The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 11 to 25.
Interview with Big Brother Watch on Privacy and Surveillance
https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance
<b>Maria Xynou interviewed Emma Carr, the Deputy Director of Big Brother Watch, on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; ">For all those of you who haven't heard of Big Brother Watch, it's a London-based campaign group which was founded in 2009 to protect individual privacy and defend civil liberties.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/about">Big Brother Watch</a> was set up to challenge policies that threaten our privacy, our freedoms and our civil liberties, and to expose the true scale of the surveillance state. The campaign group has produced unique research exposing the erosion of civil liberties in the UK, looking at the dramatic expansion of surveillance powers, the growth of the database state and the misuse of personal information. Big Brother Watch campaigns to give individuals more control over their personal data, and hold to account those who fail to respect our privacy, whether private companies, government departments or local authorities.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.bigbrotherwatch.org.uk/who-we-are/emma-frances-carr-deputy-director">Emma Carr</a> joined Big Brother Watch as Deputy Director in February 2012 and has since been regularly quoted in the UK press. The Centre for Internet and Society interviewed Emma Carr on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">How do you define privacy?</p>
</li>
<li>
<p align="JUSTIFY">Can privacy and freedom of expression co-exist? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What is the balance between Internet freedom and surveillance?</p>
</li>
<li>
<p align="JUSTIFY">According to your research, most people worldwide care about their online privacy – yet they give up most of it through the use of social networking sites and other online services. Why, in your opinion, does this occur and what are the potential implications?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/Why not?</p>
</li>
<li>
<p align="JUSTIFY">What implications on human rights can mass surveillance potentially have?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Do we have Internet freedom?</p>
</li>
</ol><ol> </ol>
<p align="JUSTIFY"> </p>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/KhmwPYgLfjo" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance'>https://cis-india.org/internet-governance/blog/interview-with-big-brother-watch-on-privacy-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-15T14:24:27ZBlog EntryThe India Privacy Monitor Map
https://cis-india.org/internet-governance/blog/india-privacy-monitor-map
<b>The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country. </b>
<p style="text-align: justify; ">In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.</p>
<p style="text-align: justify; ">In particular, the map in its current format includes data on the following:</p>
<p style="text-align: justify; "><b>UID:</b> The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.</p>
<p style="text-align: justify; "><b>NPR:</b> Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.</p>
<p style="text-align: justify; "><b>CCTV:</b> Closed-circuit television cameras which can produce images or recordings for surveillance purposes.</p>
<p style="text-align: justify; "><b>UAV: </b>Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.</p>
<p style="text-align: justify; "><b>CCTNS: </b>The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.</p>
<p style="text-align: justify; "><b>Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor </b></p>
<p style="text-align: justify; ">This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-privacy-monitor-map'>https://cis-india.org/internet-governance/blog/india-privacy-monitor-map</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-09T16:26:14ZBlog EntryThe National Privacy Roundtable Meetings
https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings
<b>The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h3>Background: The Roundtable Meetings and Organisers</h3>
<p style="text-align: justify; "><a href="https://cis-india.org/">CIS</a> is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. <a href="http://www.ficci.com/">FICCI</a> is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. <a href="http://www.dsci.in/">DSCI</a> is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. <a href="https://www.privacyinternational.org/">Privacy International</a> is a London-based non-profit organisation that defends and promotes the right to privacy across the world.</p>
<h3 style="text-align: justify; ">Privacy in the Common Law and in India</h3>
<p style="text-align: justify; ">Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons <i>inter se</i> demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.</p>
<p style="text-align: justify; ">Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.<a href="#fn2" name="fr2">[2]</a> In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of <i>Kharak Singh</i> (1964)<a href="#fn4" name="fr4">[4]</a> and <i>Gobind</i> (1975)<a href="#fn5" name="fr5">[5]</a> considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the <i>Rajagopal</i> case (1994),<a href="#fn6" name="fr6">[6]</a> the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, <i>Rajagopal</i> dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the <i>PUCL</i> case (1996)<a href="#fn7" name="fr7">[7]</a> and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.<a href="#fn8" name="fr8">[8] </a>A more robust statement of the right to privacy was made recently by the Delhi High Court in the <i>Naz </i><i>Foundation</i> case (2011)<a href="#fn9" name="fr9">[9] </a>that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.</p>
<h3 style="text-align: justify; ">Attempts to Create a Statutory Regime</h3>
<p style="text-align: justify; ">The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.<a href="#fn10" name="fr10">[10]</a></p>
<p>Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.</p>
<p style="text-align: justify; ">Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")<a href="#fn11" name="fr11">[11]</a> — were subsequently reviewed by the Committee on Subordinate Legislation of the 15<sup>th</sup> Lok Sabha.<a href="#fn12" name="fr12">[12]</a> The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.<a href="#fn13" name="fr13">[13]</a></p>
<p style="text-align: justify; ">In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.</p>
<p style="text-align: justify; ">Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the <i>Naz Foundation</i> case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.<a href="#fn14" name="fr14">[14]</a> These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.</p>
<h3 style="text-align: justify; ">Criminal Procedure and Special Laws Relating to Privacy</h3>
<p style="text-align: justify; ">While the <i>Kharak Singh</i> and <i>Gobind</i> cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.</p>
<p style="text-align: justify; ">The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007<a href="#fn15" name="fr15">[15]</a> to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the <i>PUCL</i> case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.<a href="#fn16" name="fr16">[16]</a> Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.</p>
<p style="text-align: justify; ">In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.<a href="#fn17" name="fr17">[17]</a></p>
<h3 style="text-align: justify; ">The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings</h3>
<p style="text-align: justify; ">In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.</p>
<p style="text-align: justify; ">Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:</p>
<ul>
<li style="text-align: justify; ">New Delhi: April 13, 2013 (<a class="external-link" href="http://bit.ly/17REl0W">http://bit.ly/17REl0W</a>) with 45 participants;</li>
<li style="text-align: justify; ">Bangalore: April 20, 2013 (<a class="external-link" href="http://bit.ly/162t8rU">http://bit.ly/162t8rU</a>) with 45 participants;</li>
<li style="text-align: justify; ">Chennai: May 18, 2013 (<a class="external-link" href="http://bit.ly/12ICGYD">http://bit.ly/12ICGYD</a>) with 25 participants.</li>
<li style="text-align: justify; ">Mumbai, June 15, 2013 (<a class="external-link" href="http://bit.ly/12fJSvZ">http://bit.ly/12fJSvZ</a>) with 20 participants;</li>
<li style="text-align: justify; ">Kolkata: July 13, 2013 (<a class="external-link" href="http://bit.ly/11dgINZ">http://bit.ly/11dgINZ</a>) with 25 participants; and</li>
<li style="text-align: justify; ">New Delhi: August 24, 2013 (<a class="external-link" href="http://bit.ly/195cWIf">http://bit.ly/195cWIf</a>) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.</p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, Dan Solove, “A Taxonomy of Privacy” <i>University of Pennsylvania Law Review</i> (Vol. 154, No. 3, January 2006).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. <i>Wainwright</i> v. <i>Home Office</i> [2003] UKHL 53.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. See <i>A</i> v. <i>B plc</i> [2003] QB 195; <i>Wainwright</i> v. <i>Home Office </i>[2001] EWCA Civ 2081; <i>R (Ellis)</i> v. <i>Chief Constable of Essex Police</i> [2003] EWHC 1321 (Admin).</p>
<p>[<a href="#fr4" name="fn4">4</a>]. <i>Kharak Singh</i> v. <i>State of Uttar Pradesh</i> AIR 1963 SC 1295.</p>
<p>[<a href="#fr5" name="fn5">5</a>]. <i>Gobind</i> v. <i>State of Madhya Pradesh</i> AIR 1975 SC 1378.</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <i>R. Rajagopal</i> v. <i>State of Tamil Nadu</i> AIR 1995 SC 264.</p>
<p>[<a href="#fr7" name="fn7">7</a>]. <i>People’s Union for Civil Liberties</i> v. <i>Union of India</i> (1997) 1 SCC 30.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in <i>Maneka Gandhi</i> v. <i>Union of India</i> AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.</p>
<p>[<a href="#fr9" name="fn9">9</a>]. <i>Naz Foundation</i> v. <i>Government of NCT Delhi</i> (2009) 160 DLT 277.</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law"<i> International Data Privacy Law</i> (47-69, Vol. 1, No. 1, March 2011).</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – <a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011">http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14<sup>th</sup> edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.</p>
<p>[<a href="#fr13" name="fn13">13</a>]. See the 31<sup>st</sup> Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect <i>vide</i> Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. See, <i>inter alia</i>, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings'>https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2014-03-21T10:03:44ZBlog EntryAn Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption the answer to the private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-09-06T09:37:47ZBlog EntryThe Personal Data (Protection) Bill, 2013
https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013'>https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T14:53:11ZFileReport on the Sixth Privacy Roundtable Meeting, New Delhi
https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi
<b>In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.
</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p></p>
<p> </p>
<h2>Introduction<b> </b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">CIS was a member of the Justice A.P. Shah Committee which drafted the "<a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of Groups of Experts on Privacy</a>". CIS also drafted a <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft" class="external-link">Privacy (Protection) Bill 2013</a> (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol>
<li>New Delhi Roundtable: April 13, 2013</li>
<li>Bangalore Roundtable: April 20, 2013</li>
<li>Chennai Roundtable: May 18, 2013</li>
<li>Mumbai Roundtable: June 15, 2013</li>
<li>Kolkata Roundtable: July 13, 2013</li>
<li>New Delhi Roundtable: August 24, 2013</li>
<li>New Delhi Final Roundtable and National Meeting: October 19, 2013</li>
</ol>
<p style="text-align: justify; ">This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="internal-link" title="The Personal Data (Protection) Bill, 2013">The Personal Data (Protection) Bill, 2013 </a>was discussed at the Roundtable.</p>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill</a> from the more expansive – Privacy (Protection) Bill.</p>
<h2>Chapter I – Preliminary</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Religion and Caste</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –</p>
<ul>
<li>Whether religion and caste should be categorized as sensitive personal data or personal data?</li>
<li>Whether it is impracticable to include it in either category?</li>
<li>If included as sensitive personal data, how should it be implemented?</li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Political Affiliation<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conviction Data<b> <br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Financial and Credit Information<b><br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:</p>
<ul>
<li style="text-align: justify; ">The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.</li>
<li style="text-align: justify; ">Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.</li>
<li style="text-align: justify; ">While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.</li>
<li style="text-align: justify; ">Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law. </li>
</ul>
<h2>Chapter II – Regulation of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The main issues under consideration with regard to this part were –</p>
<ul>
<li>The scope of the protection provided</li>
<li>Whether the exemptions should be expanded or diminished. </li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in <i>Kharak Singh v. The State of U.P.</i> (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The overall conclusion of the discussion on this Chapter was –</p>
<ul>
<li>All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.</li>
<li>Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Chapter III – Protection of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data with Prior Informed Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3<sup>rd</sup> party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3<sup>rd</sup> party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3<sup>rd</sup> party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3<sup>rd</sup> party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data without Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -</p>
<p style="text-align: justify; "><i>“(a) necessary for the provision of an emergency medical service to the data subject;<br /></i><i>(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;<br />(c) necessary to prevent a reasonable threat to national security, defence or public order; or<br />(d) necessary to prevent, investigate or prosecute a cognisable offence”</i></p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as <i>Maneka Gandhi v. Union of India</i> (1978) and<i> PUCL v. Union of India</i> (1997).</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Storage and Processing of Personal Data<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.</p>
<h3 class="MsoNormalCxSpLast" style="text-align: justify; ">Conclusion</h3>
<ul>
<li>Mediated collection of data should be qualified on the basis of purpose and intent of collection.</li>
<li>The issue of cost to company (C2C) was not given adequate consideration in the Bill.</li>
<li>The need to lay down Procedures at all stages of handling personal data.</li>
<li>Special exemptions need to be provided for journalistic sources. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Meeting Conclusion<b><br /></b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill, 2013</a>. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi'>https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T15:04:51ZBlog EntryCan India Trust Its Government on Privacy?
https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy
<b>In response to criticisms of the Centralized Monitoring System, India’s new surveillance program, the government could contend that merely having the capability to engage in mass surveillance won’t mean that it will. Officials will argue that they will still abide by the law and will ensure that each instance of interception will be authorized.</b>
<hr />
<p style="text-align: justify; ">Pranesh Prakash's article was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/11/can-india-trust-its-government-on-privacy/">published in the New York Times</a> on July 11, 2013.</p>
<hr />
<p style="text-align: justify; ">In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.</p>
<p style="text-align: justify; ">Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun <a href="http://www.deccanherald.com/content/94085/big-brother-smaller-siblings-watching.html">noted</a> that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.” <span id="more-66976"> </span></p>
<p style="text-align: justify; ">India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.</p>
<p style="text-align: justify; ">At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.</p>
<p style="text-align: justify; ">In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.</p>
<p style="text-align: justify; ">Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a <a href="http://www.hindustantimes.com/India-news/NewDelhi/2G-scam-Spy-link-sparked-Niira-Radia-phone-tap/Article1-636886.aspx">spy</a> when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.</p>
<p style="text-align: justify; ">India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently <a href="http://www.indianexpress.com/news/ntro-hacking-email-ids-of-officials-says-govts-it-dept/1105875/">complained</a> to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.</p>
<p style="text-align: justify; ">Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 <a href="http://www.outlookindia.com/article.aspx?265192">article</a> in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”</p>
<p style="text-align: justify; ">The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint <a href="http://www.livemint.com/Politics/xxpcezb6Yhsr69qZ5AklgM/Intelligence-committee-to-meet-on-govt-email-hacking.html">reported</a> last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.</p>
<p style="text-align: justify; ">In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.</p>
<p style="text-align: justify; ">India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government <a href="http://www.indianexpress.com/news/ib-to-crack-down-on-illegal-use-of-offair-interception-equipment/800672/">asked</a> various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually <a href="http://articles.timesofindia.indiatimes.com/2012-10-11/india/34386576_1_security-agencies-privacy-concerns-surrender">turned in</a>.</p>
<p style="text-align: justify; ">These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.</p>
<p style="text-align: justify; ">The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (Centre for Internet and Society, where I work was part of the group). However, the government has yet to introduce a bill to protect citizens’ privacy, even though the governmental and private sector violations of Indian citizens’ privacy is growing at an alarming rate.</p>
<p style="text-align: justify; ">In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.</p>
<p style="text-align: justify; ">Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights groups, People’s Union of Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government should not employ technologies that erode legal procedures.</p>
<p style="text-align: justify; ">A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) as unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person of committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.</p>
<p style="text-align: justify; ">The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?) transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.</p>
<p style="text-align: justify; ">Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging used in apps like ChatSecure and Pidgin chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.</p>
<p style="text-align: justify; ">Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy'>https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy</a>
</p>
No publisherpraneshFreedom of Speech and ExpressionSAFEGUARDSInternet GovernancePrivacy2013-07-15T10:35:33ZBlog EntryHow Surveillance Works in India
https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india
<b>When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention. </b>
<hr />
<p style="text-align: justify; ">This article by Pranesh Prakash was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">published in the New York Times</a> on July 10, 2013.</p>
<hr />
<p style="text-align: justify; ">After a colleague at the Centre for Internet and Society wrote about the program and it was <a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">lambasted</a> by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.</p>
<p style="text-align: justify; ">In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.</p>
<p style="text-align: justify; ">This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies.<span id="more-66746"> </span> No intelligence agency in India has been created under an act of Parliament with <a href="http://articles.timesofindia.indiatimes.com/2013-02-02/india/36703357_1_intelligence-agencies-ntro-intelligence-bureau">clearly established roles and limitations on powers</a>, and hence <a href="http://articles.timesofindia.indiatimes.com/2012-03-26/chennai/31239894_1_ib-intelligence-bureau-officer-r-n-kulkarni">there is no public accountability whatsoever</a>.</p>
<p style="text-align: justify; ">The absence of accountability has meant that the government has <a href="http://articles.economictimes.indiatimes.com/2006-02-04/news/27434344_1_illegal-phone-indian-telegraph-act-security-agencies">since 2006</a> <a href="http://articles.timesofindia.indiatimes.com/2011-05-12/india/29535755_1_security-agencies-cms-intercept">been working on the C.M.S.</a>, which will integrate with the <a href="http://mha.nic.in/writereaddata/13040930061_Tr-ITJ-290411.pdf">Telephone</a> <a href="http://www.coraltele.com/support/GetPresentations.ashx?id=33">Call</a> <a href="http://indiatoday.intoday.in/story/government-plans-to-tighten-phone-tapping-norms/1/137251.html">Interception System</a> that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to <a href="http://www.outlookindia.com/article.aspx?265192">vast quantities of raw data traversing the Internet across multiple cities</a>, including the data going through the undersea cables that land in Mumbai.</p>
<p style="text-align: justify; ">With the C.M.S., the government will get <a href="http://www.thehindu.com/news/national/indias-surveillance-project-may-be-as-lethal-as-prism/article4834619.ece">centralized access to all communications metadata and content</a> traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.</p>
<table class="listing">
<tbody>
<tr>
<th>
<p style="text-align: center; "><img src="https://cis-india.org/home-images/Surveillance.png" alt="Internet Surfing" class="image-inline" title="Internet Surfing" /></p>
</th>
</tr>
<tr>
<td><span class="caption">A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. <br />Image Credit: </span><span class="credit">Anupam Nath/Associated Press</span></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.</p>
<p style="text-align: justify; ">There are no laws that allow for <i>mass</i> surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.</p>
<p style="text-align: justify; ">Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.</p>
<p style="text-align: justify; ">Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.</p>
<p style="text-align: justify; ">Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to <a href="http://articles.timesofindia.indiatimes.com/2013-04-17/india/38615115_1_anurag-singh-arvind-dabas-naushad-ahmad-khan">the cellphone records of Arun Jaitley</a>, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).</p>
<p style="text-align: justify; ">To put the ridiculousness of the penalty in <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009/">Sections 69</a> and <a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">69</a><a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">B</a> of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets <a href="http://www.vakilno1.com/bareacts/laws/the-intelligence-organisations-restriction-of-rights-act-1985.html">may be imprisoned up to three years. </a>And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be <a href="http://indiankanoon.org/doc/54229/">up to one month’s imprisonment</a>. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her <a href="http://lawcommissionofindia.nic.in/reports/180rpt.pdf">constitutional right against self-incrimination</a>. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.</p>
<p style="text-align: justify; ">As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)</p>
<p style="text-align: justify; ">Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”</p>
<p style="text-align: justify; ">Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)</p>
<p style="text-align: justify; ">In a landmark 1996 judgment, the Indian Supreme Court held that <a href="http://indiankanoon.org/doc/87862/">telephone tapping is a serious invasion of an individual’s privacy</a> and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india'>https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india</a>
</p>
No publisherpraneshSAFEGUARDSInternet GovernancePrivacy2013-07-15T10:20:45ZBlog EntryIndia’s Central Monitoring System: Security can’t come at cost of privacy
https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy
<b>During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).</b>
<hr />
<p>Danish Raza's article was<a class="external-link" href="http://www.firstpost.com/tech/indias-central-monitoring-system-security-cant-come-at-cost-of-privacy-944475.html"> published in FirstPost </a>on July 10, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The surveillance project, described as the Indian version of <a href="http://www.firstpost.com/topic/organization/prism-profile-230137.html" target="_blank" title="PRISM">PRISM</a>, will allow the government to monitor online and telephone data of citizens. <a href="http://www.medianama.com/2013/06/223-%3Ca%20href=" rel="nofollow" target="_blank" title="prism">prism</a>-milind-deora-cms-central-monitoring-system/” target=”_blank”></p>
<p style="text-align: justify; ">The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.</p>
<p style="text-align: justify; ">A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679" target="_blank">merely states</a> that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”</p>
<p style="text-align: justify; ">One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.</p>
<p style="text-align: justify; ">“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.</p>
<p style="text-align: justify; ">There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.</p>
<p style="text-align: justify; ">Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”</p>
<p style="text-align: justify; ">Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”</p>
<p style="text-align: justify; ">Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?</p>
<p style="text-align: justify; ">“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”</p>
<p style="text-align: justify; ">Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy'>https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy</a>
</p>
No publisherpraskrishnaSAFEGUARDSInternet GovernancePrivacy2013-07-15T06:43:21ZNews ItemMoving Towards a Surveillance State
https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state
<b>The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent. </b>
<hr />
<p>Note: The original tender document of the Assam Police dated 28.02.2013 along with other several other tender documents for procurement of Internet and Voice Monitoring Systems <a href="https://cis-india.org/internet-governance/blog/tenders-eoi-press-release.zip" class="internal-link">is attached as a zip folder</a>.</p>
<hr />
<p style="text-align: justify; ">As highlighted in the <a href="http://necessaryandproportionate.net/#_edn2"><i>International Principles on the Application of Human Rights to Communications Surveillance</i></a><i>, </i>logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that in light of the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.<a href="#fn*" name="fr*">[*]</a> These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.</p>
<p style="text-align: justify; ">While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a> (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.</p>
<p style="text-align: justify; ">Although information regarding the Central Monitoring System is quite limited on the public forum at the moment it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">press release</a> of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">press release</a> and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT <a href="http://www.cdot.in/media/publications.htm">annual report</a> 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. <a href="http://articles.economictimes.indiatimes.com/2013-05-07/news/39091148_1_single-window-pranesh-prakash-internet">Media reports</a> indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and <a href="https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy">wide gaps in procedure and law</a>. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state over the rights of an ordinary citizen. It is under these circumstances that awareness must first be brought regarding <a href="https://www.eff.org/deeplinks/state-surveillance-%26-human-rights">the risks of the mass surveillance</a> on civil liberties which in the absence of established procedures protecting the rights of the citizens of the state can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.</p>
<p style="text-align: justify; ">The architecture and working of a <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">proposed Internet Monitoring System</a> must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of the citizens especially the right to privacy can be made while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.</p>
<p style="text-align: justify; "><b>Internet Monitoring System: Setup and Working</b><br />Very broadly, The Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server which includes all electronic correspondence (emails, chats or IM’s, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the central monitoring system still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the the specifications revealed in the Assam Police <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">tender document</a> for the procurement of an Internet Monitoring System.</p>
<p style="text-align: justify; "><b>Setup</b><br />The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises and the probes are installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simple aggregate the data from the ISP servers and the data is transferred to a master aggregation server located a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.</p>
<p style="text-align: justify; ">The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.<i> </i></p>
<p style="text-align: justify; "><b>Types of data</b><br />The proposed internet monitoring system of the Assam state can provide network traffic interception and a variety of internet protocols including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Session Initiation Protocol (SIP), Voice over Internet Protocol (VoIP) can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address, routing address can be acquired along with the IP address and other details of the user.</p>
<p style="text-align: justify; ">Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows capture of additional pages if updated; log periodical updates and other changes. This allows the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.</p>
<p style="text-align: justify; ">More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.</p>
<p>Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.</p>
<p style="text-align: justify; "><b>Types of Analysis</b><br />The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.</p>
<p style="text-align: justify; ">The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, media reports, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.<br /><br />Based on the information, the analysis supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge and are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content download or view and any other type of gatherable information. The solutions on the system are also supposed to create single or multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URL, packet route that may be defined from time to time and such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, which as may be defined by the agency depending on operational and intelligence requirement. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users. <br /><br />Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search capabilities which can be automated providing a powerful tool for exploration of the intercepted data.<br /><br />Another important requirement mentioned in the tender document is the systems capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />It is clear that a system like IMS with its extensive interception and analysis capabilities gives complete access to an agency or authority of all information that is accessed or transmitted by a person on the internet including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act. <br /><br />The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who access the internet. Tools like deep packet inspection and extensive data mining solutions in the absence of concrete safeguards and when deployed through a centralized system can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can also be sometimes misleading and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that the democratic values are persevered and not endangered by any act of reckless force.<br /><br />Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.</p>
<hr />
<p>[<a href="#fr*" name="fn*">*</a>]. <a class="external-link" href="http://necessaryandproportionate.net/#_edn2">http://necessaryandproportionate.net/#_edn2</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state'>https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state</a>
</p>
No publisheratreyaSAFEGUARDSInternet GovernancePrivacy2013-07-15T05:57:15ZBlog EntryThe Difficult Balance of Transparent Surveillance
https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance
<b>Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other silicon valley giants would say no. When customers join these services, each company provides their own privacy statement which assures customers of the safety and transparency that accompanies their personal data.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.</p>
<p style="text-align: justify; ">So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">So we must unpack the idea of transparency.</p>
<p style="text-align: justify; ">First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?</p>
<p style="text-align: justify; ">Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.</p>
<p style="text-align: justify; ">Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, <i>so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds</i>.” <a href="#fna" name="fra">[a]</a> Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook <a href="#fna" name="fra">[a]</a>, Apple <a href="#fnb" name="frb">[b]</a>, Microsoft<a href="#fnc" name="frc">[c]</a>, and Google <a href="#fnd" name="frd">[d]</a>) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14<sup>th</sup>, “We have not received any national security orders <i>of the type that Verizon was reported to have received</i>.” <a href="#fnc" name="frc">[c]</a> Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.</p>
<p style="text-align: justify; ">Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.</p>
<p style="text-align: justify; ">But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS<a href="#fn4" name="fr4">[4]</a> but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">petition</a> as an Indian agency is not involved.”<a href="#fn5" name="fr5">[5]</a><a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.</p>
<p style="text-align: justify; ">For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.<a href="#fn7" name="fr7">[7] </a>India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.<a href="#fn8" name="fr8">[8]</a> It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.</p>
<p style="text-align: justify; ">The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.<a href="#fn5" name="fr5">[5]</a> If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.</p>
<p style="text-align: justify; ">Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of <i>who</i> citizens prefer spying over them.</p>
<p style="text-align: justify; ">Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.<a href="#fn9" name="fr9">[9]</a> Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”<a href="#fnc" name="frc">[c]</a></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a href="http://digitaldueprocess.org/">http://digitaldueprocess.org/</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://bit.ly/151Ue1H">http://bit.ly/151Ue1H</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://bit.ly/12XDb1Z">http://bit.ly/12XDb1Z</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://ti.me/11Xh08V">http://ti.me/11Xh08V</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh</a> [attached]</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://bit.ly/1aXWdbU">http://bit.ly/1aXWdbU</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://1.usa.gov/qafcXe">http://1.usa.gov/qafcXe</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://bit.ly/114hcCX">http://bit.ly/114hcCX</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="http://bit.ly/156wspI">http://bit.ly/156wspI</a></p>
<hr />
<p>[<a href="#fra" name="fna">a</a>]. <b>Facebook Statement</b>: <a class="external-link" href="http://bit.ly/ZQDcn6">http://bit.ly/ZQDcn6</a></p>
<p>[<a href="#frb" name="fnb">b</a>]. <b>Apple Statement</b>: <a class="external-link" href="http://bit.ly/1akaBuN">http://bit.ly/1akaBuN</a></p>
<p>[<a href="#frc" name="fnc">c</a>]. <b>Microsoft Statement</b>:<a class="external-link" href="http://bit.ly/1bFIt31">http://bit.ly/1bFIt31</a></p>
<p>[<a href="#frd" name="fnd">d</a>]. <b>Google Statement</b>: <a class="external-link" href="http://bit.ly/16QlaqB">http://bit.ly/16QlaqB</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance'>https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance</a>
</p>
No publisherkoveySAFEGUARDSInternet GovernancePrivacy2013-07-15T04:23:35ZBlog EntryPrivacy Protection Bill, 2013 (With Amendments based on Public Feedback)
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback</a>
</p>
No publisherelonnaiFeaturedSAFEGUARDSInternet GovernancePrivacy2013-07-12T10:50:22ZBlog EntrySEBI and Communication Surveillance: New Rules, New Responsibilities?
https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance
<b>In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify; ">The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but does not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.</p>
<h3 style="text-align: justify; ">SEBI’s Authority (Until Now)</h3>
<p style="text-align: justify; ">Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."<a href="#fn1" name="fr1">[1]</a> Its powers have included "calling for information from, undertaking inspection, conducting inquires and audits of the intermediaries and self-regulatory organisations in the securities market."<a href="#fn2" name="fr2">[2]</a> Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”<a href="#fn3" name="fr3">[3]</a> SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.</p>
<p>But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.</p>
<h3>What is the Importance of CDR Access?</h3>
<p style="text-align: justify; ">Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."<a href="#fn4" name="fr4">[4]</a> Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.</p>
<p style="text-align: justify; ">One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.<a href="#fn5" name="fr5">[5]</a> Currently, under section 92 of the CrPc, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.<a href="#fn6" name="fr6">[6]</a> Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of “reasonable grounds," as stipulated in section 11C of the SEBI Act.<a href="#fn7" name="fr7">[7]</a> It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."<a href="#fn7" name="fr7">[7] </a>With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.<a href="#fn8" name="fr8">[8] </a>But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.</p>
<h3 style="text-align: justify; ">Significance and Responsibility in this Decision</h3>
<p style="text-align: justify; ">Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizen’s call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizen’s call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizen’s rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).</p>
<p>[<a href="#fr3" name="fn3">3</a>]. “Sebi Finalising new Anti-money laundering guidelines,” <i>The Times of India, </i>June 16, 2013</p>
<p><a href="http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms">http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms</a></p>
<p style="text-align: left; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance -<a href="http://www.necessaryandproportionate.net/#_edn1">http://www.necessaryandproportionate.net/#_edn1</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. “Sebi to soon to get Powers to Access Call Records,” <i>Business Today</i>, June 13, 2013</p>
<p><a href="http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html">http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. 1973 Criminal Procedure Code, Section 92 <a href="http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf">http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf</a></p>
<p>“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013</p>
<p><a href="http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary">http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. 1992 Securities and Exchange Board of India Act, section 11C, part 8</p>
<p>[<a href="#fr8" name="fn8">8</a>]. 2002 Prevention of Money-Laundering Act, section 12</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance'>https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance</a>
</p>
No publisherkoveySAFEGUARDSInternet GovernancePrivacy2013-07-12T10:51:46ZBlog EntryOpen Letter to Prevent the Installation of RFID tags in Vehicles
https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles
<b>The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to intall RFID tags in vehicles in India. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p class="western" style="text-align: justify; ">This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.</p>
<p class="western" style="text-align: justify; ">On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.</p>
<p class="western" style="text-align: justify; ">The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.</p>
<p class="western" style="text-align: justify; ">The installation of RFID tags in vehicles is not only currently illegal, but it also raises majors privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.<a href="#fn1" name="fr1">[1]</a></p>
<p class="western" style="text-align: justify; ">The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.<a href="#fn2" name="fr2">[2]</a><sup> </sup>The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">Thank you for your time and for considering our request.</p>
<p class="western" style="text-align: justify; ">Sincerely,</p>
<p class="western" style="text-align: justify; ">Centre for Internet and Society (CIS)</p>
<p> </p>
<p id="sdfootnote1"> </p>
<p>[<a href="#fr1" name="fn1">1</a>]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p>[<a href="#fr2" name="fn2">2</a>].Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles'>https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T10:59:31ZBlog EntryReport on the 4th Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; "><span>In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</span></p>
<p style="text-align: justify; "><span>In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</span></p>
<p style="text-align: justify; "><span>At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</span></p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are enlisted below:</span></p>
<ol style="text-align: justify; ">
<li>
<p align="JUSTIFY"><span>New Delhi Roundtable: 13 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Bangalore Roundtable: 20 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Chennai Roundtable: 18 May 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Mumbai Roundtable: 15 June 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Kolkata Roundtable: 13 July 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>New Delhi Final Roundtable and National Meeting: 17 August 2013</span></p>
</li>
</ol>
<p style="text-align: justify; "><span>Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.</span></p>
<h2><b><span>Discussion of the Draft Privacy (Protection) Bill 2013</span></b></h2>
<h3><b><span>Discussion of definitions: Chapter 1</span></b></h3>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised. </span></p>
<p style="text-align: justify; "><span>Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection. </span></p>
<p style="text-align: justify; "><span>The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. </span></p>
<p style="text-align: justify; "><span>Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. </span></p>
<p style="text-align: justify; "><span>The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. </span></p>
<p style="text-align: justify; "><span>The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.</span></p>
<p style="text-align: justify; "><span>In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. </span></p>
<p style="text-align: justify; "><span>Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. </span></p>
<p style="text-align: justify; "><span>On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions. </span></p>
<h3><b><span>Right to Privacy: Chapter 2</span></b></h3>
<p style="text-align: justify; "><span>The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. </span></p>
<p style="text-align: justify; "><span>Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. </span></p>
<p style="text-align: justify; "><span>The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.</span></p>
<p style="text-align: justify; "><span>Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. </span></p>
<h3><b><span>Protection of Personal Data: Chapter 3</span></b></h3>
<p style="text-align: justify; "><span>Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. </span></p>
<p style="text-align: justify; "><b><span>Collection of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention. </span></p>
<p style="text-align: justify; "><span>It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. </span></p>
<p style="text-align: justify; "><span>Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty. </span></p>
<p style="text-align: justify; "><span>A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. </span></p>
<p style="text-align: justify; "><span>The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. </span></p>
<p style="text-align: justify; "><span>In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection. </span></p>
<p style="text-align: justify; "><span>It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. </span></p>
<p style="text-align: justify; "><b><span>Storage and destruction of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data. </span></p>
<p style="text-align: justify; "><span>In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. </span></p>
<p style="text-align: justify; "><span>Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. </span></p>
<p style="text-align: justify; "><b><span>Security of personal data and duty of confidentiality</span></b></p>
<p style="text-align: justify; "><span>Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. </span></p>
<p style="text-align: justify; "><span>One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. </span></p>
<p style="text-align: justify; "><b><span>Disclosure of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to. </span></p>
<p style="text-align: justify; "><span>It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. </span></p>
<p style="text-align: justify; "><span>Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism. </span></p>
<p style="text-align: justify; "><span>This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. </span></p>
<p style="text-align: justify; "><span>Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. </span></p>
<p style="text-align: justify; "><span>A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. </span></p>
<p style="text-align: justify; "><span>However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed. </span></p>
<p style="text-align: justify; "><span>Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. </span></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. </span></p>
<h2><b><span>Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner</span></b></h2>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. </span></p>
<p style="text-align: justify; "><span>There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a </span><i><span>competitive disadvantage </span></i><span>in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. </span></p>
<p style="text-align: justify; "><span>As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. </span></p>
<p style="text-align: justify; "><span>On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. <br /></span></p>
<p style="text-align: justify; "><span>When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. </span></p>
<p style="text-align: justify; "><span>Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on </span><i><span>accountability</span></i><span>. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached. </span></p>
<p style="text-align: justify; "><span>On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights. </span></p>
<h2><b><span>Meeting conclusion</span></b></h2>
<p style="text-align: justify; "><a name="_GoBack"></a><span>The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed. </span></p>
<p align="JUSTIFY"><span> </span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:04:25ZBlog Entry