Centre for Internet and Society

'Privacy Matters', Ahmedabad: Conference Report

praskrishna — 2011-04-04T04:45:49Z

On 26 March 2011, civil society, lawyers, judges, students and NGO’s, gathered together at the Ahmedabad Management Association to take part in 'Privacy Matters' – a public conference organised by Privacy India in partnership with IDRC and Research Foundation for Governance in India (RFGI) — to discuss the challenges of privacy in India, with an emphasis on national security and privacy. The conference was opened by Prashant Iyengar, head researcher at Privacy India and Kanan Drhu, director of RFGI. Mr. Iyengar explained Privacy India’s mandate to raise awareness of privacy, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. RFGI is a think tank established in 2009 which aims to research, promote, and implement various reforms to improve the legal and political process in Gujarat and across India. ‘Privacy Matters – Ahmedabad’ is the third conference out of the eight that Privacy India will be hosting across India. The next conference will take place in Hyderabad on 9 April 2011. It will focus on human rights and privacy.

The keynote speech, delivered by Usha Ramanathan, focused on links not often made between privacy and social phenomenon.

Ms. Usha Ramanathan opened the conference by examining the links not often made between privacy and personal security, between databases and national security, and the centrality of dislodging privacy in projects of social control. In her presentation she spoke about the inverse relationship between national and personal security, making the point that an important part of privacy is the ability of an individual to secure their own person. Today, because national security follows a policy of ubiquitous surveillance, it is almost impossible for an individual to secure their person from the state. Ms. Ramanathan also traced the beginnings of ubiquitous surveillance to the increasing global fear of terrorism, and the national break down of the criminal justice system in India. Instead of looking to the roots of terrorism and the roots of failure in the criminal justice system, the Indian State has responded to both these factors by superimposing a system of surveillance on top of the existing rule. Consequently, the state has become pan-optical — closely following the movement of its entire population. The state has been able to achieve this level of surveillance through technology, which it has used to create identifiers for its population. The use of technology by the state mediates a link between corporate interest and state interest. Thus, by facilitating the easy and ubiquitous creation of identifiers and surveillance, technology is changing the idea and the nature of privacy. For example, it is now important that a privacy law allows for individuals to protect and secure their identity, something that every individual has and every individual controls, while regulating the creation and external use of identifiers — something that is used by another (not you) to distinguish a person from the rest of the population.

Questions to Consider

How can privacy legislation work to positively regulate the use of technology by the government, so that invasion of privacy does not consequently become state policy?

How can privacy legislation distinguish between and work to protect an identity while regulating the creation and use of personal information as identifiers?

Session I of the Conference featured a Judicial Perspective of Privacy and a Presentation on the Connections between Privacy and the Federal Income Tax Regime in India.

Privacy and the Constitution

J N Bhatt, the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission, spoke about privacy as a fundamental right that has been written into articles 19 and 21 of the Constitution of India. Important points from his presentation include:

As privacy is already a recognized fundamental right, the question at hand is not if there is a right to privacy, but instead how can the right to privacy be best proliferated.

Within the question of how a privacy can best be proliferated, is a question about rights and duties. Wherever there is a right to privacy there is also a corresponding duty to privacy — as rights and duties are interdependent.

Though privacy has been recognized as a fundamental right in India, when looking at the actual assertion of the right, it is important to be aware of the cultural realities of India. India is a country with 39 per cent of her population living below the poverty line, with an even lower literacy rate, and there is a direct connection between the assertion of civil liberties, an individual’s civic sense, and education.

When looking at how to best proliferate the right to privacy, governance and common law, a methodology to reach the poorest of the poor should be laid out first.

Questions to Consider

What is the best way to proliferate the right to privacy ?

What legal structures need to be in place to ensure that the poor can assert their right to privacy?
What social structures need to be in place to ensure that the poor can assert their right to privacy?

Privacy and the Indian Tax Regime

Professor Amal Dhru, visiting professor from the Indian Institute of Management, Ahmedabad and a practicing Chartered Accountant spoke on the connections between privacy and the federal income tax regime in India. In his presentation he explained how the information collected by the federal income tax regime in India can be both useful in holding a citizen accountable, and invasive of one’s personal privacy if mis-used. Important points from his presentation include:

The Indian tax regime highlights the tension between public interest as tax evasion is considered an exception to the right to privacy as it is a matter of public interest.

There is a lack of confidence in the existing banking and tax system in India. For example in the business sector, Indian investors have deposited over 700 billion dollars abroad as they are given complete privacy and security over their money.

Though there is a lack of confidence in the current banking and tax system, a tighter law is not necessarily the solution. For example, studies have found that tighter tax regimes lead to greater evasion, while looser tax regimes have higher compliance rates.

On April 1, 2011 the new tax codes for India will be implemented. The reform will give enormous power to tax offices, and as the tax authorities will become equipped to do taxes smarter – this will come at a cost to citizen’s privacy.

Questions to Consider

Just as a tighter tax law leads to a higher percentage of tax evasion, will a tight privacy law simply lead to greater numbers of privacy violations?

What creates public confidence in a law?

Should a privacy legislation be responsible for defining the public good?

Should privacy protection of tax-related information be incorporated into a privacy legislation or contained only in tax law?

To what extent should tax authorities be allowed to investigate potential tax evasion i.e., one’s computer, house or e-mail?

How does one balance the private vs. the public good?

Session II of the Conference focused on National Security and Privacy, and Cultural Conceptions of Privacy

National Security and Privacy

In the second session on Privacy and National Security, Colonel Mathew Thomas spoke on privacy and national security. Colonel Thomas is a management consultant and activity leader for development centers and has held top positions in the Indian Army, and the Defence Research and Development Organisation, where he headed the missile manufacturing facility. Sharing his personal experiences in the army he explained the connection between privacy and national security. Important points from his presentation include:

National Security is often not an internal threat, but instead an external threat.

There is a connection between the increase in surveillance and liberalization of Government.

More surveillance does not bring more security.

Foreign software poses as a threat to national security.

Greater security is gained through intelligent use and analysis of data.

A strong national security plan should not rely solely on surveillance of its citizens. Instead national security should be brought about through strong economic policies, non-reliance on foreign software, neutrality in foreign policy, fair trade policies, rural development and prevention of migration to cities, and having a politically honest and accountable governance.

Questions to Consider

Is it effective for privacy to be compromised in the name of anti- terror laws?
Can the development and distribution of indigenous software protect national privacy?
How can strong economic policies indirectly protect an individual's privacy?
How can a strong foreign policy protect an Indian citizen's privacy when it is stored or sent abroad?

Privacy as a Cultural Construct

Gagan Sethi from the Centre for Social Justice, Ahmedabad shared his opinion on privacy. Important points from his presentation include:

Privacy is a cultural construct that changes with context, perspective, and time.
When considering a privacy policy it is important to create a policy that does not strictly define what privacy is and what it is not, but instead create a policy that defines and promotes a common respect for human dignity.

Questions to Consider

If a privacy policy is developed to promote a common respect for human dignity – will it be effective?

Can you develop a policy that has a loose definition and mandate, but has strong legal teeth?

Session III of the Conference focused on Minority Identities and Privacy, Prisoner Rights, and Cyber Security.

Privacy and Minority Identities

Bobby Kuhnu, a lawyer and activist, presented in the third session on Privacy, Minority Identities, and Security. In his talk Mr. Kuhnu through the use of three examples examined the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities in the context of the Indian State and the constitutional right to privacy. Important points from his presentation include:

In India, names can be sensitive and personal information like one’s religion, family, caste, and background can all be known through a name.
Because of the sensitivity of a person’s name, many people do not feel safe or comfortable in their own identity.
Reservation lists and public postings of information, can and have been used to discriminate and violate another’s privacy.

Questions to Consider

Should a privacy legislation requirement throughout institutions and government bodies that names should not be publicly displayed to the point of identification?
What is the most effective way of legally protecting an individual from discrimination based on their name?

Perspectives of Privacy

In the last portion of the day, Yash Sampat and Aditya Yagnik spoke on the origins of privacy and privacy in the cyber world. Vimmi Surti spoke on prisoner's rights and privacy and Ramswaroop Chaudhary presented on minority identities in South Asia and privacy. Important points from their presentation include:

Internet has led to an increase in privacy violations.
The result of privacy infringements is often the deprivation of individuals from safe access to services availed to them.
When looking at privacy as the protection of human dignity, prisoner’s rights are violated through overcrowding in prisons, poor health, and poor sanitation.

Questions to Consider

Are there legal mechanisms that can be put in place to ensure the least amount of deprivation to services when an individual’s privacy is invaded?

To what extent should prisoners be availed the right to privacy?

The concluding session was a time for discussion and opinion sharing

From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Regulation of ubiquitous surveillance in the name of national security
Regulation over public display of names and personal information
The need to distinguish between identity and identifier.
The need to protect an individual's identity while regulating the production and use of identifiers.
Privacy rights and prisoners: what does the right to privacy mean to a prisoner, i.e., clean facilities and health care.
Can the right to privacy be a platform for individuals to claim sanitary/safe working and living conditions.
Recognize the changing nature of privacy rights in a technological society.
Privacy implications of biometric usage.
Creation of a definition of when privacy rights will supersede identification needs.
How can government institutions, like the tax department, incorporate and protect the right to privacy with the collection of large amounts of data for more efficient services.
Privacy and the family

Download the report and agenda here [pdf - 452kb]

Also see Matthew's presentation [powerpoint file 116kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad

‘Learn from failed UK NIR project’

praskrishna — 2011-04-01T15:12:12Z

The new government in the UK recently scrapped its decade-long work spending millions of pounds on establishing the National Identity Registration (NIR) number simply because it realised it wasn't workable. This article by Madhumita was published in the Deccan Chronicle on March 22, 2011.

There might just be a lesson in this for India that has begun the ambitious Unique Identification (UID) project. The fact, experts says, is that the technology to make this project work successfully in India, that is attempting to cover the largest biometric registry in the world so far, does not exist, at the moment.

According to Dr Ian Brown, senior research fellow at the Oxford Internet Institute, University of Oxford, there was very little evidence that the NIR in UK met the objectives it laid for the initiative. Dr Brown, who has worked extensively on privacy with regard to biometrics, asserted that in the area of privacy and trust there was already a lot of distrust among citizens concerning identity registration. Additionally the UK government losing the CDs that contained information of 25 million people, led to the debate of data breach, a major issue for India concerning the UID.

“The reasons behind the need for the card included politically popular goals that varied depending on the demands of that political moment. From anti-terrorism to reducing social security fraud, identification fraud, illegal immigration and creating a sense of community, the UK government's response was thin when it came to checking for evidence on the project successfully meeting these objectives. If it was for the largest argument of fitting into the wider perspective of criminal justice and security, then studies have shown that cost-effective measures such as streetlights managed to reduce crime by 30 per cent as against surveillance cameras that reduced crime a mere three per cent in the UK,” stated Dr Brown during a lecture at IISc.

India too has argued the same reasons of terrorism and security along with literacy and eradicating poverty. But where is the evidence that one cannot breach this system? Asked advocate Malavika Jayaram.

Prashant Iyengar of the Centre for Internet and Society (CIS) reiterating this stated that there was no guarantee that an individual's information would be safeguarded. The general consensus was that nobody is opposed to the UID, just its current form.

UK’s NIR disaster

The introduction of the UK’s National Identity Register (NIR) scheme was much debated, and various degrees of concern about the scheme were expressed by human rights lawyers, activists, security professionals and IT experts, as well as politicians.

Many of the concerns focused on the databases which underlie the identity cards rather than the cards themselves.

Biometrics consists of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In computer science, in particular, biometrics is used as a form of identity access management and access control.

It is also used to identify individuals in groups that are under surveillance. India is undertaking an ambitious mega project (the Multipurpose National Identity Card) to provide a unique identification number to each of its 1.25 billion people.

Read the original in the Deccan Chronicle here

For more details visit https://cis-india.org/news/failed-uk-nir-project

Privacy Matters - A Public Conference in Ahmedabad

praskrishna — 2011-04-04T07:14:41Z

On behalf of Privacy India, and in partnership with the Research Foundation for Governance in India and Society in Action Group, the Centre for Internet and Society invites you to “Privacy Matters” a public conference focused on discussing the challenges and concerns to privacy in India. The event will be held at the Ahmedabad Management Association. We would be honored if you would attend the meeting and contribute your views.

The conference will focus on the questions and dilemmas posed by privacy in India today, with a concentration on security, national surveillance, prisoners rights and privacy. The right to privacy in India has been a neglected area of study and engagement. Although sectoral legislation deals with privacy issues, India does not as yet have a horizontal legislation that deals comprehensively with privacy across all contexts. The absence of a minimum guarantee of privacy is felt most heavily by marginalized communities, including HIV patients, children, women, sexuality minorities,prisoners, etc. – people who most need to know that sensitive information is protected. Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India.

One of our goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Please confirm your participation with:

elonnai@privacyindia.org, or
jsree.t@gmail.com

Agenda

Privacy Matters

March 26th 10:30 – 4:30 pm

Ahmedabad Management Association
Core-AMA Management House
Torrent-AMA Management Centre
ATIRA Campus, Dr. Vikram Sarabhai Marg
Ahmedabad 380 015, Gujarat, INDIA
Phone: +91-79-263086

Time	Session
10:00 to 10:30	Registration and Welcome Prashant Iyengar Prashant Iyengar is a practicing lawyer and lead researcher for Privacy India. He will present who Privacy India is, and the objectives of Privacy India's research. Lastly he will outline the present scenario of Privacy in India.
10:30 to 11:15	Keynote Address Usha Ramanathan Dr. Usha Ramanathan is an internationally recognized expert on law and poverty. Her research interests include human rights, displacement, torts and environment. Ms. Ramanathan will speak about the coerced decline of privacy. National security, corruption, pragmatism, and the emergence of technologies that often work to establish that privacy is an irrelevant notion. She will look at links not often made between privacy and personal security, between data bases and national security, and the centrality of dislodging privacy in projects of social control are, perhaps deliberate.
11:15 to 11:30	Tea break
11:30 to 1:00	Opinions on Privacy Justice J N Bhatt, Mr. Ajay Tomar, Renu Pokharna In this session key officials from Gujarat will share their experiences and opinions on privacy in the context of India. Speakers include: Justice J N Bhatt is the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission. He has had ad successful career including having: joined the Office of the Government Pleader, at Jamnagar in 1976, worked as Central Government Counsel in special matter of Armed Forces and Labour Cases, and has authored more than 50 Articles on Jurisprudence, Constitution, International Law, A.D.R, Legal Aid and Lok Adalat and Judicial Reforms Renu Pokharna, a member of the Chief Minister's Office, State of Gujarat, has spent her career working towards the betterment of society, especially the poor and the hungry through policy and not charity. For example she is a part of the project “Gujarat Skill Development Mission”. The project tries to achieve convergence of skill training programs to make them more effective. Mr. Ajay Tomar is the chief of the Anti-Terrorism Squad in Gujarat. He has worked on cracking down on many cases involving national security and surveillance including the “Pepsi Bomber”.
1:00 to 2:00	Lunch Break
2:00 to 2:30	Privacy, Minority Identities, and Security Bobby Kuhnu Bobby Kuhnu is a lawyer, social activist, and writer. Mr. Kuhnu will examine the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities particularly in the context of the Indian state and the constitutional right to privacy.
2:30 to 3:00	Privacy and National Security Mathew Thomas Mathew Thomas is a management consultant and activity leader for development centers. Mathew has held top positions in the Indian Army, and the Defense Research and Development Organization, where he headed the missile manufacturing facility. His presentation will focus on national security and privacy.
3:00 to 3:15	Tea Break
4:00 to 4:30	Open discussion and summary

Other Distinguished Participants

Justice Madhukar

Former Judge, Trial Courts, Gujarat

Kanan Divatia

Lawyer and Professor of Law, L A Shah Law College

Professor Amal Dhru

Visiting Professor, Indian Institute of Management, Ahmedabad

Madhusudan Agarwal

Founder, Ma'am movies

Gaurang Raval

Drishti Media

Rahul Chimanbhai Mehta

Independent Candidate, IIT Delhi Alumnus

Madhusudan Agarwal

Founder, Ma'am movies

For more details visit https://cis-india.org/events/privacy-matters-ahmedabad

Battle for the Internet

praskrishna — 2011-04-01T15:28:19Z

In this article written by Latha Jishnu and published by Down to Earth, Issue: March 15 2011, the author reports about the events in the United States in the post WikiLeaks scenario.

As the Internet becomes the public square and the marketplace of our world, it is increasingly becoming a contested terrain. Its potential for diffusing knowledge and subverting the traditional channels of information is tremendous. So it is not surprising that governments, corporations and even seemingly innocuous social networking sites all want to control and influence the way the Internet operates. It’s easy to see why. Close to a third of humanity is linked to this system—and the dramatic growth in Internet usage over the past decade is set to explode in coming years. So is its commercial promise. Latha Jishnu looks at events in the US following the WikiLeaks exposé of its diplomatic cables, and in the hot spots of political turmoil across the world to understand the significance of the Internet in today’s interconnected world and the threats it faces. Arnab Pratim Dutta explains the technology used to block access to the Net.

An opposition supporter holds up a laptop showing images of celebrations in Cairo's Tahrir Square, after Egypt's President Hosni Mubarak resigned (Photo: Reuters)

Ideas and ideologies, images and reports of events, both minor and cataclysmic, fly on the Internet, swirling through cyberspace, gathering resonance, metamorphosing and touching millions of lives in different ways. Many of the ideas—and visuals—could be banal (as they very often are), some dangerous, others bringing promise of change. Some have the power to subvert, helping to stir and stoke the smouldering embers of political and social unrest as recent uprisings in north Africa, West Asia and Asia have shown. To many, the Internet is the rebel hero of our times, subverting conventional media and leaking news and information that governments would like to censor. Even a village in the remote reaches of Odisha’s Malkangiri district which may have no electricity is in some way linked to cyberspace through smart cell phones because mobile operators are increasingly turning Internet service providers (ISPs) and bringing the worldwide web to the conflict-ridden forests of central India.

It is about the power and reach of connection, unprecedented since people first began communicating with each other. The Internet, therefore, is turning into a conflict zone with everyone seeking control of it: governments, corporations and social networking sites, all of whom have different agendas. Social networks may seem innocuous but they are as much a hazard as the others to Internet freedom. Surveillance of “netizens” is becoming commonplace, whether in democracies or in totalitarian regimes, through a host of new laws and regulations ostensibly aimed at strengthening national security, cyber security or protecting business interests.

While most governments are seeking to filter and block specific content, in extreme cases, as in Egypt, the Net has been blacked out using what some experts say is the “kill switch” (see ‘The Egypt shutdown’). This could emerge as the biggest threat to the Internet since other regimes could be tempted to go the Egyptian way. Most governments, however, prefer not to use it, not even the censorship-obsessed Chinese and Saudi regimes because the Internet is also about business—commerce of increasing significance is being routed through its sinews. Take one small example: In January alone, Britons spent a whopping £5.1 billion online, recording a 21 per cent jump in e-commerce revenues over January 2010, according to the latest edition of the IMRG/CapGemini e-Retail Sales Index. It is the kind of figure that stops authorities from reaching for the kill switch.

In the case of China, e-commerce transactions hit 4.5 trillion yuan (US $682.16 billion) in 2010, up 22 per cent year-on-year, according to China e- Business Research Center and CNZZ Data Center. Of this, online B2B or business-to-business deals accounted for the bulk: 3.8 trillion yuan (US

Popular whistleblower website wikileaks.org was unavailable for some time in December 2010

$576.05 billion). And retail sales are expected to zoom, too, pretty soon with e-commerce websites selling directly to customers growing to more than 18,600 last year. Thanks to a dramatic spike in the rate of Net penetration and impressive growth of online business.

But the world has a long way to go before the Internet becomes ubiquitous or an all-encompassing global commons. Currently, just two billion people are linked to the system (see above: ‘Big picture’), which is less than a third of the world’s population. And the reach, as the chart shows, is rather patchy. India may be in the top five Internet user nations with a total of 81 million users but penetration is an abysmal 6.9 per cent, the worst in the list. Blame that on our pathetic education levels and poverty. China, however, is the undisputed leviathan with 420 million users in 2010—some estimates put the figure closer to 500 million now—who account for more than a fifth of the world’s Internet users. No other country’s growth in this sector matches China’s either in speed or drama.

This is one reason Washington frequently raises the issue of China’s policing of the Internet in different fora. The most recent was on February 15 when secretary of state Hillary Clinton made the second of her rousing speeches on safeguarding the Internet from all kinds of government interference. Speaking at George Washington University in Washington DC, Clinton pointed out that the attempts to control the Internet were rife across the world but singled China for repeated attacks.

“In China, the government censors content and redirects search requests to error pages. In Burma, independent news sites have been taken down with distributed denial of service (DDoS) attacks. In Cuba, the government is trying to create a national intranet, while not allowing their citizens to access the global internet. In Vietnam, bloggers who criticize the government are arrested and abused. In Iran, the authorities block opposition and media websites, target social media, and steal identifying information about their own people in order to hunt them down. These actions reflect a landscape that is complex and combustible, and sure to become more so in the coming years as billions of more people connect to the Internet.”

That seemed a fair assessment of the trends but the irony is that even as the secretary of state was speaking, the Department of Justice was seeking to enforce a court order to direct Twitter Inc, to provide the US government records of three individuals, including Birgitta Jonsdottir, a member of Iceland's Parliament who had been in touch with others about WikiLeaks and its founder Juan Assange last year when WikiLeaks released its huge cache of US diplomatic cables.

A commentary in China Daily noted with asperity: “The Assange case reveals such rhetoric is just so much hypocrisy. It is apparent that when Internet freedom conflicts with self-declared US national interests, or when Internet freedom exposes lies by the self-proclaimed open and transparent government, it immediately becomes a crime.”

The Assange case more than anything else has exposed how vulnerable the Net is to political meddling and control. In December last year, Amazon said it stopped hosting the WikiLeaks website because it “violated its terms of service” and not because the office of the Senate Homeland Security Committee chaired by Joe Lieberman had questioned Amazon about its relationship with WikiLeaks.

WikiLeaks had turned to Amazon to keep its site available after hackers tried to flood it and prevent users accessing the classified information. Few people were willing to credit Amazon’s feeble explanation for cutting off WikiLeaks and the general surmise was that Lieberman had put some kind of pressure on the webhosting platform. According to one analyst, the simple reason is that the US government is one of the company’s biggest clients. According to a press note issued by the company: “Government adoption of AWS (Amazon Web Services) grew significantly in 2010. Today we have nearly 20 government agencies leveraging AWS, and the US federal government continues to be one of our fastest growing customer segments.”

As Amazon abandoned WikiLeaks, Paypal, Visa and MasterCard had also dumped WikiLeaks. This set off a fullscale cyber war in which a fourth party made its presence felt: Hackers/ ‘hacktivists’ who unleashed operation payback for what they deemed unfair targeting of WikiLeaks and Assange. This involved a series of (DDOS) attacks on Paypal, MasterCard, Swiss Bank PostFinance and Lieberman’s website.

So while governments in many parts of the world block sites, jail or kill dissidents for expressing their views on the Net, threats to the freedom of the Internet come primarily from the paranoia that governments suffer and from badly crafted policies they implement to protect business and other interests.

US enforcement agencies shut down 84,000 sites, falsely accusing them of child pornography

The US, the ultimate symbol of liberal democracy, is no less uneasy about the power of the Internet. A slew of laws are making their way through the Senate, laws that will give the administration sweeping powers to seize domain names and shut down websites, even those outside its territory, and laws that strengthen the powers of the president in the time of a cyber emergency, including the use of a kill switch. In September, the US Senate introduced the Combating Online Infringement and Counterfeits Act, which would allow the government to create a blacklist of websites that are suspected to be infringing IP rights and to pressure or require all ISPs to block access to those sites. In these cases, no due process of law protects people before they are disconnected or their sites are blocked.

In India, in the wake of the terrorist attacks in Mumbai in November 2008, Parliament hastily passed amendments to the Information Technology Act, 2000, without any discussion in either House. The December 2008 amendments have some good points but they also allow increased online surveillance. Section 69A permits the Centre to “issue directions for blocking of public access to any information through any computer resource”, which means that the government can block any website.

Pranesh Prakash of the Bengalurubased Centre for Internet and Society notes that while necessity or expediency in terms of certain restricted interests is specified, no guidelines have been specified. “It has to be ensured that they are prescribed first, before any powers of censorship are granted to anybody,” said Prakash in an analysis of the amendments. “In India, it is clear that any law that gives unguided discretion to an administrative authority to exercise censorship is unreasonable.”

Civil rights activists say the section has broadened the scope of surveillance and that there are no legal or procedural safeguards to prevent violation of civil liberties.

As the battle for keeping the Internet is joined by netizens who are aware of the power of connection, governments, too, are ramping up command and control measures. Among the risks to an open, democratic Internet are the following:

Threat to universality

The basic design principle underlying the World Wide Web is universality, and, according to its founder Tim Berners-Lee, several threats are emerging. Among these are: cable companies that sell Internet connectivity wanting to limit their Net users to downloading only the company’s mix of entertainment and social networking sites (see ‘Hidden dangers of Facebook’).

Another is by pricing Net connectivity out of the reach of the poor and allowing differential pricing. Berners- Lee, warned at a recent London conference: “There are a lot of companies who would love to be able to limit what web pages you can see...the moment you let Net neutrality go, you lose the web as it is...You lose something essential—the fact that any innovator can dream up an idea and set up a website at some random place and let it just take off from word of mouth...”

Actions against piracy

The nub of such operations lies in the US Department of Homeland Security, whose Immigration and Customs Enforcement (ICE) and the Department of Justice (DoJ) have been seizing domains because they are suspected of hawking pirated goods. The first seizure was in November last year when 82 websites selling counterfeit goods ranging from handbags to golf clubs were taken out.

Last month, there was another raid on the Internet. According to TorrentFreak and other Internet monitoring sites, the two agencies wrongly shut down 84,000 websites that had not broken the law, falsely accusing them of child pornography crimes. After the mistake was identified, it took about three days for some of the websites to go live again. The domain provider, FreeDNS, was taken aback. “Freedns.afraid.org has never allowed this type of abuse of its DNS service. We are working to get the issue sorted as quickly as possible,” it said.

Earlier, DoJ and ICE had seized the domain of the popular sports streaming and P2P download site Rojadirecta. What is shocking is that the site is based in Spain and is perfectly legal. Two courts in Spain have ruled that the site operates legally, and other than the .org domain the site has no links to the US.

Internet freedom could easily become the biggest casualty in the illconceived and poorly designed procedures adopted by developed countries— France, the UK, South Korea, Taiwan and New Zealand have similar laws—to protect intellectual property from counterfeiters and pirates, primarily at the behest of the film and music recording industries.

There are indications India may be planning to follow suit (see ‘India’s three-strikes policy’), although civil rights groups say it could amount to a form of deprivation of liberty.

Surveillance technology

The problem with the use of technology in keeping the Internet safe cuts both ways. With increasing number of cyber attacks on both official and public websites from an array of hackers and malware, governments are reaching for ever more sophisticated high-tech surveillance systems. For instance, computer systems of the US Congress and the executive branches are under attack an average of 1.8 billion times per month, according to a recent Senate report. The result: more spyware. One such is deep packet inspection technology. It is a tool that protects customers from rampant spam and virus traffic. Experts say the Internet could not survive without this technology and yet, it helps authorities to keep a close watch on what people are doing on the Net. In the US, ISPs are required to have this technology.

So what can be done? Keep close tabs on government involvement in the Internet and ensure that its intrusion in both the content and the engines of this system is kept to the minimum.

Read the original article written by Latha Jishnu in Down to Earth here

For more details visit https://cis-india.org/news/battle-internet

Draft IT guidelines may gag internet freedom

praskrishna — 2011-03-22T04:16:54Z

The draft rules proposed under the Information Technology Rules 2011 (due diligence observed by intermediaries guidelines) by the Indian government could lead to unprecedented levels of online censorship. This article by Shilpa Phadnis and Pranav Nambiar was published in the Times of India on March 11, 2011.

Intermediaries include telecommunications companies, internet service providers (ISPs) and blogging sites. Under the draft rules, intermediaries will have to notify users of their computer resource not to use, display, upload, publish, share or store a variety of `objectionable' content.

This includes infringement of proprietary information, blasphemy or abuse, information that could harm minors, content that impersonates another person or discloses sensitive personal information etc.

Sunil Abraham, executive director at the Centre for Internet and Society, said that these moves would have a chilling effect on internet freedom. For example Sec 3 (2)(a) states that any website with social media integrated into it and allows public to add content comes under the blanket surveillance regime. Sec 3 (h), which talks about impersonating another person, will potentially discourage cases like the fake IPL player who revealed rich information while keeping his real identity under wraps.

The draft rules use a standard set of rules across a variety of intermediaries including telecom service providers, blogging sites, online payment sites, e-mail service providers, and Web hosting companies.

Abraham believes that the government is explicitly targeting bloggers as a community and the draft rules are far from being tech neutral. "The government has come out with standard terms of use for due diligence. But you can't treat a small blogger on par with others who have large-scale commercial interests," he said.

According to the draft rules, an intermediary has to inform users that in case of non-compliance of its terms of use of the services and privacy policy, it has the right to immediately terminate the access rights of the users to its site. In case of infringement, the intermediary has to work with the user or owner of the information to remove access to the information.

Apar Gupta, partner in Accendo Law Partners, said intermediaries like blogs and search engines would have censorship powers. "It will not directly impeach the freedom of speech and expression. But intermediaries have to comply with some certain standards such as notify users on compliance issues,"he said.

Click below to find the original article in the Times of India

[1]

[2]

For more details visit https://cis-india.org/news/it-guidelines-gag-internet-freedom

Growing cyberspace controls, Internet filtering

praskrishna — 2011-08-20T14:36:26Z

OpenNet Initiative investigates, analyses filtering and surveillance practices, writes T Ramachandran in this article published in the Hindu on Sunday, February 20, 2011.

Governments in many parts of the world have been aggressively adopting a new generation of controls aimed at filtering and controlling information flow on the Internet, citing concerns such as cyber security, crime and terrorism, according to the OpenNet Initiative.

The OpenNet Initiative, which says it “investigates and analyses Internet filtering and surveillance practices in a credible and non-partisan fashion,” in its updated study released last year titled, “Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace,” said that it was fast becoming the global norm to control information flow on the Internet.

The OpenNet is a collaborative partnership between the Citizen Lab at the Munk School of Global Affairs, University of Toronto, the Berkman Centre for Internet and Society at Harvard University, and the Ottawa-based SecDev Group.

Asked whether the trend was likely to become more pronounced, given the recent developments in the Middle East, one of the contributors to the study, Ethan Zuckerman, a senior researcher at the Berkman Centre, said, “In general, we see governments becoming more aggressive and more overt about their Internet filtering.”

The OpenNet has described the recent Internet blackout in Egypt as ‘just-in-time-blocking' - when information flow is brought to a halt during critical times such as political crises, elections, or social unrest. Discussions have resurfaced about the deployment of 'Internet kill switches,' a way in which nations could snuff out the Internet when such a crisis occurs.

“For all the talk of Internet kill switches, turning off the Internet is a relatively easy and unsophisticated thing to do. What is hardest to do is filtering on finer, more granular levels,” Mr. Zuckerman told The Hindu.

The first-generation controls were deployed primarily at Internet “choke points,” places in the network where Internet addresses that had been blacklisted by the authorities could be filtered and blocked. These were mainly the gateways run by the Internet Service Providers (ISPs). The number-based IP addresses connected to particular websites or domain names could be used for the blocking. Keywords could also be used in weeding out proscribed sites or pages.

Reports of watchdogs such as the OpenNet and Freedom House indicate that though not pronounced, selective filtering has been a part of the Indian Internet scene. Google's Transparency Report for the first half of 2010 also shows that India is among the nations from where a number of government inquiries for information about users and requests to remove or censor content emanate.

“As far as censorship of Internet goes in India it is still first generation in terms of blocking and filtering at the Internet choke points. However, the Indian government has made and is making several moves that continue to undermine privacy and anonymity on the Internet. This has a chilling effect on freedom of expression and information accessing behaviour on the Internet,” says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society.

Second and third generation techniques of Internet filtering, as described in Access Controlled, are “more subtle, flexible, and even offensive in character,” often using legal regulations to supplement or legitimise technical filtering measures, extralegal or covert practices. These include the use of viruses to infiltrate computer systems, the launching of distributed denial-of-service (DDoS) attacks and surveillance at strategic points in the Internet and telecommunications infrastructure. The DDoS attacks involve directing traffic of such large volume at targeted sites during a particular period, in order to crash them, or keep them largely inaccessible. Counter-information campaigns could also be mounted, supplemented by policy measures and other strategies, including legal ones.

Governments have also been assiduously building up capabilities for monitoring and intercepting the large volume of information that flows on the Internet, including email, which mostly flows through the infrastructure of Internet Service Providers (ISPs) and Internet exchange points. In the Indian context, the I.T. Act “along with the ISP licences allows for blanket surveillance and also data retention,” says Mr. Abraham.

It is difficult to say if this sort of monitoring and interception is really effective in countering terrorism and other national security threats, says Mr. Zuckerman. “I don't believe trading privacy for security is a fair trade.”

Read the original news in the Hindu

For more details visit https://cis-india.org/news/growing-cyberspace-controls

Open Letter to the Finance Committee: UID and Transactions

praskrishna — 2011-02-24T13:35:11Z

Since official documentation from the UIDAI is very limited, we assume that data pertaining to transactions would comprise of the Aadhaar number, identifier of the authenticating device, date-time stamp, and approval/rejection/error code. Recording and maintaining of data pertaining to transactions is very important because it increases transparency and accountability through an audit trail. However, storage of such sensitive data creates many privacy risks, because more often than not metadata gives you as much intelligence as raw data.

For example – even if you didn’t have access to the Radia recordings – just knowing who she called, when, how frequently, in what order, and for how long, will give quite a comprehensive picture. Thus, we believe that such data should not be fully stored in a central database. By way of an open letter, we suggest three alternative ways of storing and securing data relating to transactions, so that transparency and accountability is preserved without enabling surveillance or profiling of individuals.

Partial storage of data relating to transactions

Once a transaction is processed, half of the UID number is stored in the central database, while the other half of the number is stored with the service provider. Thus, for an agency to reconstruct the audit trail they must seek consent from the service provider and the UIDAI for information regarding a specific transaction. The process would follow steps like these:

Send part of the Aadhaar number to the CIDR
Service provider stores part of the Aadhaar number locally.
Law enforcement and intelligence agencies seeking transaction data securing required approvals from the Home Ministry and then request data from the UIDAI and service provider
Data is provided by UIDAI and the service provider and combined to reconstruct the audit trail.

Storage of the public keys with a custodian

Similar to the model followed in the new wiretapping regulations1, the transaction details in the central database is secured using several custodians. Thus, no single entity has complete knowledge of access to the database. And if the transaction details are leaked to the public, the custodian can be held responsible for negligence. Thus, for an agency to reconstruct the audit trail they must seek approvals and request encrypted data. The process would follow steps like these:

Encrypt transaction data with the public key of the ‘custodian’
Store encrypted data in CIDR
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from the UIDAI.
The custodian on receipt of the necessary approvals decrypts the data using his/her private key, and then the audit trail becomes available.

Complete storage of transaction details at the service provider level

After a transaction is processed, the information is encrypted and stored in a de-centralized manner with the service provider, thus agencies or individuals can only access information regarding a specific transaction at a specific organization. The process would follow steps like these:

Encrypt transaction data
Store encrypted data at service provider level
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from each service provider. Audit trail is reconstructed by merging data sets from different service providers.
The CIDR will only hold Aadhaar number, date-time stamp, and approval/rejection/error code.

Note

1 http://timesofindia.indiatimes.com/india/Tapping-norms-Govt-will-erase-private-talk/articleshow/7407633.cms

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-and-transactions

Analysing the Right to Privacy and Dignity with Respect to the UID

Deva Prasad — 2012-03-21T09:54:35Z

In the below note, Deva Prasad, LLM Candidate at NLSIU, explores the challenges that the UID project faces from a legal perspective.

Introduction

The Unique Identity (hereinafter UID) project has been depicted to be a new face of development that technology could bring about. The UID project has also been sold to masses in India as a solution for accessibility to the service delivery, and as a tool for the eradication of ill-governance[1]. Though the UID tries to build up recognition and legitimacy on the basis of transparency, and delivery of good governance there are also issues of larger importance that have gone unnoticed by many. These include issues of the privacy and dignity of an individual being affected by the proposed UID scheme. An alarming fact is that little concern has been raised by opposition parties regarding the constitutionality and human rights implications that the UID scheme could cause. It is natural to have apprehensions and doubts about the effectiveness of implementation of the UID project, as this scheme is traversing through uncharted waters. Thus, it is important to analyze the socio-political implications in the context of the present political economy in India.

The UID scheme could be viewed as an intended shift in relationship between the state, the market, and the citizen in the new age of globalization and technological advancement[2]. It is very important to note that by merely providing a UID number to an individual, there is no guarantee of developmental accessibility, or rights and benefits that would be accrued to the poor and marginalized communities in India. The National Identification Authority of India Bill, 2010, which has been mooted for the purpose of providing legal status to the UID project, has raised many concerns including, privacy issues, and mechanisms for effective service delivery. More over civil society has pointed out that the legislative and administrative mechanisms created by the UID authority have not been created through a consultative - democratic process.

This paper will look at the challenges that the UID project faces from a legal perspective. Specifically the paper will focus on how the project will affect the privacy and dignity of individuals impacted by the project.

Problems and Issues Posed by the UID Project

UID is a product of what started as an idea of biometric identity cards for the border states in India in the wake of the increased terrorist activity. In a report, the consulting agency that was meant to determine the feasibility of the biometric card for border communities suggested that the identity cards could be implemented to the entire country[3]. Now the government is trying to implement the new UID scheme by masking it as a developmental agenda. Deeper questions of surveillance by the state, invasion of privacy at all levels, and the very fact of human beings being depicted to be mere numbers in the eyes of state leading to violation of dignity arise as a result of the UID project.

Issue of Surveillance by State

An important aspect of the project that needs to be understood is that as of now, the various data that is collected is stored across multiple sources, and data required for a particular purpose is being taken from individuals at one time. This leads to the creation of informational silos [4]. For example, the data required for booking a rail ticket shall be different from that of opening a bank account. But now with UID, which aims to be used as a multipurpose identification system, all the data pertaining to an individual could be accessed at one time. This could lead to a situation where an individuals’ autonomy, which is a well enshrined concept in human rights philosophy by the great philosophers such as Emanuel Kant [5], could be severely compromised. In other words, every decision made by a human in India could be under state surveillance. This could potentially lead to the denial of, and access to, many important social opportunities and other facilities for a particular section of people, who could be discriminated against by the state, using the information gathered from the UID. This has been referred to as “functional creep”, which constitutes the expansion of the ambit of usage of a particular system from its initial limit [6].

UID in the post-9/11 scenario of ‘state paranoidism’, could lead to unwanted monitoring and surveillance by the state. One of the objectives claimed by the UID is that of assisting the state in national security. But as mentioned above, the functional creep aspect may lead to the state monitoring at a level where an individual’s decision making is negatively affected. The UID scheme could also lead to providing the State and intelligence agencies information to legitimate surveillance, but in doing so would infringe on individuals privacy [7]. It is evident that the UID scheme could lead to providing more power to the hands of the state, impact the lives of the citizen, and also may lead to the implementation of hidden agenda's [8]. We should not forget the fact that in the Rwandan genocide it was by using identity cards that the demarcation of the Tutsis and Hutus could be done.

Issue of Breach of Privacy

Almost every country that tried to implement national identity cards based on integrated systems had public resistance, because of concerns over privacy. There are many dimensions to privacy, including the privacy of a person, privacy of communications, territorial privacy and privacy of personal data [10]. Privacy of the person concerns the privacy of body, and its integrity and freedom of not being infringed upon. Privacy of communications deals with the freedom to have communications by any means without being infringed upon by surveillance, telephone tapping etc. Territorial privacy addresses freedom from encroachment into domestic and official spaces by the way of surveillance. Identity and informational privacy or data privacy deals with the protection of information, especially sensitive information.

It is important to note that the main privacy concerns brought by the UID project are: territorial and data privacy. In India, the concept of privacy in the social sphere is not as prevalent as it is in Europe or the United States. A great observation made by Justice Brandeis and Samuel Warren in their article in Harvard Law review clearly shows the importance of limiting the impact and encroachment of technologies into the private sphere. Justice Brandeis observed that: “The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury [11].”

The UID leads to a situation of access to all the sensitive information of the people enrolled in the UID. This information could be misused by authorities. The risk that the UID poses to an individual’s privacy is enormous as information that is now scattered in the public domain will be brought into one point of convergence through the UID. Further, there are issues of privacy infringement due to the use of biometric information in the project. The collection of, and identification based on biometric information could be understood as a breach of one’s territorial privacy and one’s data privacy [12].

As persons are being identified on the basis of sensitive biometric information, the risk of being profiled, targeted and marginalized by the state on the basis of this sensitive information is very high. Hence, there is a requirement for the protection of data privacy and territorial privacy. The claims that the UID number will provide efficient access to developmental projects and facilities, should be viewed with suspicion, because when sensitive information of this nature is placed in the control of the state, it gives enormous power to the state.

Issue of Dignity

The greatest aspect of human rights could be identified as the acknowledgment of dignity of human beings. The UN Charter and the Universal Declaration of Human Rights both emphasize this point. Dignity signifies the innate rights of human beings to be treated with respect and ethical conduct [13]. Dignity is an extension of the thought, and the recognition that all individuals have inherent inviolable rights [14]. Freedom is also an aspect that has underpinnings in the concept of dignity.

In the UID project, the risk of surveillance, and breach of privacy clearly violates human dignity, as it curtails the freedom of choice that human beings are able to make, by placing individuals continuously under the threat of intrusive surveillance by the state, and the public domain. The factor of the UID scheme that truly robs human beings of their dignity is the treatment of human beings as mere numbers. In the case that an individual’s UID number is manipulated, used by someone else fraudulently, lost, or a technical problem occurs - the individual will be a non-existent entity before the state, having no value, as all the benefits and rights could be claimed only through the UID.

Actually, in the claim of public interest the UID scheme may cause more harm than good to the rights of the citizens, which are enshrined in the Constitution of India, 1950. Furthermore, the developmental claims by the UID of security and administrative efficiency cannot be a valid justification for infringement on the right of life under the Article 21 and the right to freedom of expression and movement as provided in the Article 19 of the Constitution of India, 1950. Identifying the right to privacy and dignity, and its scope under the Constitution of India, 1950 is very important for the purpose of gauging the impact that the UID scheme will cause upon these rights.

Right to Privacy and the Constitution of India

There is no direct provision providing for the right to privacy in the constitution of India. Hence the right to privacy needs to be understood on the basis of the decisional jurisprudence developed by the constitutional courts in India. Furthermore, the reason which the right to privacy is a non-defined right has its basis in the social context of India [15]. The development of the right to privacy in India could be traced from the case of M.P. Sharma v. Satish Chandra [16], in which case the Supreme Court held that the Indian constitution does not conceive the right to privacy while determining the contours of search and surveillance by the police. This narrow interpretation of the constitution reflects the view point of the judiciary of that particular time period [17].

In the case of Kharak Singh v. State of Punjab [18], the Supreme Court observed that: “The right of privacy is not guaranteed under our Constitution and therefore the attempt to ascertain the movements of an individual, which is merely a manner in which privacy is invaded is not an infringement of fundamental right guaranteed by Part III”[19]. This again reflects a restrictive interpretation of the constitution. But, in the case of Govind v. State of M.P [20], the Supreme Court took a viewpoint which represents a paradigm shift in perspective from their earlier rulings. In this case the Supreme Court observed that: “There can be no doubt that the makers of our Constitution wanted to ensure conditions favourable to the pursuit of happiness”. They certainly realized, as Brandeis, J. said in his dissent in Olmstead v. US, the significance of man’s Spiritual nature, of his feelings and his intellect. They sought to protect the individual in their beliefs, thoughts, their emotions and their sensations. To do this they must be deemed to have conferred upon the individual a sphere where he should be left alone, free from governmental access”[21].

The Govan case turned out to be a landmark case with the Supreme Court reiterating the right to privacy in subsequent cases. In the R. Rajagopal v. State of T.N [22], Supreme Court speaking through Jeevan Reddy, J. observed that: “The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. A citizen has a right to safeguard the privacy of his life, family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages [23].”

In P.U.C.L. v. Union of India [24] , the Supreme Court of India, while laying down the standards for telephone wiretapping had observed that the right to privacy is an integral part of the fundamental right to life enshrined under Article 21 of the Constitution and this right shall be available only against the state. Further in the case of Mr. ‘X’ v. Hospital ‘Z’ [25] also Supreme Court acknowledged the right to privacy, but held that it is not an absolute right.

The cases mentioned above clearly establish that the right to privacy is very much a part of the fundamental rights under the Constitution of India. Furthermore, one must not forget that the right to be left alone, and to be free in one’s private space is an important right, which the Supreme Court has accepted in the case of Naz Foundation v. Government of NCT and Others [26]. Right to privacy cannot be claimed to be a negative right restraining the power of the state, but it should be viewed to be a positive duty casted on the state to crated institutions that would help in protecting the private space and life of the individual [27].

Dignity and the Constitution of India

The dignity of an individual finds special mention in the preamble of the Constitution of India. Furthermore in Part III of the Constitution of India, 1950, the provision of fundamental rights protects the dignity of the individuals at large. The constitutional courts have also have emphasized dignity as a fundamental right in many cases, and have developed the decisional jurisprudence regarding dignity. In the recent case of Naz Foundation v. Government of NCT and Others

[28] the Delhi High Court observed that: “At its least, it is clear that the constitutional protection of dignity requires us to acknowledge the value and worth of all individuals as members of our society. It recognizes a person as a free being who develops his or her body and mind as he or she sees fit. At the root of the dignity is the autonomy of the private will, and a person's freedom of choice and of action. Human dignity rests on recognition of the physical and spiritual integrity of the human being, his or her humanity, and his value as a person, irrespective of the utility he can provide to others [29].”

Further, in the case of Prem Shankar Shukla v. Delhi Admn [30]the Supreme Court observed that human dignity forms part of our constitutional culture, and in Francis Coralie Mullin v. Administrator, Union Territory of Delhi and Ors.

[31] the Supreme Court through Bhagwati, J. observed that: “...We think that the right to life includes the right to live with human dignity and all that goes along with it, namely, the bare necessaries of life such as adequate nutrition, clothing and shelter and facilities for reading, writing and expressing oneself in diverse forms, freely moving about and mixing and commingling with fellow human beings. Every act which offends against or impairs human dignity would constitute deprivation pro tanto of his right to live and it would have to be in accordance with reasonable, fair and just procedure established by law which stands the test of other fundamental rights [32].” Hence one could observe from the above cases that the Supreme Court accepted that human dignity implies expressing oneself in diverse forms and acknowledges the value and worth of all the individuals in the society.

In the following part, the UID project is contextualized with the Right to privacy and dignity as provided for in the Indian Constitution. Ways to tackle the various issues brought about by the UID project are discussed.

Tackling the Issues Arising Out of the UID

In the above two chapters, issues concerning the UID, the right to privacy, and dignity, upon which the UID scheme has heavy implications for, are discussed. Now it is important that we look at aspects of how the right to privacy under the Constitution of India and the UID could be reconciled, and ways to approach the issues arising out of The National Identification Authority of India Bill, 2010.

Contextualizing UID with Right to Privacy in Indian Constitution

Regarding the right to privacy in India, the decisional jurisprudence has clearly acknowledged the fact that it forms part of Article 21. In this context privacy can be understood as the right to be left alone, as envisaged by the Justice Louis Brandeis [33]. Being a right, that is acknowledged to be part of Article 21; violation of this right by the proposed UID scheme would seem to be unconstitutional.

When considering this, one aspect that needs to be kept in mind is that the cases that have come before the Supreme Court have thus far been related to the privacy of a person and privacy of communications. There have been no affirmative rulings of the right to privacy in any cases regarding personal data and territorial privacy. Also legislations such as the Anti-Terrorism Act of 2002, Information Technology Act of 2000 and the Telegraph Act of 1885 have limited restriction on privacy [34].

Looking at the different dimensions of privacy, and the contextual need for protection of privacy in India, clearly there is need for specific affirmative rights to be established in the constitution regarding privacy, rather than deriving the right to privacy from the Article 21 or Article 19. The affirmative right of privacy would help to bring in its ambit the aspects of territorial privacy and personal data privacy. If privacy was an established right, it would lead to a clearer definition of what is the right to privacy in the Indian context. Such clarity is important as projects such as the UID are increasing the need for individuals to have the right to privacy. Also, there is a need for a comprehensive privacy legislation, which would ensure the protection of personal and sensitive data, and which may also establish a regulatory body. Perhaps such a privacy legislation could be structured along similar lines as the data protection commissioner’s office, which exist in Canada, Ireland [35], and other developed informational economies.

The National Identification Authority of India Bill, 2010 and Privacy Concerns

Further it is also important to highlight the fact that The National Identification Authority of India Bill, 2010 [36], completely ignores the issue of privacy. Within the Bill there exist no provisions that would help in the protection of an individual’s personal privacy. Further, there is a great amount of brouhaha around Clause 33 of the proposed Bill. Clause 33 states that the disclosure of information for national security, which runs the risk of surveillance, tracking, profiling and social, shall be controlled by the state and its agents [37].

The Bill does not make the UID a mandatory requirement - as per the Clause 3 - it is the option of the individual to choose if he/she wants the UID. Hence the Authority claims that there is no breach of privacy as the people have consented, and have voluntarily provided their information. But there are two aspects that must be considered. One is that even though there is no explicit compulsion for a person to obtain a UID number, there may be indirect compulsion, due to exclusion and inaccessibility to services and facilities for those who do not have a UID number. Thus, in this sense the UID number will become mandatory. The second point to consider is that even though the information is given voluntarily, the right to privacy over sensitive personal information does not exist. To avoid situations where an individual’s privacy is violated by the UID scheme, there needs to be both a specific provision that states clearly that no particular services or facilities shall be denied to citizen on basis of lack of UID, and a provision protecting the privacy of collected information.

Contextualizing UID and Right to Dignity under Indian Constitution

From the discussion above, it is evident that the dignity of an individual in the context of UID would come into question. Furthermore, the dignity of human life is questioned by the UID project, because of the infringement of private space of an individual by the state, and the constant surveillance that the UID could bring about. Furthermore, the choices made by human beings will be seriously influenced by the changing power equation between the state and the individual.

It is also being claimed that a UID number will provide the poor of this country with a real identity. It will also provide the poor access to developmental programs and effective governance. But there is a point that is missed here. The UID cannot by itself provide any identity, rights or facilities to the poor [38]. In reality these entitlements can only be provided by the law, by policy measures, and by treating the constitution and law to be tools of social engineering.

Thus, to protect the dignity of individuals it is important to protect the privacy of individuals. This includes taking measure that would help in limiting the extent of surveillance by the state, and pro-actively protecting the worth of human beings by not solely linking all the facilities and services of the government to the UID. Hence, The National Identification Authority of India Bill, 2010, should include the provisions that would help in protecting the above points. Furthermore, as mentioned above, a specific provision addressing the privacy of individuals should be included in the Constitution of India, a privacy legislation addressing the protection of personal information, and a privacy regulator should be formed.

Conclusion

The above discussion on the right to privacy and dignity with respect to UID clearly shows that the UID, if brought into practice, would discount the right to privacy and dignity guaranteed under the Constitution of India, 1950, and would cause serious implications upon the freedom and choices of the Indian citizen. The UID could also lead to a situation of increased state surveillance, causing an invasion of the right to privacy, and in turn affecting the dignity of individuals. The argument that the UID is voluntary, and hence there is no infringement of privacy has been proved wrong in the above discussion. Also, it has been proven that depicting UID as a tool for development is nothing more than a myth. The important measures that need to be taken in tackling the issues raised by UID could be summed up as follows:

In view of the increased protection required specifically for territorial privacy and data privacy, there should be a provision added to the Constitution of India that deals with multiple dimensions of privacy- such as personal, territorial, communication and data/information. Such a provision would bring clarity as to the extent of the right to privacy.
There is need for a comprehensive privacy legislation which would ensure the protection of personal and sensitive data of people. There is also the need for an established regulatory body. This could be structured along similar lines as that of the data protection commissioner offices, which exist in Canada, Ireland, and other developed informational economies.

As regards to The National Identification Authority of India Bill, 2010 - there is a need for a specific provision that states clearly that no particular services or facilities shall be denied to citizen on basis of lack of a UID number. Also, there is the need for a provision that protects the privacy of the already collected information. Clause 33 of the Bill, which allows for the disclosure of information for national security, needs to be restricted and events of national security need to be clearly defined.

Bibiolography

Usha Ramanthan, A Unique Identity Bill, Economic and Political Weekly, 10-14 (2010).
Ravi Shukla, Reimagining Citizenship: Debating India’s Unique Identification Scheme, Economic and Political Weekly, 31-36 (2010).
Sheetal Asrani-Dann, The Right to Privacy in the Era of Smart Governance: Concerns Raised By the Introduction of Biometric-Enabled National ID Cards in India, 47 The Journal of India Law Institute, 53-95 (2005).
Supra n.1
Immanuel Kant (Translated by Herbert James Paton) The moral law: groundwork of the metaphysic of morals, 42 (2005).
Supra n.3
Shuddharbrata Sengupta, Every Day Surveillance in Sarai Reader 2002: The Cities of Everyday Life, 297-301 (2002).
Supra n.3
Information Resource on Identity Cards, Available at http://www.justice.org.uk/images/pdfs/idcardcc.pdf (Last Accessed on 19.12.2010)
Privacy and Human Rights 2006, Privacy International, Available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559458 (Last Accessed on 19.12.2010)
Samuel Warren and Louis D. Brandeis, The Right To Privacy, 4 Harvard Law Review 193 (1890)
Supra n.3 and also see Supra n.9
Oscar Schachter, Human Dignity as a Normative Concept, 77 The American Journal of International Law, 848-854 (1983)
Ibid
Kunwar Aditya Singh, Right To Privacy Under Indian Constitution And Privacy Protection In India, Available http://www.allindiareporter.in/articles/index.php?article=968#sdfootnote27sym (Last accessed on 19.12.2010)
AIR 1954 SC 300.
Supra n.15
AIR 1963 SC 1295.
AIR 1963 SC 1295,1303
AIR 1975 SC 1378.
AIR 1975 SC 1378, 1384
1994 SCC (6) 632
1994 SCC (6) 632,650
(1997)1 SCC 30
(1998) 8 SCC 296
MANU/DE/0869/2009
Lawrence H. Tribe, American Constitutional Law, 1305 (1988).
Supra n.26
Ibid
(1980) 3 SCR 855
(1981)2 SCR 516
Ibid
Supra n.1
Supra n.3
For more details see Data Protection Commissioner Ireland , http://www.dataprotection.ie/docs/Home/4.htm, Privacy Commissioner Canada, Av at http://www.privcom.gc.ca/
The draft bill available at http://www.prsindia.org/uploads/media//NIA%20Draft%20Bill.pdf (Last Accessed on 19.12.2010)
Supra n.1
Ruchi Gupta, Justifying the UIDAI: A Case of PR over Substance, Economic and Political Weekly, 135-136 (2010).

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-uiddevaprasad

Privacy Matters — Conference Report

praskrishna — 2011-01-27T10:22:55Z

A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.

Introduction

The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India which was formed under the auspices of Privacy International, a UK based organization that works to protect the right of privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and Society in Action Group (SAG), an NGO based in Delhi joined hands to host this event.

Rajan Gandhi, founder of SAG opened the conference with an explanation of the mandate of Privacy India, the objective of which is of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Keynote

The keynote speech was delivered by Dr. Sudhir Krishnaswamy professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information, and further is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information.

Privacy Challenges

The conference was spread into three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping a privacy legislation including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right, but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping, and the Nira Radia tapes. In her presentation she first outlined other countries definitions of privacy which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata she spoke about the rising concern of wire tapping in the country as being indicative of a social change and relationship of the state and government. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public figures, and if public interest will always supersede the private right of individuals.

UID and Privacy

The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS student Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all scheme were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns of the UID, and emphasized that by giving an individual a number which acts as their fundamental identity which they use to function in society, the government in fact is eroding an individual’s actual identity, and that is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.

Conclusion

In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Also types of regulatory models for privacy were discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right to privacy? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like?

As seen from the presentations and the comments at the conference one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues of privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.

Download the conference summary here

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary

4 Popular Myths about UID

Prashant Iyengar — 2012-06-20T04:37:08Z

By now, there is already a lot of material in the public domain that is critical about the UID/Aadhar project, writes Prashant Iyengar in this blog entry published in Privacy India on January 22, 2011.

(See aadhararticles.blogspot.com for an exhaustive catalogue). Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme. Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme.

I do not intend to rehearse these arguments in this post. Instead, I pick four somewhat obscure, but troublesome assertions made about the UID and test their veracity against documents available on the UIDIA site itself. The purpose is to cut through all the equivocation behind the claims that UID officials have been making, and arrive at some minimal clarity on what the UID is (and isn’t).

Registration is voluntary!

How does one make sense of Nandan Nilenkani’s cryptic remark, “I wouldn’t call it compulsory. I would rather say that it will become ubiquitous”?

In a sense, this is true enough. Nowhere in the entire bulk of UID documentation will you encounter the express words “mandatory” or “compulsory”. Hence, proved! But that isn’t to say, however, that there is any way you will be able to avoid getting registered.

Very rapidly, accessing basic services and your very status as a citizen will be conditional on your possessing an Aadhar number. This is owing to the complex operational structure that the UID Scheme adopts which leaves the task of enrollment entirely in the hands of third party ‘Registrars’ who include a host of Central and State social security and welfare departments (including the Ministry of Rural Development which administers the Rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on one’s consent to UID registration. In practice, many of them have and will continue to make UID registration a preliminary formality before access is granted to their services. So your ‘freedom’ to resist UID registration will depend on your ability to forego your minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.

And if miraculously you are able to subsist without these services, there is still one minor detail that is seldom mentioned in conversations about UID: without a UID number, you will not be counted as a citizen of India. This is owing to the fact that the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, also happens to be a ‘Registrar’ for the purposes of the UID. Which means that one’s registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 makes it mandatory for everyone to be enrolled in the National Population Register. So, paradoxically, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.

In other words, the UID scheme avoids the charge of being compulsory, by outsourcing its compulsion entirely.

The UID Scheme will only collect a minimal set of information

A frequently made assertion about the UID scheme is that the data collected will be limited to a standard set of information like one’s name, residence, date of birth, photo, all 10 finger prints and iris image. Once again, this is only a half truth. As mentioned previously, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the MOUs which the UIDAI has signed with Registrars enabling them to collect additional data that “is required for their business or service”. Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts[i]

To employ a telling epithet found in one of the UID documents, the ‘Registrars own the process of enrollment’.

Privacy is guaranteed

Although the UIDAI makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear.

To begin with, the entire responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI’s own responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars – by which time the information has already passed through many hands including the Enrolling Agency, and the Intermediary who passes on information from the Registrar to the UIDAI.
Rather than setting out an explicit redressal mechanism and a liability regime for privacy violations, the UID’s documents stop at loosely describing the responsibility of the Registrars as a ‘fiduciary duty’ towards the resident/citizen’s information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified and Registrars are free to make what use of the data they see fit.
In addition, the Registrars are mandated to keep copies of all documents collected from the Resident either in physical or scanned copies “till the UIDAI finalizes its document storage agency.”[ii]
The ‘Data Protection and Security Guidelines’ which the UIDAI requires all Registrars to observe merely contains pious injunctions calling on them to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.
Although the Draft National Identification Authority of India Bill penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate the service providers to positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.
In other words, the individual’s right to privacy is only as strong as the weakest link in the elaborate chain of information collection, processing and storage.

The UIDAI will not disclose any information and will only authenticate information with Yes/No answers

This is another of the frequently misleading claims made by the UID Authority. Thus, for instance, in April, 2010, in response to a question in the course of an interview, Nandan Nilekani said “UID itself has very limited fields, it has only four or five fields — name, address, date of birth, sex and all that. But it also does not supply this data to anybody. .. the only authentication you can get from our system is a yes or no. So, you can’t query and say what’s this guys name or what’s his date of birth, you can’t get all that.”[iii]

This statement is, however belied by many of the UIDAI’s own documents.

The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of “the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct”. In practice, prior “written consent” for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.[iv] In practice, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her “consent”.
The draft NIA Bill permits the authority to “make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge”. There is nothing in the Act that requires that this information be made available on an individual basis – in other words, it is possible for the data to be shared en-masse with any agency “in the interests of national security”.
There is nothing preventing “Registrars” who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register will can be shared in whichever manner the Registrar General of India chooses – irrespective of what the UIDAI does with that information.

So, while ordinarily, the UIDAI would not authenticate information other than giving Yes/No responses, there are mechanisms already in place that presume that all this information will be made available, on demand, to whichever agency that happens to be interested.

[i] 2011. UID project picks up pace. Indian Express. Available at: http://www.indianexpress.com/story-print/735790 [Accessed January 22, 2011].
[ii] UIDAI – Document Storage Guidelines for Registrars Ver. 1.2, August 2010.
[iii] 2010. To issue first set of UIDs by Feb 2011: Nilekani – CNBC-TV18 -. Money Control. Available at: http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html [Accessed January 22, 2011].
[iv] For instance, a flowchart of the Resident Enrollment Process issued by the UID stipulates “Record Resident’s consent for Information Sharing” as the tenth step in the enrollment process. Unless this step is followed, the enrollment process cannot proceed!

Click to read the original here

For more details visit https://cis-india.org/internet-governance/popular-myths-about-uid

Would it be a unique identity crisis ?

praskrishna — 2011-04-01T17:10:30Z

The UID project will centralise a humongous amount of data but the fear is that it might fall into the wrong hands.

The Unique Identification (UID) project is already up and running. It’s touted as a watershed in inclusive politics, of bringing people, who by virtue of physical remoteness, their station in society or other liabilities were excluded from the system, back into it. UID Chairman Nandan Nilekani recently said that the aadhaar number will not replace the passport, driving license or the voter identity card and that by 2014, 60 per cent of the country’s population will have the 12-digit UID number. The idea, though it has not been made explicit, is that Aadhaar will eventually become the key document for the common man to navigate the system, whether it is opening a bank account or making a rent agreement to booking a train ticket or applying for a job.

In fact, there is the implicit danger that sooner than later the original idea of inclusiveness could be turned on its head by denying benefits to people who don’t have the Aadhaar! “There is nothing to ensure that you will continue to receive the same benefits like those who have the UID number. The claim that it is not mandatory is legally correct. But in practice it would not be,” said Prof Sridhar Krishnaswamy of W B University for Juridical Sciences.

It is a fundamental premise that data subjects ought to have “inalienable moral rights” about the “integrity” of the data collected about them. But even as UID is one of the best things that could have happened to deepen the democratic process in our society, the often un-remarked fact is that the project has also become the biggest industrial collector of personal information. Considering the size and heterogeneity of the Indian population, it becomes as big as Google, and the implications of this are quite frightening. The UID draft bill, which has to be cleared by Parliament for it to become law, has only perfunctorily looked at the dangers posed by such huge and centralized collection of data. It glosses over the issue, content with making conservative noises about “the interlinking of databases”. This only shows how casual our policy makers, even the most enlightened of them, are towards the whole issue of safeguarding privacy.

The Bangalore-based Centre for Internet and Society (CIS) has analyzed the draft UID bill in considerable depth. They have identified three main areas where the bill needs to be drastically reworked: (i) plugging all loopholes which would enable corporate organizations from accessing information from the Aadhar database for their own commercial or R & D purposes; (ii) stipulating a maximum period for the data to be stored; (iii) to be transparent about the methods it uses to collect, store and disseminate data.

Prof Krishnaswamy agreed that the UID bill has not taken the corporate threat seriously enough. He contends that the UID authorities should take small, concrete steps that would act as effective safeguards. “In the mobile phone segment, user information is stored only for six months. Now, the government is proposing a similar time cap for ISP too. But when it comes to UID there is no such time limit. It means personal information could be held perpetually,” he explained. All that UID Assistant Director A K Pandey had to say to this was, “if that is it, then we have to live with it.”

Another worrying aspect of the proposed bill, according to Usha Ramanathan, an activist and expert on identity and digital issues, is its failure to fix accountability on the main players including enrollers, outsourcing companies, and the UDAI authority itself. “The data collector and data controller should be equally held responsible for the protection of data,” she said. However, UID authorities themselves are of the view that the apprehensions are being overplayed. Pandey maintained that there was nothing in the UID that would compromise the privacy of individuals. “You go to a bank or the LIC office and you give whatever information they ask you. But when it comes to UID alone you say the information you give could be dangerous. We don’t quite understand this,” he retorted. He played down the fears that in the central data storage vital information could go corrupt. “We have taken adequate measures to protect it. We will have a backup,” he said.

The issue of transparency of data collection and storage remains. The CIS analysts feel that the UID should put out a synopsis of the algorithms it will use in collating and protecting data so that the public at large can be reassured of the firewalls that are in place. Then there is also the issue of not having concrete provisions in the UID bill to deal with special cases like whistleblowers and victims of abuse whose identities need to be protected even more carefully.

The UID authority also bypasses the question of whether it is confusing data protection with the larger issue of protection of privacy. A person’s identity is more than her date of birth, surname, religion, fingerprint or even the sum of these. Such information is basically data and allows governments or corporate bodies to provide a person a nominal identity, one that is indispensable if she is to be part of a socio-political system. The state and corporate entities conveniently deny a person her self, thereby reducing her to a subject instead of seeing each individual as a thinking, acting agency.

Be that as it may, right now the concern of civil society is to make at least protection of data as foolproof as possible. Aadhaar is just one of the projects that pose a threat to the privacy of individual citizens. There is the broader problem of how the Internet and mobile phones, the popularity of social networking sites such as Facebook and Twitter, and the widespread use of credit and debit cards has led to blatant misuse of personal information gathered online, sharing of consumer data without consent and the state’s own Big Brother surveillance. The need for an effective privacy law in India is imperative.

Read the original in Bangalore Mirror

For more details visit https://cis-india.org/news/unique-identity-crisis

Does the UID Reflect India?

elonnai — 2012-03-22T05:45:32Z

On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events.

Introduction

Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit Aadhaar numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications.

Benefits for the Poor

Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.

Appropriate Methodology

Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.

Legal Questions

Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the Aadhaar number. Legally the UID Bill does not make the Aadhaar number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the Aadhaar number would be truly voluntary.

Does India Comprehend what the UID Could Bring?

Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.

Conclusion

One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india

The Niira Radia Tapes: Scrutinizing the Snoopers

praskrishna — 2011-04-02T07:29:21Z

There’s been plenty of outrage in India over taped phone calls between corporate lobbyist Niira Radia and local journalists, revealing what some people believe is evidence that star reporters at the country’s newspapers and TV channels are too cozy with the subjects they’re supposed to be reporting on.

Amid that firestorm, though, there’s been much less scrutiny of why and how the wiretaps happened in the first place, whether they were justified or a governmental overreach, and how these infamous tapes got from the government into the hands of media companies.

Here are just a few questions that merit more consideration: Who orders telephone surveillance in India and on what grounds? How often is it done? What protections are in place to ensure government officials don’t abuse their surveillance authority to settle scores with journalists, corporate officials or ordinary citizens they have a beef with?

The quick answer to all of these: India trusts its bureaucrats to do the right thing. The central government’s Home Secretary, along with some intelligence agencies and state officials, has the authority to approve wiretaps. Unlike in the U.S. and other countries, where investigators must generally obtain court warrants for surveillance to pursue matters ranging from drug-trafficking to insider trading, in India there is no such legal tradition or rule.

“There is no oversight infrastructure, either in parliament or in the judiciary,” said Sunil Abraham, executive director of the Bangalore-based Center for Internet and Society. There is only “post facto” protection in the sense that you can sue the government later if you feel you were wrongly wiretapped, he said.

According to local media reports, industrial giant Ratan Tata on Monday petitioned the Supreme Court over the leaking of the tapes, on which he is heard bantering with Ms. Radia (his lobbyist) about a range of topics related to the $70 billion Tata Group. The reports say he feels the episode violated his privacy and wants the leakers to be punished. (While there’s no explicit constitutional protection of privacy in India, the Supreme Court in some cases has held it is covered by Article 21 of the Constitution, which says, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”)

A report in the Economic Times Monday said government is going to investigate the leak. A Home Ministry spokesman declined to comment on whether an inquiry has been launched but said India’s system of allowing a handful of security and intelligence officials to approve or deny wiretaps sufficiently guards Indian citizens’ privacy. “It isn’t an unchecked kind of thing, that anyone can just do it,” the spokesman said.

India draws its wiretap authority from a few laws, including the 1885 Telegraph Act and a separate information technology law enacted in 2000 and amended in 2008. The government can tap phones or intercept emails for reasons such as “any public emergency” or “in the interest of the public safety” – pretty broad language that gives a lot of leeway to bureaucrats, critics say.

A report in the Hindu last week claimed that more than 5,000 Indian phones are being bugged daily, citing anonymous sources. Mr. Abraham, of the Center for Internet and Society, says that breadth of surveillance in a country of 1.2 billion people wouldn’t be unreasonable. But his organization is planning a Right to Information request to find out more about the scope of government wiretapping.

The government may have had good reasons to conduct the wiretaps of Ms. Radia, which local media reports say were done by the income tax department for two four-month stints in 2008 and 2009, during which time they reportedly logged 5,851 calls.

The income tax agency hasn’t stated publicly what the rationale was and its officials declined to comment Monday.

Media reports suggest that the material was supposed to help probe the irregular allocation of mobile phone spectrum in 2008 to several Indian telecom firms. (The official in charge of that allocation, A. Raja, resigned as telecom minister Nov. 14 amid charges that he rigged the process to favor some companies over others.)

But much of the content in the several hours of so-called “2G tapes” that have leaked to Indian news organizations has little or nothing to do with taxes or 2G spectrum. There’s talk of the billionaire Ambani brothers’ natural gas pricing dispute, mining policy, a dog who is named Google because he is good at finding things, which corporate honchos are easy to get on the phone, and plenty of titillating exchanges between New Delhi’s power brokers on the politics of cabinet appointments. Some pretty top-notch gossip, in other words.

To be sure, the content on the tapes does raise disturbing and serious questions about whether some elements of the Indian media carry water for particular government ministers or corporations. And it pulls the veil back on how the titans of Indian business and politics shape policy away from the public spotlight, as Siddharth Varadarajan explained in Monday’s edition of the Hindu when he made a clever analogy to the movie The Matrix. (We’ve separately parsed the contents of some of the tapes for their potential significance.)

But it’s still worth asking tough questions about the legal and ethical foundations of wiretapping citizens, because, as Indian civil liberties expert Lawrence Liang said in an email, “if this can happen to a Nira Radia, then it can easily be used for a Nida Nobody.”

Update, 5:09 p.m.: “A Home Ministry spokesman confirmed the ministry has asked the Intelligence Bureau and Central Board of Direct Taxes to conduct a probe into the leak.”

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/niira-radia-tapes

Privacy and Telecommunications: Do We Have the Safeguards?

elonnai — 2012-03-21T10:06:48Z

All of you often come across unsolicited and annoying telemarketing calls/ SMS's, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.

1 Introduction

With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.

While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers including photocopies of identity documents, biographical information etc, which could potentially be misused;

Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance - whether lawful or not;

Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.;

Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.

This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection

1) The Telegraph Act and Rules, which contains provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.

2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy.

3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy.

The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms

2 Indian Regulatory Regime

2.1 The Indian Telegraph Act and Rules

First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’i. The following sections apply:

1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence”ii

2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.

3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.

4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.

5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.

6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.

2.2 License Agreements

Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct businessiii. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include:

1) Clause 21 of the National Long Distance Licenseiv comprehensively covers various aspects of privacy including

a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.

b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :

i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and

ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.

c. The above safeguard however does not apply where

i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or

ii. The information is already open to the public and otherwise known.

d. The Licensees shall take necessary steps to ensure that the they and any person(s) acting on their behalf observe confidentiality of customer information.

2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.

3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:

a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception.

b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).

c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.

d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. These logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.

e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities.

f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.

g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”.

h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”.

i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:

j) Any accounting information relating to subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature) ; and

k) User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).

l) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time.

m) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”. (It is unclear whether this is to operate as an overriding provision governing all other clauses as well)

2.3 TRAI Regulations and Directions

The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:

2.4 Unsolicited Commercial Communications Regulation

In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications.

* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive,

* The following categories of message are excluded

(i) any message under a specific contract between the parties to such contract; or

(ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose;

(iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;

* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal.

* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services.

* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.

2.5 Privacy and Confidentiality Direction

In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted.

3 International Norms

3.1 Telecommunications in the EU

In 2006, the European Union adopted Directive 2006/24/EC which mandated member states to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the Directive adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.

Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the

case by bodies and auxiliary bodies appointed by Parliament.”These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”

3.2 Telecommunication in the United States

In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does though provide, what is known as a “total service approach”, exception to these rules - that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing.

The Telephone Consumer Protection Act applies to U.S companies that tele-market to consumers for commercial purposes. The rules require that phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumer who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004).

4 Discussion

The Indian Constitution does not, as in certain other countries (Eg. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not however hindered the Supreme Court from reading in the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.v

(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address);

As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.

(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications

Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance.

(3) the legal requirements placed on telecommunications providers for data retention or data erasure;

The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures.

Questions:

Will a privacy legislation address data retention for the Telecom sector?

Will a privacy legislation regulate the monitoring and tapping of phones?

End Notes

i‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication.

ii In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.

iii Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.

iv Issued to TSPs who offer long distance telephony in India

v These questions drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications

C.I.S Responds to Privacy Approach Paper

elonnai — 2012-03-21T10:08:10Z

A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation.

1. What is privacy?

a) In the approach paper, the definition of privacy is not consistent and the meanings are used interchangably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy.

b) CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts:

1. Physical - physical space, body, home, car, etc.

2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc).

3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.

2. Is there a need for privacy protection?

a) We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data.

b) As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project.

c) However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation.

3. Is there a need for such legislation?

a) We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (for eg. AMFI, MFIN) leaves us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document.

b) We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy.

4. Legislative Competence:

We agree.

5. Is there a constitutional right to privacy?

a) We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution.

b) However, the approach paper is factual incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities.

c) Most frequently, this issue has arisen the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified.

d) Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services.

e) We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.

6. Existing legislation:

a) In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc.

b) By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions.

c) We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal.

d) We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent.

e) Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure..

f) Generally speaking, a privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy.

7. Potential Conflicts between Data Protection Legislation and other Laws:

We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.

7.1 Data Protection and the Right to Information

a) The argument that a privacy legislation would conflict with the RTI is somewhat overstated.

b) Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act.

c) We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example.

d) The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis.

e) As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies.

f) Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance.

g) We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act.

7.2 Data Protection and Credit Verification

a) We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification.

b) All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data.

c) This may include limitations on marketing efforts and disclosure to third-parties.

7.3 Data Protection and Private Investigative Agencies

a) We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws.

b) Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies.

7.4 Data Protection and National Security

a) We understand the conflict between the need for a government to ensure the security of its population with the need to protect privacy.

b) We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required.

7.5 Data Protection vs. Transparency in Government

a) We feel that this section engages very sloppily with the issue of transparency/corruption in India.

b) It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell.

c) In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years.

d) The publication of lists of recipients/beneficiaries of schemes has been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials.

e) We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue.

8.0 Privacy legislation in other countries:

a) We agree with the recommendations, but would include notification of breach: how, when, what and who.

b) We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties.

9.0 Proposed Framework for Privacy Legislation:

a) Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such has TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to.

b) In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs.

c) We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector.

d) We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.

9.1 Applicability

We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:

a) We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.

b) We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law.

9.2 Data

While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:

a) The distinction is useful to prescribe enahanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to say, the collection of more mundane details like name, age.

b) However, we believe the distinction is not useful if is used, say, to provide differentiated access/data security standards for the two types of information. Eg. If the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data. Or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used to lethal purposes.

9.3 Personal Data

We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person

9.4 Personal Sensitive Data

See comments at 9.2 above

9.5 Data Collection

a) We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week.

b) This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’.

c) Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtained written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent.

d) It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override more other rigorous judicial guidelines.

e) As a overriding safeguard, we think that where “balancing interests” come into play, such interest must first seek and obtain judicial approbation.

9.6 Data Processing

a) We agree with the need to fix primary responsibility for data security on the data controller, however,

b) it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller.

c) We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”.

9.7 Data Storage

a) We concur that data should be stored only until the time the purpose for which it was collected is achieved.

b) Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection.

c) We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary.

d) We endorse the approach paper’s conservative stance on linking of databases.

9.8 Data Security

a) We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held.

b) This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information.

9.9 Data Access

a) We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them.

b) We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right.

9.10 Cross Border Applicability and Transfer

a) We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions.

b) Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted.

9.11 Exemptions

a) We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight.

b) Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion than allowable under existent law. eg. An exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.

9.12 Automated Decision Making

a) We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries.

b) In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms.

9.13 Regulatory Set Up

We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up” .

a) At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (eg. TRAI/TDSAT and SEBI/SAT. ) and could be usefully imported in the present context

b) Secondly, we we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim.

c) Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactory by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this.

Conclusion

We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.

Approach Paper: 121KB

For more details visit https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper