Centre for Internet and Society

Privacy Policy Framework for Indian Mental Health Apps

Chakshu Sang and Shweta Mohandas — 2025-01-10T00:11:24Z

This report analyses the privacy policies of mental health apps in India and provides recommendations for making the policies not only legally compliant but also user-centric

The report’s findings indicate a significant gap in the structure and content of privacy policies in Indian mental health apps. This highlights the need to develop a framework that can guide organisations in developing their privacy policies. Therefore, this report proposes a holistic framework to guide the development of privacy policies for mental health apps in India. It focuses on three key segments that are an essential part of the privacy policy of any mental health app. First, it must include factors considered essential by the Digital Personal Data Protection Act 2023 (DPDPA) such as consent mechanisms, rights of the data principal, provision to withdraw consent etc. Second, the privacy policy must state how the data provided by them to these apps will be used. Finally, developers must include key elements, such as provisions for third-party integrations and data retention policies.”

Click to download the full research paper here

For more details visit https://cis-india.org/internet-governance/blog/privacy-policy-framework-for-indian-metal-health-apps

Learn It Yourself

praskrishna — 2011-12-23T05:01:14Z

The peer-to-peer world of online learning encourages conversations and reciprocal learning, writes Nishant Shah in an article published in the Indian Express on 30 October 2011.

Technologies and learning have always had a close link. In the past, distance learning programmes of higher education through the postal service, remote education programmes using satellite TV and interactive learning projects using information and communication infrastructure, have all been deployed with varied results in promoting literacy and higher education. In the last two decades, the internet has also joined this technology ecology in trying to provide quality and affordable education to remotely located areas through “citizen service centres” envisioned to reach 6,40,000 Indian villages in the future.

These technology-based information outreach programmes expand the ability of traditional formal learning centres like universities, to cater to the needs of those who might not have access to learning resources. This vision of networked education relies on existing systems of centralised syllabus making, teacher-to-student information transfer, grade-based evaluation and accreditation systems, and a degree-centred approach to learning.

I was in New York last week, at an international summit on the future of learning, Mobility Shifts, organised by the New School, where more than 260 speakers from 21 countries discussed the possibility of learning beyond the bounds of the school and university system. Many discussions were around the declining public education system (with huge disinvestment moves from the government), privatisation of education, increasing tuition and fees, and the non-relevance of current education. However, along with this digital expansion of the traditional education system is an emerging trend that challenges the ways in which we understand education and learning – DIY Learning or Do It Yourself Learning.

DIY Learning is a product of the networked condition. It recognises that as more people get onto digital information networks, there is a possibility of producing peer-to-peer learning conditions, which do not have to follow our accepted models of learning and education.

We have seen the rise of various decentralised and democratised knowledge repositories like Wikipedia. The search based algorithms of search engines also take into consideration the idea that knowledge is personal. User generated content sites like eHow.com show that the individual learner is not merely a recipient of information and knowledge. Information seeking spaces like Quora have shown that knowledge-sharing communities can incite new conditions of learning. Our contexts, experiences, everyday practices, aspirations etc. equip us with valuable information, which not only shape how we learn but also what we find relevant to learn for ourselves. DIY Learning picks up on the idea that the infrastructure of education is not necessarily designed towards learning. Learning often happens outside the classrooms, in informal conversations.

Thus DIY Learning offers a new model of learning. It destabilises the established hierarchy of knowledge production and pedagogy and creates an each-one-teach-one model with a twist. Instead of a centralised board of curriculum designer who shape syllabi for the “average” student, you have the possibility of customised, highly individual, interest-based learning curricula where the student is a part of deciding what s/he wants to learn. DIY Learning doesn’t recognise the distinctions between teachers and students, but recognises them as “peers” within a network, encouraging conversations and reciprocal learning rather than information transfer based classroom models. Instead of mass-produced education that caters only to an imagined average, the DIY Learning model recognises that within the same student group, there are different rates and scales of learning, thus offering environments suited to the aptitude of the students.

Within the DIY Learning model, aspects of education, from the design of curriculum and learning methods, to grading and evaluation are geared towards individual preferences and aspirations.

Many people think of DIY Learning as an alternative to mainstream learning processes and structures. However, it is perhaps more fruitful to think of DIY Learning as a way of figuring out the problems that beset our traditional educational system. It allows us to rethink the relationships between learning, education, teaching and technologies. It recalibrates the space of the classroom and reconfigures the role of the teacher and the student.

DIY Learning emphasises that merely building schools and universities is not enough to assure that learning happens. Learning happens through experiences, practice, conversations, internalisations and through making mistakes. DIY Learning offers these possibilities in an education universe that is constantly refusing to take risks, innovate and adapt to the needs of the present. By itself it might not be able to take on the roles and functions of the existing education systems. But it does warn us that we are preparing our students for our pasts rather than their futures. And the time to change is now.

The original story was published in the Indian Express, it can be read here

For more details visit https://cis-india.org/news/learn-yourself

Netizen Report: Transparency Edition

praskrishna — 2011-11-09T04:31:48Z

Global Voices Online has carried a feature story, "Netizen Report: Transparency Edition". We at CIS had filed an RTI application about website blocking. This is reflected in this article by Rebecca MacKinnon which was posted online on 7 November 2011.

Here at Global Voices Advocacy we believe that transparency by governments and companies about how and when censorship and surveillance takes place is a base-line requirement if the Internet is ever to be governed in a manner that is compatible with free expression, dissent, and citizens' right to organize and assemble. Thus we applaud Google's latest Transparency Report - the company's fourth such report detailing government requests for user data and content removal, as well as the traffic flows (or lack thereof) to Google webistes across the world since July 2009. The new data for January-June 2011 contains more detail than in the past, including data on how Google responded to the requests and whether they were honored. The data comes with a list of caveats including that automated content removal is not logged and that some data cannot be released due to local law. Nonetheless, we hope that Google's data will provide an interesting snap shot of the state of Internet affairs and the data could be used to hold governments accountable to their censorship activities. We believe that if all Internet companies disclosed similar data, the world would be further on its way to being a better place. Many articles have been written analyzing the data. A few of them include:

TechPresident: Google Data Shows Government Internet Surveillance Far Outstrips Wiretap Requests
WIRED: U.S. Requests for Google User Data Spike 29 Percent in Six Months
Huffington Post:The 13 Countries That Request The Most User Data From Google
CNet: Google: Governments seek more about you than ever

Adding to the publicly available data about censorship around the world, the Open Net Initiative has released its research data on global Internet filtering, covering seventy-four countries.

Thuggery: Read the latest news on GVA about bloggers jailed in Egypt, Syria, and Kuwait and spread the word.

Surveillance: As GVA and others have recently reported, 13 Internet filtering devices produced by the California-based company Blue Coat have made their way to Syria. According to the Wall Street Journal, Blue Coat executives say that the company will not sell the devices to countries that are under embargo by the United States, and that the devices found in Syria had been sold to a dealer who claimed they were destined for Iraq.

The Wall Street Journal has had several other items related to the role of companies in global surveillance, including a report on how China's Huawei has been peddling its mobile phone tracking and censoring equipment to Iran.

In India, Research in Motion has set up a facility in Mumbai to help the Indian government carry out lawful surveillance of its BlackBerry services including the messenger chat service, but the WSJ reports that India still has no method to intercept and decode BlackBerry enterprise email.

In Russia, bloggers' influence has apparently made the Kremlin nervous. Reporters Without Borders has condemned plans by the Russian government to deploy new software to track “extremist” content on the web, highlighting concerns about an over-broad definition of “extremist,” and the arbitrary and disproportionate approach to punishment and sanctions against websites. For more on the Russian Internet be sure to follow Global Voices' Runet Echo Project.

Moving on the United States, The Guardian has a fascinating report on the super-secret Intelligence Support Systems World Americas conference held recently in Washington DC, at which surveillance professionals shared the latest surveillance technologies and innovations that they don't want you to know about. Hacktivist and friend of GVA Jacob Appelbaum managed to get in, but was thrown out.

On a more positive note in the United States, the Washington Post reports that since 2009 many Internet companies have been more assertive about challenging “national security letters” from the FBI requesting information about users.

The Guardian reports that Civil liberties and privacy groups in the United Kingdom have raised concerns about the deployment by the London Metropolitan Police of a "covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area."

Techdirt reports on the European Union's desire to have a “black box' built in to operating systems that would store a record of all of the computer's internet usage. The EU argues that this ability would be useful in cracking down on child pornography. The system that the EU is looking at as a possible candidate for role of ‘black box' is called LogBox. The developer of LogBox claims that the device is for preserving the freedoms and privacy of internet users, although Techdirt points out the fact that this device does little to ‘protect' the privacy of online users, it in fact, would make anonymous actions on the internet much more difficult and would provide governments and law enforcement a huge set of data on every internet user.

Censorship: The chief executives of China's 39 top Internet, telecom, and computer companies have agreed to “strengthen self-control, self-restraint and strict self-discipline” in order to “contain the tendency of spreading online rumours, pornography, fraud and other illegal, harmful information on the internet.” The move comes amidst a broader crackdown on the Internet and social media.

In India, the Bangalore-based Centre for Internet and Society submitted a right to information request to the government's Department of Information Technology, asking for more information about website blocking. Based on DIT's response the Centre observes that “The data provided by the government seemingly conflicts with the data released by the likes of Google." Their conclusion: "Either the DIT is not providing us all the relevant information on blocking, or is not following the law."

Courts in Belgium and Finland have ordered ISPs to block the Pirate Bay.

The U.S. House Judiciary Committee has recently proposed a bill aimed at protecting intellectual property online that some critics describe as the beginning of a "Great Firewall of America". The Electronic Frontier Foundation and others have detailed the bill's problems, including lack of due process, near certainty of over-blocking and abuse, imposition of excessive liability on Internet intermediaries, global legitimization of DNS censorship and potential fragmentation of the Internet, among other things. It is considered even worse than its evil fraternal twin in the Senate, the PROTECT IP Act which is also opposed by many tech companies and non-profit groups. Despite such opposition, the bill draws relatively broad support from lawmakers.

Net Neutrality: South African technology journalist Jan Vermeulen ran the M-Lab's Glasnost Test on South African ISP's to see whether their stated bandwith shaping policies match up with reality.

The growth of bandwidth intensive internet applications in South Korea has made Net Neutrality an important issue there. South Korean ISP's are reporting that it is becoming increasingly difficult to maintain neutral practices with content. The three largest telecommunications companies in Korea are worried by the rise of Smart TV's, which use Internet connections as opposed to traditional cable or satellite links to provide content. The ISP's want to charge companies varying amounts depending on the type and amount of content sent.

Internet Governance: ICANN held its 42nd public meeting in Dakar, Senegal late last month. Wendy Seltzer reported here on GVA why the seemingly arcane debates about domain name registrar accreditation is important. Konstantinos Komaitis, an active member of ICANN's Non-Commercial Stakeholder Group (Global Voices is also a member), describes the struggle that is taking place took place between governments and other ICANN stakeholders over whether some stakeholders are more equal than others within ICANN's multi-stakeholder governance model. Kieren McCarthy at dotNext also has an in-depth report and analysis on the clash between governments and registrars over law enforcement regarding domain names. Over at the Internet Governance Project Milton Mueller takes an in-depth look at the politics surrounding the Non-Commercial Stakeholder Group and related constituencies, and the fight for civil society representation at ICANN.

India has published a formal proposal to put the UN in charge of overseeing Internet governance. For different analyses by three Internet governance wonks see Kieren McCarthy, Milton Mueller, and Jeremy Malcolm.

The International Telecommunications Union has approved a new protocol for relaying biometric information. The protocol is intended to enable doctors to communicate data about patients safely and is geared towards developing countries where the access to medical care in rural areas is poor and communication between clinics and doctors would provide better patient care. You can read the full press release here.

Netizen Power: Lee Yoo Eun at Global Voices reports that the October 26th Seoul mayoral election was swayed by the use of twitter. Read the full article here.

African entrepreneur Herman Chinery-Hesse gave a speech at the Tech 4 Africa conference highlighting what the rise of Internet Communication Technologies has done for Africa. A synopsis of his talk can be found on the Tech4Africa.

Sovereigns of Cyberspace: Facebook has introduced a new “guardian angel” feature to help users restore locked accounts.

The 13th Austrian Big Brother Awards were held on October 25th in Vienna. “Winners” included the CEO of Telekom Austria, the Ministers of Interior and Justice, and the head of the anti-terror police unit. Mark Zuckerberg received the “lifelong menace” award and a “Defender of Liberty” award went to the creators of the “Europe versus Facebook” campaign.

The Silicon Valley Human Rights Conference was held in San Francisco in late October (see GVA's report, Jillian York's report, and The Economist's) and released the Silicon Valley Standard, a set of 15 principles that technology companies should follow in order to protect human rights.

China's Weibo plans to launch an English version in partnership with Flipboard and Instagram. Will they agree to follow the Silicon Valley Standard?

Security Alert: The security researcher Barnaby Jack has found it possible to conduct a blind attack on insulin pumps. While there have been no reports of anyone being harmed by such an attack, this highlights how far behind security technologies are when it comes to wireless devices that are embedded in critical infrastructure and medicine.

Publications: Digital Cameras Reduce Electoral Corruption by Michael Callen and James Long.

Events: Check out this handy calendar of Internet-related events around the world, courtesy of Internews!

Access Contested: Security, Identity, and Resistance in Asian Cyberspace, by the OpenNet Initiative, to be officially released in December. Part I of the book (including a chapter by yours truly) can be read online or downloaded here.

Note: This report was compiled with considerable help from Ted Eby and Weiping Li.

Read the original article here

For more details visit https://cis-india.org/news/netizen-report

Droidcon India, first Android Conference in Bangalore

praskrishna — 2011-11-24T04:17:12Z

HasGeek is happy to announce the forthcoming Droidcon India on the 18th and 19th of November 2011 at the MLR Convention Centre in Bangalore. Droidcon.com, Bangalore Android User Group, MobileMonday Bangalore, Medianama, Android Advices and the Centre for Internet and Society are the event partners.

Droidcon is India’s first international Android conference and is part of the world’s largest series of Android conferences, with other editions in London, Bucharest (Romania), Brussels, Amsterdam and Berlin. Droidcon India is a response to the booming market for Android, which has seen sales increase by 888.88 per cent in 2010, and reach nearly 50 per cent market share worldwide.

Organized by developers for developers, the multi-track two day event will provide a rich variety of content for delegates by attracting the best speakers in the Android community. HasGeek expects the participation of over 400 delegates, including students, developers, UX and UI designers, and people with strong interests in the Android ecosystem, both from India and beyond.

The sessions will be presented in an informal environment that gives everyone a chance to be heard. The theme for the conference covers a range of topics that include building well designed apps, dealing with device diversity, performance optimization, NFC, Arduino, and usage in the Enterprise. For more details about session topics visit http://goo.gl/F9bEB

For registrations and tickets, visit http://goo.gl/pmXpJ

Following the first day conference on November 18, there will be an after party for this event which will be held at the CounterCulture restaurant.

For more information on tickets and registrations, contact Zainab Bawa @ zainab@hasgeek.in or call @ +91 99454 73641.

For more details visit https://cis-india.org/internet-governance/events/droidcon-india

Report on the 4th Privacy Round Table meeting

maria — 2013-07-12T11:04:25Z

This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.

Discussion of the Draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter 1

The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013.

It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised.

Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection.

The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored.

Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards.

The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over.

The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.

In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts.

Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data.

On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions.

Right to Privacy: Chapter 2

The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill.

Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts.

The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.

Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly.

Protection of Personal Data: Chapter 3

Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data.

Collection of personal data

The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention.

It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill.

Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty.

A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes.

The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill.

In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection.

It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well.

Storage and destruction of personal data

The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data.

In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India.

Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases.

Security of personal data and duty of confidentiality

Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”.

One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India.

Disclosure of personal data

The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to.

It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill.

Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism.

This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided.

Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill.

A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed.

However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed.

Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security.

The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill.

Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner

The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013.

In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation.

There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future.

The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers.

Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a competitive disadvantage in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security.

As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so.

The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control.

On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations.

When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported.

Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data.

The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on accountability. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached.

On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.

Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights.

Meeting conclusion

The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting

SEBI and Communication Surveillance: New Rules, New Responsibilities?

kovey — 2013-07-12T10:51:46Z

In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Introduction

The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but does not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.

SEBI’s Authority (Until Now)

Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."[1] Its powers have included "calling for information from, undertaking inspection, conducting inquires and audits of the intermediaries and self-regulatory organisations in the securities market."[2] Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”[3] SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.

But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.

What is the Importance of CDR Access?

Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."[4] Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.

One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.[5] Currently, under section 92 of the CrPc, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.[6] Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of “reasonable grounds," as stipulated in section 11C of the SEBI Act.[7] It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."[7] With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.[8] But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.

Significance and Responsibility in this Decision

Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizen’s call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizen’s call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizen’s rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.

[1]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).

[2]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).

[3]. “Sebi Finalising new Anti-money laundering guidelines,” The Times of India, June 16, 2013

http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms

[4]. International Principles on the Application of Human Rights to Communications Surveillance -http://www.necessaryandproportionate.net/#_edn1

[5]. “Sebi to soon to get Powers to Access Call Records,” Business Today, June 13, 2013

http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html

[6]. 1973 Criminal Procedure Code, Section 92 http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf

“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013

http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary

[7]. 1992 Securities and Exchange Board of India Act, section 11C, part 8

[8]. 2002 Prevention of Money-Laundering Act, section 12

For more details visit https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance

Privacy Round Table, Kolkata

praskrishna — 2013-07-10T06:11:59Z

The Centre for Internet and Society, the Federation for Indian Chambers of Commerce and Industry, and the Data Security Council of India cordially invite you to attend the "Privacy Round Table" in Kolkata on July 13, 2013, 10.30 a.m. to 4.00 p.m., to discuss the "Report of the Group of Experts on Privacy" by the Justice A.P. Shah Committee, the text of the "Citizen's Privacy (Protection) Bill, 2013, drafted by the Centre for Internet and Society, and "Strengthening Privacy Protection through Co-Regulation" by DSCI.

Reijo Aarino, Data Protection Ombudsman of Finland will be the featured guest for this event. The discussions and recommendations from the meeting will be published into a compilation, and presented at the Internet Governance meeting planned for October 2013.

Click below to download the documents:

Draft Agenda

Time	Detail
10.30	Introduction to privacy frameworks for India: The Draft 2011 Right to Privacy Bill, the Report of the Group of Experts on Privacy, and Strengthening Privacy Protection through Co-regulation.
11.30	Overview, explanation, and discussion: The Privacy Protection Bill 2013
13.00	Lunch
14.00	Open Discussion: Reijo Aarnio, Data Protection Ombudsman of Finland
16.15	Tea

Please send your confirmations for attending the Kolkata Roundtable Privacy on July 13, 2013, to Maria Xynou at maria@cis-india.org

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-kolkata

Indian govt blocks 40 smut sites, forgets to give reason

praskrishna — 2013-07-01T09:04:26Z

Don't mind us, we're just censoring your content for you...

The article by Phil Muncaster was published in "The Register" on June 27, 2013. Sunil Abraham is quoted.

The Indian government has ordered ISPs to block 39 smut flick web sites hosted outside the country without giving any explanation, stoking further fears of online censorship by the back door.

Most of the sites are web forums and so allow for the uploading of naughty images and URLs where smut-seekers can download their grumble flicks, according to Times of India.

However, the sites claim to operate under the 18 USC 2257 rule, meaning actors are (supposedly) over 18 years of age, and there is apparently no indication from the Department of Telecom's order why ISPs are being asked to comply.

The message greeting web users who try to visit a blocked site now reads as follows:

This website has been blocked until further notice either pursuant to court orders or on the directions issued by the Department of Telecommunications.

While the law, updated in 2011, does forbid production, transmission and sharing of smutty content in India - therefore requiring internet cafes, for example, to block such content - there is no ban on consumption, especially from sites hosted outside India.

Sunil Abraham, director of Indian not-for-profit the Centre for Internet and Society, told ToI that the government is probably interpreting the law to serve its own ends, and that its ISP order “is a clear overreach”.

The Union government has certainly been quick in the past to order blocks on any content deemed inappropriate.

Facebook and Google were forced to remove “objectionable content” from their Indian sites last year after complaints it was offensive to Muslims, Hindus and Christians.

The government was also one of many across the globe to force Google to block notorious YouTube video Innocence of Muslims.

A controversial anti-piracy ruling last June, meanwhile, led to a clumsy, large-scale block on a number of legitimate sites in the country – drawing the ire of hacktivist group Anonymous.

The government also closed hundreds of sites and social media accounts in August last year in a bid to prevent the escalation of sectarian violence across the country.

In fact, the number of content removal requests received by Google increased by 90 per cent from July-December 2012 compared with the previous six months.

For these reasons, India only enjoys “Partly Free” status, according to the Freedom on the Net 2012 report from not-for-profit Freedom House.

For more details visit https://cis-india.org/news/the-register-phil-muncaster-june-27-2013-indian-govt-blocks-40-smut-sites-forgets-to-give-reason

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit https://cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop

Govt goes after porn, makes ISPs ban sites

praskrishna — 2013-07-01T10:11:29Z

The government has decided to put a blanket ban on several websites that allow users to share pornographic content.

The article by Javed Anwer was published in the Times of India on June 26, 2013. Sunil Abraham is quoted.

In an order dated June 13, department of telecom (DoT) has directed internet service providers (ISPs) to block 39 websites. Most of them are web forums, where internet users share images and URLs to download pornographic files. But some of these websites are also image hosts and file hosts, mostly used to store and share files that are non-pornographic.

While watching or distributing child pornography is illegal in India, watching adult pornography is not banned. The blocked websites are hosted outside India and claim to operate under the 18 USC 2257 rule enforced by the US. The rule specifies that producers of pornographic material are required to retain records showing performers were over 18 years of age at the time of video or image shoot.

The DoT order doesn't specify any reason or law under which the websites have been blocked. It says, "It has been decided to immediately block the access to the following URLs... you are accordingly directed to immediately block the access to above URLs."

If a user visits the blocked website, he/she is either shown a blank page or a message telling "this website has been blocked until further notice either pursuant to court orders or on the directions issued by the Department of Telecommunications".

A senior DoT official, who pleaded anonymity because he is not authorized to speak to the media, said the department was just following the orders issued by cyber security coordination committee and hence could not talk about the specific reasons behind the block.

Centre for Internet and Society (CIS), a Bangalore-based organization, says blocking of pornographic website is overreach on the part of the government.

"In the case of file hosts and image hosts, which people use for various purposes including for storing personal files, the DoT order is a clear overreach," said Sunil Abraham, director of CIS. "Even in the case of pornography, there is nothing in the IT Act that can be used to block websites hosted outside in India."

He added, "There is a possibility that government is interpreting some sections of the IT Act to suit its purpose but I feel that is wrong and should be challenged in the court by ISPs if they care about the rights of their users."

Rajesh Chharia, president of Internet Service Providers Association of India, said that it was not possible for ISPs to pushback orders from DoT. "We are the licensee and we have to operate under the laws... we can't pushback," he said.

"But I feel ideally the government should ask the people who have produced objectionable content to remove it from the web if these people are in India... If they are outside, the websites should be blocked at the international cable landing stations. Involving 150-odd ISPs to implement an order is not the right way to do it," added Chharia.

Though IT Act doesn't criminalize watching porn, the new rules notified in 2011 have certain provisions that show the government wants to dictate what people watch or do not watch on the web. For example, the rules ask an intermediary like an ISP to "inform users of computer resources not to host, display, upload, modify, publish, and transmit any information that is obscene and pornographic".

The rules meant for cyber cafe owners specify that they "shall display a board, clearly visible to the users, prohibiting them from viewing pornographic sites as well as copying or downloading information which is prohibited under the law".

Abraham says that going after pornographic websites, and that too in a non-transparent manner, serves no purpose.

"I have travelled to China and Middle East and have seen that people access pornographic websites using various web tools. In fact, by banning websites the governments have made it more alluring for users to watch and access pornography," he said. None of the western democracies have explicit ban on pornography.

Abraham added that Indian government should also be more transparent about blocking websites because the current method was prone to abuse. "They should notify owner of the blocked website, clearly tell web users why a website is getting blocked and tell public how many websites they have blocked."

For more details visit https://cis-india.org/news/times-of-india-javed-anwer-june-26-2013-govt-goes-after-porn-makes-isps-ban-sites

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Indian student in Cornell University hacks into ICSE, ISC database

praskrishna — 2013-07-02T07:39:45Z

A 20-year-old Indian student from Cornell University hacked into the database of ICSE (Class X) and ISC (Class XII) school exam results, exposed glaring anomalies in the marking system and went on to merrily write about his exploits in an online post.

The article by Kim Arora was published in the Times of India on June 6, 2013. Pranesh Prakash is quoted.

Kolkata-born Debarghya Das, majoring in computer science, says that all he had to do was run a simple program that entered all roll numbers after defining a range to get access to all the results. "It is shocking they haven't implemented a more secure system," Das told TOI on phone from New York.

After the result's data was crunched, analysed and plotted in graphs, Das discovered an interesting incongruity in the marking system: there are 33 different scores unattained between the passing mark of 35 and the maximum of 100 by the nearly 1,50,000 who appeared for the ICSE (Class X) exam. According to Das' findings, not a single student got the following marks: 36, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 56, 57, 59, 61, 63, 65, 67, 68, 70, 71, 73, 75, 77, 79, 81, 82, 84, 85, 87, 89, 91, 93. Similarly, in the case of ISC (Class XII exam) a set of 24 marks between 40 and 100 were found to be unattained.

When contacted, chairperson of the CI SCE (Council for the Indian School Certificate Examinations) Gerry Arathoon, refused to comment on both data security and the unattained marks. "I can't say anything until I have had a look at things myself," he said.

Das says that the missing marks indicate that perhaps they were tampered with. He offers mathematical and statistical arguments to defend his position in his online post. He says that the ISC anomaly appears to be a case of awarding "grace marks" and writes -- "Everything from 35 onwards, and most things from 23 onward seem blindly promoted to a pass mark."

	Pranesh Prakash, policy director at the Center for Internet and Society, says one needn't even be a techie to execute such a hack. "You don't need real technical skills to do this. You just need to figure out the ranges and feed them in. It is an interesting revelation that the website does nothing to obfuscate the javascript for security, but one can still retrieve data without that information. Once you have the data, it requires two minutes of programming to get it in a spreadsheet," says Prakash. In his post, titled "Hacking into the Indian Education System", Das wrote that he was doing this to "demonstrate how few measures our education board takes to hide such sensitive information".

Pranesh Prakash, policy director at the Center for Internet and Society, says one needn't even be a techie to execute such a hack. "You don't need real technical skills to do this. You just need to figure out the ranges and feed them in. It is an interesting revelation that the website does nothing to obfuscate the javascript for security, but one can still retrieve data without that information. Once you have the data, it requires two minutes of programming to get it in a spreadsheet," says Prakash. In his post, titled "Hacking into the Indian Education System", Das wrote that he was doing this to "demonstrate how few measures our education board takes to hide such sensitive information".

The student also told the TOI that it wasn't possible to change any values in marks and upload fudged data again, and that he made any significant progress in this direction only about 3-4 days after the results were announced. His online post says he also has the data for CBSE class XII. Though he hasn't yet made it public, he does admit it was harder to crack than CISCE, though not altogether difficult.

Schooled in Kolkata, Das is curren tly interning at Google, working on YouTube's captioning system. He is also working on a tongue-controlled game and has earlier been active in game and applet design. The idea to hack the results came to him fo llowing a desire to help two close friends who had recently taken the exams.

Das, nicknamed Deedy, told ToI that he worked on the ICSE and ISC results off and on for a week, but it essentially took about 4-5 hours to get all the data."It took me more time to write the blog post," says Das, referring to his 19-page post with all the graphs, data and explanations that is currently online.

For Das, there was only one other takeaway from the whole exercise. "Regardless of any tampering, it would be nice to see a transparent exam scheme. SAT (Scholastic Assessment Test) publishes everything related to the exam results every year. It is inconceivable that a national level exam board doesn't do that," he says.

For more details visit https://cis-india.org/news/the-times-of-india-kim-arora-june-6-2013-indian-student-in-cornell-university-hacks-icse-isc-databas

Sweden 'must raise its net freedom profile'

praskrishna — 2013-07-02T09:57:51Z

While promoting internet freedom is a policy priority for Swedish Foreign Minister Carl Bildt, Sweden's efforts remain largely unknown, according a new report that concludes Sweden needs to do more to raise its global profile as a leader on the issue.

The article by David Landes was published in "The Local" on May 30, 2013. Pranesh Prakash is quoted.

Last week, Bildt and his colleagues at Sweden's Ministry of Foreign Affairs welcomed hundreds of delegates to the Stockholm Internet Forum to discuss what Sweden considers one of the "great global issues of the future".

"Our aim is clear: to create an international, inclusive platform for constructive discussions on the importance of internet freedom for development," Bildt told conference attendees in Stockholm last week.

"We will work to connect the unconnected to an open, secure internet that drives innovation and growth, and that contributes to better democracy and the enjoyment of free speech."

But while Bildt's message was clear to everyone in the audience in Stockholm, a report released on Wednesday suggested that Sweden has so far failed to adequately explain its commitment to internet freedom to a wider audience.

"Sweden does a lot right already, but we are too unknown. We're a small player. So we need to work with others to raise our profile," United Minds analyst Paul Alacron, one of the authors of the report, told The Local.

The report, Freedom and Development on the Internet, was published by the Swedish Institute, together with the United Minds opinion research firm, and is designed to give a qualitative view of internet freedom in six countries, as well as insights into Sweden's perceived importance for the issue.

In-depth interviews with 18 internet experts and activists in Russia, Pakistan, India, China, the United States, and Egypt revealed that there is a demand for Sweden's expertise on internet freedom, but that awareness of what Sweden has to offer is limited.

"If you ask a regular Chinese, most would probably think that the United States is the best role model [for internet freedom]. Most Chinese don't know anything about Sweden," one Chinese blogger is quoted as saying in the report.

Meanwhile, Pranesh Prakash from the Centre for Internet and Society in India, said Sweden could better leverage its strong reputation to help promote internet freedom.

"If the Americans push an issue, many go against it simply because they're behind it. If Sweden takes up the same proposal, the chances are greater that the debate will be about the proposal itself," he said in the report.

According to report co-author Javeria Rizvi Kabani of the Swedish Institute, Sweden has kept a low profile in part due to safety considerations for activists who have participated in exchange programmes organized by the Swedish Institute.

"The safety of those in the of human rights defenders and net activist networks we've created over the last few years and who have visited Sweden always comes first. So we've focused on that rather than Sweden's profile on these issues," she told The Local.

The low-profile approach is nothing new for Sweden, she added.

"We have been very strong in recent years in foreign aid and supporting the process of democratization around the world, but unlike other countries, we haven't put 'brand Sweden' next to that work," Rizvi Kabani explained.

While Sweden is generally recognized as a country that promotes transparency and the freedom of information, the report revealed that the ongoing case involving Sweden's attempts to extradite WikiLeaks founder Julian Assange has dented some people's belief that Sweden is committed to internet freedom.

"The trial of Julian Assange makes Sweden's relationship with the issue of internet freedom complicated," Egyptian journalist Nasry Esmat said in the report.

"I'm aware that the accusations against Assange pertain to something completely different, but that makes Sweden appear like a country that doesn't support WikiLeaks."

The report also pointed to a "troublesome development" in some countries whereby regimes are trying to exert more control over the internet and the spread of information.

According to Alacron, such developments, while concerning, are simply one more argument for why Sweden needs to raise its profile as a staunch supporter of internet freedom.

"Sweden has an important role to play. That's very clear," he said.

"Knowledge and understanding about Sweden may be rather low, but at the same time there are high expectations for what Sweden can do. The conditions are ripe, therefore, for Sweden to play an even more important role in these issues."

For more details visit https://cis-india.org/news/the-local-may-30-2013-sweden-must-raise-its-net-freedom-profile

Govt mulls advisory on privacy issues related to Google, Facebook

praskrishna — 2013-07-02T14:31:48Z

The Government is set to harden its stand against foreign Internet firms in asking them to comply with Indian laws.

The article by Thomas K Thomas was published in the Hindu Business Line on June 10, 2013. Sunil Abraham is quoted.

According to a top Government source, an advisory may be issued in the interest of general public to make them aware of the privacy issued while using services offered by foreign Internet companies such as Google and Facebook.

This follows an international media expose on how US agencies were getting access to user data from Internet companies such as Google and Facebook.

Final Strategy Soon

Top official in the Ministry of Telecom and IT told Business Line that the National Security Advisor, under the Prime Minister’s Officer, is discussing the issue and will outline the final strategy on Wednesday.

The key concern is that the US security agencies may have collected data from key Indian accounts using services from any of the Internet companies. A number of Government officials also use email service from Google and MS Outlook, which may have been accessed by the US agencies.

The other major concern is that Indian security agencies have also been seeking access to data from these foreign companies but so far they have not obliged on grounds that they do not come under the purview of Indian laws.

“If the US Government can get access to data from these companies, why can’t the Indian Government be given access,” posed a top functionary of the telecom ministry.

While Google and other companies have denied knowledge to how the US agencies got access to their networks, industry experts said that it’s time India starts taking concrete steps to address the issue.

B.K. Syngal, Former Chairman, Videsh Sanchar Nigam Ltd, said, “If we believed that our privacy is sacred then we would have taken effective domestic measures, years ago, to ensure that the information of our citizens remains private. To now say that multiple US companies have betrayed our trust is meaningless.”

Double Standards

Syngal said that there are double standards in the way organisations and Government is handling the issue. “As a start, lets stop giving too much time and space to the so called “Foreign Funded NGOs” teaching us on privacy. Our problem is that we are not China. We are so ill equipped that the third party interests aided and abetted by these NGOs would prevail,” said Syngal.

According to Sunil Abraham, Executive Director, Centre for Internet and Society, companies such as Google and Facebook are foes when it comes to privacy issues and friends when it comes to freedom of speech. “An Indian consumer using any of these foreign websites has no privacy rights whatsoever. The Indian Government also cannot force these companies to follow Indian laws,” said Abraham.

For more details visit https://cis-india.org/news/hindu-businessline-thomas-k-thomas-june-10-2013-govt-mulls-advisory-on-privacy-issues-related-to-google-facebook

A Technological Solution to the Challenges of Online Defamation

Eduardo Bertoni — 2013-07-02T14:47:46Z

When people are insulted or humiliated on the Internet and decide to take legal action, their cases often follow a similar trajectory.

This blog post written by Eduardo Bertoni was published in GlobalVoices on May 28, 2013. CIS has cross-posted this under the Creative Commons Licence.

Consider this scenario:

A public figure, let’s call her Senator X, enters her name into a search engine. The results surprise her — some of them make her angry because they come from Internet sites that she finds offensive. She believes that her reputation has been damaged by certain content within the search results and, consequently, that someone should pay for the personal damages inflicted.

Her lawyer recommends appealing to the search engine – the lawyer believes that the search engine should be held liable for the personal injury caused by the offensive content, even though the search engine did not create the content. The Senator is somewhat doubtful about this approach, as the search engine will also likely serve as a useful tool for her own self-promotion. After all, not all sites that appear in the search results are bothersome or offensive. Her lawyer explains that while results including her name will likely be difficult to find, the author of the offensive content should also be held liable. At that point, one option is to request that the search engine block any offensive sites related to the individual’s name from its searches. Yet the lawyer knows that this cannot be done without an official petition, which will require a judge’s intervention.

“We must go against everyone – authors, search engines – everyone!” the Senator will likely say. “Come on!” says the lawyer, “let's move forward.” However, it does not occur to either the Senator or the lawyer that there may be an alternative approach to that of classic courtroom litigation. The proposal I make here suggests a change to the standard approach – a change that requires technology to play an active role in the solution.

Who is liable?

The “going against everyone” approach poses a critical question: Who is legally liable for content that is available online? Authors of offensive content are typically seen as primarily liable. But should intermediaries such as search engines also be held liable for content created by others?

This last question raises a very specific, procedural question: Which intermediaries will be the subjects of scrutiny and viewed as liable in these types of situations? To answer this question, we must distinguish between intermediaries that provide Internet access (e.g. Internet service providers) and intermediaries that host content or offer content search functions. But what exactly is an ‘intermediary’? And how do we evaluate where an intermediary’s responsibility lies? It is also important to distinguish those intermediaries which simply connect individuals to the Internet from those that offer different services.

What kind of liability might an intermediary carry?

This brings us to the second step in the legal analysis of these situations: How do we determine which model we use in defining the responsibility of an intermediary? Various models have been debated in the past. Leading concepts include:

strict liability, under which the intermediary must legally respond to all offensive content
subjective liability, under which the intermediary’s response depends on what it has done and what it was or is aware of
conditional liability – a variation on subjective liability – under which, if an intermediary was notified or advised that it was promoting or directing users to illegal content and did nothing in response, it is legally required to respond to the offensive content.

These three options for determining liability and responses to offensive online content have been included in certain legislation and have been used in judicial decisions by judges around the world. But not one of these three alternatives provides a perfect standard. As a result, experts continue to search for a definition of liability that will satisfy those who have a legitimate interest in preventing damages that result from offensive content online.

How are victims compensated?

Now let’s return to the example presented earlier. Consider the concept of Senator X’s “satisfaction.” In these types of situations, “satisfaction” is typically economic — the victim will sue for a certain amount of money in “damages”, and she can target anyone involved, including the intermediary.

Interestingly, in the offline world, alternatives have been found for victims of defamation: For example, the “right to reply” aims to aid anyone who feels that his or her reputation or honor has been damaged and allows individuals to explain their point of view.

We must also ask if the right to reply is or is not contradictory to freedom of expression. It is critical to recognize that freedom of expression is a human right recognized by international treaties; technology should be able to achieve a similar solution to issues of online defamation without putting freedom of expression at risk.

Solving the problem with technology

In an increasingly online world, we have unsuccessfully attempted to apply traditional judicial solutions to the problems faced by victims like Senator X. There have been many attempts to apply traditional standards because lawyers are accustomed to using in them in other situations. But why not change the approach and use technology to help “satisfy” the problem?

The idea of including technology as part of the solution, when it is also part of the problem, is not new. If we combine the possibilities that technology offers us today with the older idea of the right to reply, we could change the broader focus of the discussion.

My proposal is simple: some intermediaries (like search engines) should create a tool that allows anyone who feels that he or she is the victim of defamation and offensive online content to denounce and criticize the material on the sites where it appears. I believe that for victims, the ability to say something and to have their voices heard on the sites where others will come across the information in question will be much more satisfactory than a trial against the intermediaries, where the outcome is unknown.

This proposal would also help to limit regulations that impose liability on intermediaries such as search engines. This is important because many of the regulations that have been proposed are technologically impractical. Even when they can be implemented, they often result in censorship; requirements that force intermediaries to filter content regularly infringe on rights such as freedom of expression or access to information.

This proposal may not be easy to implement from a technical standpoint. But I hope it will encourage discussion about the issue, given that a tool like the one I have proposed, although with different characteristics, was once part of Google’s search engine (the tool, “Google Sidewiki” is now discontinued). It should be possible improve upon this tool, adapt it, or do something completely new with the technology it was based on in order to help victims of defamation clarify their opinions and speak their minds about these issues, instead of relying on courts to impose censorship requirements on search engines. This tool could provide much greater satisfaction for victims and could help prevent the violation of the rights of others online as well.

Critics may argue that people will not read the disclaimers or statements written by “defamed” individuals and that the impact and spread of the offensive content will continue unfettered. But this is a cultural problem that will not be fixed by placing liability on intermediaries. As I explained before, the consequences of doing so can be unpredictable.

If we continue to rely on traditional regulatory means to solve these problems, we’ll continue to struggle with the undesirable results they can produce, chiefly increased controls on information and expression online. We should instead look to a technological solution as a viable alternative that cannot and should not be ignored.

Eduardo Bertoni is the Director of the Center for Studies on Freedom of Expression and Access to Information at Palermo University School of Law in Buenos Aires. He served as the Special Rapporteur for Freedom of Expression to the Organization of American States from 2002-2005.

For more details visit https://cis-india.org/internet-governance/blog/global-voices-may-28-2013-eduardo-bertoni-a-technological-solution-to-the-challenges-of-online-defamation