency — must be explored to address these situations.
The Privacy Protection Bill should explicitly address transfer of information to other countries.
The Privacy Protection Bill should address consent in the context of changing terms of service.

Discussion: Penalties and Offences

The penalties and offenses prescribed in chapter VI of the Privacy Protection Bill were discussed by participants. While discussing the chapter, many different opinions were voiced. For example, some participants held the opinion that offences and penalties should not exist in the Privacy Protection Bill, because in reality they are more likely than not to be effective. For example, when litigating civil penalties, it takes a long time for the money to be realized. Others argued that in India, where enforcement of any law is often weak, strong, clear, and well defined criminal penalties are needed. Another comment raised the point that a distinction should be made between breaches of the law by data controllers and breaches by rogue individuals — as the type of violation. For example, a breach by a data controller is often a matter identifying the breach and putting in place strictures to ensure that it does not happen again by holding the company accountable through oversight. Where as a breach by a rogue agent entails identifying the breach and the rogue agent and creating a strong enough penalty to ensure that they will not repeat the violation. Adding to this discussion, it was pointed out that in the end, scalability is key in ensuring that penalties are proportional and effective. It was also noted that in the UK, any fine that is levied is appealable. This builds in a system of checks and balances, and ensures that companies and individuals are not subject to unfair or burdensome penalties.

The possibility of incentivizing compliance, through rewards and distinctions, was discussed by participants. Some felt that incentivizing compliance would be more effective as it would give companies distinct advantages to incorporating privacy protections, while others felt that incentives can be included but penalties cannot be excluded, otherwise the provisions of the Privacy Protection Bill 2013 will not be enforceable. It was also pointed out that in the context of India, ideally there should be a mechanism to address the ‘leakages’ that happen in the system i.e., corruption. Though this is difficult to achieve, regulations could take steps like specifically prohibiting the voluntary disclosure of information by companies to law enforcement. Taking a sectoral approach to penalties was also suggested as companies in different sectors face specific challenges and types of breaches. Another approach that could be implemented is the statement of a time limit for data controllers and commissioners to respond to complaints. This has worked for the implementation of the Right to Information Act in India, and it would be interesting to see how it plays out for the right to privacy. Throughout the discussion a number of different possible ways to structure offenses and penalties were suggested, but for all of them it was clear that it is important to be creative about the type of penalties and not rely only on financial penalty, as for many companies, a fine has less of an impact than perhaps having to publicly disclose what happened around a data breach.

Key Points:

Penalties and offenses by companies vs. rogue agents should be separately addressed in the Bill.
Instead of levying penalties, the Bill should include incentives to ensure compliance.
Penalties for companies should go beyond fines and include mechanisms such as requiring the company to disclose to the public information about the breach.

Discussion: Cultural Aspects of Privacy

The cultural realities of India, and the subsequent impact on the perception of privacy in India were discussed. It was pointed out that India has a history of colonization, multiple religions and languages, ethnic tensions, a communal based society, and a large population. All of these factors impact understandings, perceptions, practices, and the effectiveness of different frameworks around privacy in India. For example, the point was raised that given India’s cultural and political diversity, having a principle based model might be too difficult to enforce as every judge, authority, and regulator will have a different perspective and agenda. Other participants pointed out that there is a lack of awareness around privacy in India, and this will impact the effectiveness of the regulation. It was also highlighted that anecdotal claims that cultural privacy in India is different, such as the fact that in India on a train everyone will ask you personal questions, and thus Indian’s do not have a concept of privacy, cannot influence how a privacy law is framed for India.

Key Points:

India’s diverse culture will impact perceptions of privacy and the implementation of any privacy regulation.
Given India’s diversity, a principle based model might not be adequate.
Though culture is important to understand and incorporate into the framing of any privacy regulation in India, anecdotal stories and broad assumptions about India’s culture and societal norms around privacy cannot influence how a privacy law is framed for India.

Conclusion

The seventh privacy round-table concluded with a conversation on the NSA spying and the Snowden Revelations. It was asked if domestic servers could be an answer to protect Indian data. Participants agreed that domestic servers are just a band aid to the problem. With regards to the Privacy Protection Bill it was clarified that CIS is now in the process of collecting public statements to the Bill and will be submitting a revised version to the Department of Personnel and Training. Speaking to the privacy debate at large, it was emphasized that every stakeholder has an important voice and can impact the framing of a privacy law in India.

For more details visit https://cis-india.org/internet-governance/blog/report-of-sevent-privacy-round-table

Why 'Facebook' is More Dangerous than the Government Spying on You

maria — 2013-11-23T08:38:30Z

In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden ’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS ), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment ) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc ) and the Information Technology (Amendment ) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment ) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS ) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India ’s Computer Emergency Response Team (CERT ) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS ) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID ) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS ’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO ’s “Netra ” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon ’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free , you are the product ”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden ’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays ” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

For more details visit https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

Spy agencies, IB and RAW, put spanner in proposed privacy law

praskrishna — 2013-11-19T09:50:05Z

The country’s intelligence agencies are out to scuttle a law that’s being drafted to protect your privacy.

The article by Nagender Sharma and Aloke Tikku was published in the Hindustan Times on November 2, 2013. Sunil Abraham is quoted.

The Intelligence Bureau and the Research and Analysis Wing (RAW) have told the government to water down the proposed law that makes it a crime to leak sensitive personal information collected by government departments and the private sector.

The agencies conveyed their views to national security adviser Shivshankar Menon at a recent meeting at the prime minister’s office. With home secretary Anil Goswami backing the spooks, even arguing that “the very need for such a bill” should be reviewed, Menon has called for revisiting the provisions the agencies have objected to.

The Right to Privacy Bill 2013 lays down privacy principles and standards, and stipulates jail terms and fines for leak of sensitive personal data.

“If such a bill was to be considered, intelligence agencies should be exempted from its purview,” Goswami argued at the meeting.

The intelligence agencies also spoke about how the bill would “adversely affect or compromise” the functioning of many agencies and projects, such as the Central Monitoring System that is used to intercept phone calls and internet communication, and the National Intelligence Grid that would give law enforcement agencies access to information combat terror threats.

The proposed privacy law was initially conceptualised to address data privacy, particularly in the context of data handled by the Indian IT industry for foreign clients.

But the Department of Personnel and Training – that drew up the bill – expanded its scope to cover information collected by the government and interception by intelligence agencies.

Sunil Abraham of the Centre for Internet and Society, a Bangalore-headquartered advocacy group, said the security establishment’s attempts to scuttle the privacy law were a step back.

“Civil society isn’t against surveillance by security agencies. All that we ask for is due process and oversight,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-november-2-2013-nagender-sharma-alok-tikku-spy-agencies-ib-and-raw-put-spanner-in-proposed-privacy-law

Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft

maria — 2013-11-06T08:16:05Z

Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!

Caspar Bowden is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.

From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

The Centre for Internet and Society interviewed Caspar Bowden on the following questions:

1. Do you think India needs privacy legislation? Why / Why not?

Well I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the draft of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state.

2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?

Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about.

3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.

Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.

Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.

4. Should people have the right to give up their right to privacy? Why / Why not?

In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!”

But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.

5. Do you agree with India's UID scheme? Why / Why not?

There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with eachother), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way.

Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the alogithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived.

There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds.

And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the anithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual.

Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.

6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?

Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy.

There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory.

We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term.

7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?

Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are software. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!

In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient.

8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?

In democratic countries, with good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies.

After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure.

It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today.

9. How would you advise young people working in the surveillance industry?

Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career.

For more details visit https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate

Open Secrets

nishant — 2013-11-30T08:21:21Z

We need to think of privacy in different ways — not only as something that happens between people, but between you and corporations.

Dr. Nishant Shah's article was originally published in the Indian Express on October 27.

If you are a part of any social networking site, then you know that privacy is something to be concerned about. We put out an incredible amount of personal data on our social networks. Pictures with family and friends, intimate details about our ongoing drama with the people around us, medical histories, and our spur-of-the-moment thoughts of what inspires, peeves or aggravates us. In all this, the more savvy use filters and group settings which give them some semblance of control about who has access to this information and what can be done with it.

But it is now a given that in the world of the worldwide web, privacy is more or less a thing of the past. Data transmits. Information flows. What you share with one person immediately gets shared with thousands. Even though you might make your stuff accessible to a handful of people, the social networks work through a "friend-of-a-friend effect", where others in your networks use, like, share and spread your information around so that there is an almost unimaginable audience to the private drama of our lives. Which is why there is a need for a growing conversation about what being private in the world of big data means.

Privacy is about having control over the data and some ownership about who can use it and for what purpose. Interface designs and filters that allow limited access help this process. The legal structures are catching up with regulations that control what individuals, entities, governments and corporations can do with the data we provide. However, most people think of privacy as a private matter. Just look at last month's conversations around Facebook's new privacy policies, which no longer allow you to hide. If you are on Facebook, people can find you using all kinds of parameters — meta data — other than just your name. They might find you through hobbies, pages you like, schools you have studied in, etc. This can be scary because it means that based on particular activities, people can profile and follow you. Especially for people in precarious communities — the young adults, queer people who might not be ready to be out of the closet, women who already face increased misogyny and hostility online. This means they are officially entering a stalkers' paradise.

While those concerns need to be addressed, there is something that seems to be missing from the debate. Almost all of these privacy alarms are about what people can do to people. That we need to protect ourselves from people, when we are in public — digital or otherwise. We are reminded that the world is filled with predators, crackers and scamsters, who can prey on our personal data and create physical, emotional, social and financial havoc. But this is the world we already know. We live in a universe filled with perils and we have learned and coped with the fact that we navigate through dangerous spaces, times and people all the time. The digital is no different than the physical when it comes to the possible perils that we live in, though digital might facilitate some kinds of behaviour and make data-stalking easier.

What is different with the individualised, just-for-you crafted world of the social web is that there are things which are not human, which are interacting with you in unprecedented ways. Make a list of the top five people you interact with on Facebook. And you will be wrong. Because the thing that you interact with the most on Facebook, is Facebook. Look at the amount of chatter it creates — How are you feeling today?; Your friend has updated their status; Somebody liked your comment… the list goes on. In fact, much as we would like to imagine a world that revolves around us, we know that there are a very few people who have the energy and resources to keep track of everything we do. However, no matter how boring your status message or how pedestrian your activity, deep down in a server somewhere, an artificial algorithm is keeping track of everything that you do. Facebook is always listening, and watching, and creating a profile of you. People might forget, skip, miss or move on, but Facebook will listen, and remember long after you have forgotten.

If this is indeed the case, we need to think of privacy in different ways — not only as something that happens between people, but between people and other entities like corporations. The next time there is a change in the policy that makes us more accessible to others, we should pay attention. But what we need to be more concerned about are the private corporations, data miners and information gatherers, who make themselves invisible and collect our personal data as we get into the habit of talking to platforms, gadgets and technologies.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-october-27-2013-nishant-shah-open-secrets