Centre for Internet and Society

Security Research

vanya — 2016-01-03T09:55:27Z

The Centre Internet and Society, India has been researching privacy policy in India since the year 2010 with the following objectives.

Research on the issue of privacy in different sectors in India.
Monitoring projects, practices, and policies around those sectors.
Raising public awareness around the issue of privacy, in light of varied projects, industries, sectors and instances.

State surveillance in India has been carried out by Government agencies for many years. Recent projects include: NATGRID, CMS, NETRA, etc. which aim to overhaul the overall security and intelligence infrastructure in the country. The purpose of such initiatives has been to maintain national security and ensure interconnectivity and interoperability between departments and agencies. Concerns regarding the structure, regulatory frameworks (or lack thereof), and technologies used in these programmes and projects have attracted criticism.

Surveillance/Security Research -

1. Central Monitoring System -

The Central Monitoring System or CMS is a clandestine mass electronic surveillance data mining program installed by the Center for Development of Telematics (C-DOT), a part of the Indian government. It gives law enforcement agencies centralized access to India's telecommunications network and the ability to listen in on and record mobile, landline, satellite, Voice over Internet Protocol (VoIP) calls along with private e-mails, SMS, MMS. It also gives them the ability to geo-locate individuals via cell phones in real time.

The Central Monitoring System: Some Questions to be Raised in Parliament http://bit.ly/1fln2vu

India´s ´Big Brother´: The Central Monitoring System (CMS) http://bit.ly/1kyyzKB

India's Central Monitoring System (CMS): Something to Worry About? http://bit.ly/1gsM4oQ

C-DoT's surveillance system making enemies on internet http://cis-india.org/news/dna-march-21-2014-krishna-bahirwani-c-dots-surveillance-system-making-enemies-on-internet

2. Surveillance Industry : Global And Domestic -

The surveillance industry is a multi-billion dollar economic sector that tracks individuals along with their actions such as e-mails and texts. With the cause for its existence being terrorism and the government's attempts to fight it, a network has been created that leaves no one with their privacy. All that an individual does in the digital world is suspect to surveillance. This included surveillance in the form of snooping where an individual's phone calls, text messages and e-mails are monitored or a more active kind where cameras, sensors and other devices are used to actively track the movements and actions of an individual. This information allows governments to bypass the privacy that an individual has in a manner that is considered unethical and incorrect. This information that is collected also in vulnerable to cyber-attacks that are serious risks to privacy and the individuals themselves. The following set of articles look into the ethics, risks, vulnerabilities and trade-offs of having a mass surveillance industry in place.

Surveillance Technologies http://bit.ly/14pxg74

New Standard Operating Procedures for Lawful Interception and Monitoring http://bit.ly/1mRRIo4

Video Surveillance and Its Impact on the Right to Privacy http://cis-india.org/internet-governance/blog/privacy/video-surveillance-privacy

More than a Hundred Global Groups Make a Principled Stand against Surveillance http://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance

Models for Surveillance and Interception of Communications Worldwide http://cis-india.org/internet-governance/blog/models-for-surveillance-and-interception-of-communications-worldwide

Why 'Facebook' is More Dangerous than the Government Spying on You http://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

The Difficult Balance of Transparent Surveillance http://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance

UK's Interception of Communications Commissioner - A Model of Accountability http://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability
Search and Seizure and the Right to Privacy in the Digital Age: A Comparison of US and India http://cis-india.org/internet-governance/blog/search-and-seizure-and-right-to-privacy-in-digital-age
State Surveillance and Human Rights Camp: Summary http://bit.ly/ZZNm6M
India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis - It is Now Officially Confirmed http://bit.ly/1eqtD8g
Spy Files 3: WikiLeaks Sheds More Light on the Global Surveillance Industry http://bit.ly/1d6EmjD
Surveillance Camp IV: Disproportionate State Surveillance - A Violation of Privacy http://bit.ly/1ilTJts
Hacking without borders: The future of artificial intelligence and surveillance http://bit.ly/1kWiwGv
Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes http://bit.ly/1mr3KTH
Policy Brief: Oversight Mechanisms for Surveillance http://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance

3. Judgements By the Indian Courts -

The surveillance industry in India has been brought before the court in different cases. The following articles look into the cause of action in these cases along with their impact on India and its citizens.

Anvar v. Basheer and the New (Old) Law of Electronic Evidence http://cis-india.org/internet-governance/blog/anvar-v-basheer-new-old-law-of-electronic-evidence

The Gujarat High Court Judgement on the Snoopgate Issue http://cis-india.org/internet-governance/blog/gujarat-high-court-judgment-on-snoopgate-issue

4. International Privacy Laws -

Due to the universality of the internet, many questions of accountability arise and jurisdiction becomes a problem. Therefore certain treaties, agreements and other international legal literature was created to answer these questions. The articles listed below look into the international legal framework which governs the internet.

Learning to Forget the ECJ's Decision on the Right to be Forgotten and its Implications http://cis-india.org/internet-governance/blog/learning-to-forget-ecj-decision-on-the-right-to-be-forgotten-and-its-implications
Privacy and Security Can Co-exist http://cis-india.org/internet-governance/blog/privacy-and-security
European Union Draft Report Admonishes Mass Surveillance, Calls for Stricter Data Protection and Privacy Laws http://cis-india.org/internet-governance/blog/european-union-draft-report-admonishes-mass-surveillance
Draft International Principles on Communications Surveillance and Human Rights http://bit.ly/XCsk9b

5. Indian Surveillance Framework -

The Indian government's mass surveillance systems are configured a little differently from the networks of many countries such as the USA and the UK. This is because of the vast difference in infrastructure both in existence and the required amount. In many ways, it is considered that the surveillance network in India is far worse than other countries. This is due to the present form of the legal system in existence. The articles below explore the system and its functioning including the various methods through which we are spied on. The ethics and vulnerabilities are also explored in these articles.

Paper-thin Safeguards and Mass Surveillance in India - http://cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india

The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers! - http://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers

The Surveillance Industry in India - An Analysis of Indian Security Expos http://cis-india.org/internet-governance/blog/surveillance-industry-in-india-analysis-of-indian-security-expos

GSMA Research Outputs: different legal and regulatory aspects of security and surveillance in India http://cis-india.org/internet-governance/blog/gsma-research-outputs

Way to watch http://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch
Free Speech and Surveillance http://cis-india.org/internet-governance/blog/free-speech-and-surveillance
Surveillance rises, privacy retreats http://cis-india.org/internet-governance/news/business-standard-namrata-acharya-april-12-2015-surveillance-rises-privacy-retreats

Freedom from Monitoring: India Inc. should Push For Privacy Laws http://cis-india.org/internet-governance/blog/forbesindia-article-august-21-2013-sunil-abraham-freedom-from-monitoring

Surat's Massive Surveillance Network Should Cause Concern, Not Celebration http://cis-india.org/internet-governance/blog/surat-massive-surveillance-network-cause-of-concern-not-celebration

Vodafone Report Explains Government Access to Customer Data http://cis-india.org/internet-governance/blog/vodafone-report-explains-govt-access-to-customer-data

A Review of the Functioning of the Cyber Appellate Tribunal and Adjudicator officers under the IT Act http://cis-india.org/internet-governance/blog/review-of-functioning-of-cyber-appellate-tribunal-and-adjudicatory-officers-under-it-act

A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications http://bit.ly/U6T3xy

SEBI and Communication Surveillance: New Rules, New Responsibilities? http://bit.ly/1eqtD8g

Snooping Can Lead to Data Abuse http://cis-india.org/internet-governance/blog/snooping-to-data-abuse

Big Brother is Watching You http://bit.ly/1arbxwm

Moving Towards a Surveillance State http://cis-india.org/internet-governance/blog/moving-towards-surveillance-state
How Surveillance Works in India http://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india

Big Democracy, Big Surveillance: India's Surveillance State http://bit.ly/1nkg8Ho
Can India Trust Its Government on Privacy? http://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy
Indian surveillance laws & practices far worse than US http://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us
Security, Surveillance and Data Sharing Schemes and Bodies in India http://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf/view
Policy Paper on Surveillance in India http://cis-india.org/internet-governance/blog/policy-paper-on-surveillance-in-indiahttp://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology
The Constitutionality of Indian Surveillance Law: Public Emergency as a Condition Precedent for Intercepting Communications http://cis-india.org/internet-governance/blog/the-constitutionality-of-indian-surveillance-law
Surveillance and the Indian Constitution - Part 1: Foundations http://bit.ly/1ntqsen

Surveillance and the Indian Constitution - Part 2: Gobind and the Compelling State Interest Test http://bit.ly/1dH3meL

Surveillance and the Indian Constitution - Part 3: The Public/Private Distinction and the Supreme Court's Wrong Turn http://bit.ly/1kBosnw

Mastering the Art of Keeping Indians Under Surveillance http://cis-india.org/internet-governance/blog/the-wire-may-30-2015-bhairav-acharya-mastering-the-art-of-keeping-indians-under-surveillance

For more details visit https://cis-india.org/internet-governance/blog/security-research

Surveillance

royson — 2008-09-21T14:57:53Z

Context

Technology and Surveillance have always been comfortable bed-partners. Each new technology has led to new and more ubiquitous form of surveillance practices premised on intensive data-mining and centralisation of data. In the age of Information Technologies, where Information is the new capital, Surveillance, as a theoretical concept and as practice takes on an unprecedented everydayness. The experience of the urban is necessarily one of being an object of surveillance. Everyday practices are now structured around models of surveillance—from CCTV in areas of consumption to physical surveillance at areas of transit—such that surveillance has become almost value neutral in its presence around us.

This overwhelming sense of being watched has led to two distinct forms of manifestation in the last four decades. The first is the sense of paranoia—the Big Brother syndrome—which has found many proponents lamenting the loss of privacy and the abduction of the personal by the State and the market. The second is in the anti-surveillance stance which demands either for an abolishing of the surveillance practices or for an ethical use of the data. While both these forms have their own merits, the debate and the stakes change considerably once we enter the digital domains.

Especially within the digital spaces, where ‘presence’, a ‘record of the presence’, and an archiving of the records are inescapable, surveillance becomes more than just a practice; it becomes an inescapable condition of being online. To be online is to leave traces, physical and digital, personal and pseudonymous. In such a case, instead of taking an either-or position around surveillance, we are now looking at what surveillance enables and what are the ways in which it mediates the complex mechanics of urban survival.

Research Agenda

What are the various forms of surveillance that we encounter in the digital world? How do we understand being subject to surveillance as a part of being online?
What are the ways to negotiate, mediate, and surpass the various forms of surveillance that are a part of cyberspaces? Who are the agents of surveillance?
What does surveillance enable for the different actors within a given space? For example, for the agent conducting the surveillance, it might be a question of collecting data. For the actor being watched, it might be a narrative condition where s/he can manifest him/her self in the process of surveillance. For the audience that becomes witness to the surveillance, a new set of relationships might emerge with the object being manifest and the practice of surveillance.
How does surveillance become a threat when it is especially conducted in the promotion of safety and security? What are the paradoxes it generates and how do we negotiate with them?
With the proliferation of portable media capture devices, what is the value of surveillance? What are the new forms of authorship that it creates? Can we look upon surveillance—the process of being watched, the knowledge of being watched, and the incessant historicisation of the present—as an aesthetic paradigm?

For more details visit https://cis-india.org/about/substantive-areas/digital-pluralism/surveillance

Paper-thin Safeguards and Mass Surveillance in India

chinmayi — 2015-06-20T10:17:57Z

The Indian government's new mass surveillance systems present new threats to the right to privacy. Mass interception of communication, keyword searches and easy access to particular users' data suggest that state is moving towards unfettered large-scale monitoring of communication. This is particularly ominous given that our privacy safeguards remain inadequate even for targeted surveillance and its more familiar pitfalls.

This need for better safeguards was made apparent when the Gujarat government illegally placed a young woman under surveillance for obviously illegitimate purposes, demonstrating that the current system is prone to egregious misuse. While the lack of proper safeguards is problematic even in the context of targeted surveillance, it threatens the health of our democracy in the context of mass surveillance. The proliferation of mass surveillance means that vast amounts of data are collected easily using information technology, and lie relatively unprotected.

This paper examines the right to privacy and surveillance in India, in an effort to highlight more clearly the problems that are likely to emerge with mass surveillance of communication by the Indian Government. It does this by teasing out Indian privacy rights jurisprudence and the concerns underpinning it, by considering its utility in the context of mass surveillance and then explaining the kind of harm that might result if mass surveillance continues unchecked.

The first part of this paper threads together the evolution of Indian constitutional principles on privacy in the context of communication surveillance as well as search and seizure. It covers discussions of privacy in the context of our fundamental rights by the draftspersons of our constitution, and then moves on to the ways in which the Supreme Court of India has been reading the right to privacy into the constitution.

The second part of this paper discusses the difference between mass surveillance and targeted surveillance, and international human rights principles that attempt to mitigate the ill effects of mass surveillance.

The concluding part of the paper discusses mass surveillance in India, and makes a case for expanding our existing privacy safeguards to protect the right to privacy in a meaningful manner in face of state surveillance.

Download the paper here.

For more details visit https://cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india

The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!

maria — 2013-07-12T11:59:10Z

Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out!

This blog post has been cross-posted in Medianama on May 8, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

So yes, we live in an Internet Surveillance State. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?

Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it lacks privacy legislation which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.

The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?

A glimpse of the surveillance industry in India

In light of the UID scheme, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network System (CCTNS) and the Central Monitoring System (CMS), who supplies law enforcement agencies the technology to surveille us?

In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies simultaneously produce internet monitoring software and encryption tools! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.

Companies selling surveillance technology in India are listed in Table 1. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.

Table 2 shows the types of surveillance technology produced and sold by these 76 companies.

The graph below is based on Table 2 and shows which types of surveillance are produced the most by the 76 companies.

Graph on types of surveillance sold to law enforcement agencies by 76 companies in India

Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the UID scheme which is rapidly expanding across India. Only one company from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the Central Monitoring System (CMS), especially since the project would have to monitor and mine Big Data.

On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since the majority of the population in India does not even have Internet access. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while more than half the population owns mobile phones. Seeing as companies, such as ClearTrail Technologies and Shoghi Communications, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.

Did you Know:

CARLOS62 on flickr

WSS Security Solutions Pvt. Ltd. is north India´s first CCTV zone
Speck Systems Limited was the first Indian company to design, manufacture and fly a micro UAV indigenously
Mobile Spy India (Retina-X Studios) has the following mobile spying features:

SniperSpy: remotely monitors smartphones and computers from any location

Mobile Spy: monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces

4. Infoserve India Private Limited produces an Internet monitoring System with the following features:

Intelligence gathering for an entire state or a region
Builds a chain of suspects from a single start point
Data loss of less than 2%
2nd Generation Interception System
Advanced link analysis and pattern matching algorithms
Completely Automated System
Data Processing of up to 10 G/s
Automated alerts on the capture of suspicious data (usually based on keywords)

5. ClearTrail Technologies deploys spyware into a target´s machine
6. Spy Impex sells Coca Cola Tin Cameras!
7. Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and Lighter Video Cameras to name a few...
8. Raviraj Technologies is an Indian company which supplies RFID and biometric technology to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?

Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further oppression within these countries

Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards

“I´m not a terrorist, I have nothing to hide!”

r1chardm on flickr

It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:

“I´m not a terrorist, I have nothing to hide!”

Indeed. You may not be a terrorist...and you may think you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?

Last year at the linux.conf.au, Jacob Appelbaum stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. Bruce Schneier has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.

That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, we are all potentially suspects. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called ´risky information´. As long as our data is being surveilled, we are all suspects, which means that we can all potentially be arrested, interrogated and maybe even tortured, just like any other criminal suspect.

But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.

Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The market appears to demand for surveillance technologies because a pre-existing surveillance culture has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as 3M, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that surveillance is being socially integrated. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.

By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as NATGRID and the CMS in India- or by handing over our data, we are fuelling the surveillance state. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution and of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.

Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because India lacks privacy legislation which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.

Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as Raviraj Technologies, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus export controls are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.

Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even murdered in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.

For more details visit https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers

Video Surveillance and Its Impact on the Right to Privacy

Vaishnavi Chillakuru — 2011-09-29T05:35:56Z

The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.

However, this move is fundamentally opposed by many civil rights and privacy groups across different jurisdictions and have expressed concern that by allowing continual increases in government surveillance of citizens that we will end up in a mass surveillance society, with extremely limited, or non-existent political and/or personal freedoms.

European Union

The Data Protection Directive [1]of 1995, a Directive was issued by the European Union (EU) to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (UK) enacted the Data Protection Act (DPA) in 1998 and the same was brought into force in the year 2001.

The DPA sets forth eight, Data Protection Principles (DPP)[2] to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the information commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes with a camera, video recorder, etc., are also exempt. The main features of the CoP have been summarized below:

It is important to ascertain who has the responsibility for the control of the images i.e., deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the information commissioner as to who the data controller is.
An impact assessment should be done to evaluate the scheme’s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The camera should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed must be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. It should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Staff operating the system needs to be aware of the rights of the individual under the DPA.

Canada

Canada has two federal laws which deal with privacy — the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by the federal government departments and agencies whereas the latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations.

A privacy commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The privacy commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized.

The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e., in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are[3]

Video surveillance should only be used to address a "real and pressing problem" which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be "real and verifiable" instances of crime or concern for public safety.
Video surveillance should be conducted only as a last resort i.e., in circumstances where there in no other less privacy-intrusive alternative.
A "privacy impact assessment" should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
Relevant stakeholders (for example, members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
The video surveillance should be conducted in such a way that impact on the privacy rights of citizens is minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to be always on surveillance if it will achieve substantially the same result.
The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
Security of the equipment and images should be assured.
People whose images are recorded should be able to request access to their recorded personal information.

The second set of guidelines is with respect to video surveillance in private sector organizations. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. They do not apply to covert video surveillance nor do they apply to the surveillance of employees.

"Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
Develop a policy on the use of video surveillance.
Limit the use and viewing range of cameras as much as possible.
Inform the public that video surveillance is taking place.
Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
Give individuals access to information about themselves. This includes video images.
Educate camera operators on the obligation to protect the privacy of individuals.
Periodically evaluate the need for video surveillance."

United States of America

Statutory laws governing the regulation of video surveillance in America are scarce. While there are some state laws which regulate aspects of public video surveillance, there are virtually no federal laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines — especially the first and the fourth amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive.

Another important directive is the "Fair Information Practices" (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any government-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:[4]

"Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse; and
Redress and accountability for injury resulting from loss or misuse of personal information."

Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:

While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved, etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location under surveillance by taking into consideration the nature of the place, activity, condition, or location.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved.

Australia

Neither the Australian Federal Constitution nor the Constitutions of the six states and two territories contain any express provisions relating to privacy. However, there are several state and federal privacy laws governing specific sectors and aspects. The primary federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia's commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulates private sector organizations. However, private organizations can set forth their own "code of practice" and get it approved by the privacy commissioner as long as it does not go against the broad framework laid down by the NPPs.

Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act, 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act, 1999 and Western Australia by the Surveillance Devices Act, 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance.

Japan

The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was non-existent and the government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan[6] protects only personal information that is obtained and held by administrative agencies, private agencies. It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this Act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.

In this regard it is set forth that there exists no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the "N system"[7] in order to record license plate numbers of vehicles on roads, highways, etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city.[8] However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.

Conclusion

We have now moved into an age where security seems to be the primary issue for most countries and their citizens. Video surveillance is increasingly being used to assuage the fears of the citizens and bring perpetrators to justice. In such a scenario, the issue of privacy rights of individuals seems to have taken a backseat. While some countries such as Canada and Britain have attempted to strike a balance between the need for surveillance and the privacy rights of the people, other countries such as the United States of America and Japan do not seem to have made much progress in terms of creating video surveillance norms or regulations to protect the privacy rights of citizens.

Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance.

These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties. Further, in order to balance security with privacy, the next step is to create an office for the information commissioner. It should be created and powers should be conferred to ensure that the privacy related disputes are handled efficiently and expeditiously. Furthermore, the misuse of the powers conferred upon surveillance authorities should be deterred by giving further powers to the commissioner to impose pecuniary liability.

Bibliography

European Union

Canada

United States of America:

Australia:

Japan

https://www.privacyinternational.org/article/phr2006-japan#[45]

Notes

[1]Directive 95/46/EC.

[2]See http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx (eight data protection principles)

[3]Full guidelines: http://www.priv.gc.ca/information/guide/vs_060301_e.cfm.

[4]Full guidelines: http://www.americanbar.org/publications/criminal_justice_section_archive/crimjust_standards_taps_blk.html#9.

[5]http://www.proactivestrategies.com.au/library/Loss%20Prevention/Video%20Surveillance%20National%20article.PDF.

[6]This law extends to private businesses, government organizations and independent administrative agencies.

[7]540 locations on expressways and major highways throughout the country; it automatically records the license plate number of every passing car.

[8]This regime has also been litigated upon thoroughly with lawyers claiming the same to be unconstitutional.

For more details visit https://cis-india.org/internet-governance/blog/privacy/video-surveillance-privacy

The Surveillance Industry in India – An Analysis of Indian Security Expos

divij — 2015-03-08T12:25:15Z

The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, In India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and requires surveillance to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without and public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, the State and its agencies Section 69 and 69B of the IT Act empower the government to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several state government proposed comprehensive CCTV-surveillance schemes for cities. [6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The Mass surveillance industry by its very nature is closed, secretive and without democratic oversight, Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized are far and few. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have been from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publically accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 -http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'worlds largest security exhibition', proclaims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators Large business houses and PSU's.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publically available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 -http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) ( 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is a electronics expo which showcases technologies across the spectrum of electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security, and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi, which includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares give us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publically available sources. [14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA),

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

The use of unmanned drones for security purposes is being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAV's for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring. [20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAV's) for aerial video surveillance. Auruora Integrated, [21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).

[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

For more details visit https://cis-india.org/internet-governance/blog/surveillance-industry-in-india-analysis-of-indian-security-expos

State Surveillance and Human Rights Camp: Summary

elonnai — 2013-07-12T16:02:51Z

On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.

The camp also served as a platform for collaboration on the Draft International Principles on Communications Surveillance and Human Rights. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.

The draft principles were institutionalized for a number of reasons including:

Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data.
Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated.
New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.
Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual.

This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.

A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed here .

Summary of the Draft International Principles on Communications Surveillance and Human Rights

Legality: Any surveillance of communications undertaken by the government must be codified by statute.

Legitimate Purpose: Laws should only allow surveillance of communications for legitimate purposes.

Necessity: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.

Adequacy: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.

Competent Authority: Any authorization for surveillance of communications must be made by a competent and independent authority.

Proportionality: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.

Due process: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.

User notification: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.

Transparency about use of government surveillance: The governments ability to survey communications and the process for surveillance should be transparent to the public.

Oversight: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.

Integrity of communications and systems: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.

Safeguards for international cooperation: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.

Safeguards against illegitimate access: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications.

Cost of surveillance: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.

Types of Data

The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.[1]

Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.[2]

It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.

Ways of Accessing Data

Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.

Access and Technology

In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.[3]

In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).[4] Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.[5] With this information it is possible to read the actual content of packets, and identify the program or service being used.[6]

DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.[7]

Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".[8]

Access and Legislation

The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.

1]. EFF. Mandatory Data Retention: United States. Available at: https://www.eff.org/issues/mandatory-data-retention/us
[2].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/
[3]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0
[4]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html
[5]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works
[6]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609
[7]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138
[8].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/

For more details visit https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary

More than a Hundred Global Groups Make a Principled Stand against Surveillance

elonnai — 2013-07-31T14:26:38Z

For some time now there has been a need to update understandings of existing human rights law to reflect modern surveillance technologies and techniques.

Nothing could demonstrate the urgency of this situation more than the recent revelations confirming the mass surveillance of innocent individuals around the world.

To move toward that goal, today we’re pleased to announce the formal launch of the International Principles on the Application of Human Rights to Communications Surveillance. The principles articulate what international human rights law – which binds every country across the globe – require of governments in the digital age. They speak to a growing global consensus that modern surveillance has gone too far and needs to be restrained. They also give benchmarks that people around the world can use to evaluate and push for changes in their own legal systems.

The product of over a year of consultation among civil society, privacy and technology experts, including the Centre for Internet and Society (read here, here, here and here), the principles have already been co-signed by over hundred organisations from around the world. The process was led by Privacy International, Access, and the Electronic Frontier Foundation. The process was led by Privacy International, Access, and the Electronic Frontier Foundation.

The release of the principles comes on the heels of a landmark report from the United Nations Special Rapporteur on the right to Freedom of Opinion and Expression, which details the widespread use of state surveillance of communications, stating that such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights. And recently, the UN High Commissioner for Human Rights, Nivay Pillay, emphasised the importance of applying human right standards and democratic safeguards to surveillance and law enforcement activities.

"While concerns about national security and criminal activity may justify the exceptional and narrowly-tailored use of surveillance programmes, surveillance without adequate safeguards to protect the right to privacy actually risk impacting negatively on the enjoyment of human rights and fundamental freedoms," Pillay said.

The principles, summarised below, can be found in full at necessaryandproportionate.org. Over the next year and beyond, groups around the world will be using them to advocate for changes in how present laws are interpreted and how new laws are crafted.

We encourage privacy advocates, rights organisations, scholars from legal and academic communities, and other members of civil society to support the principles by adding their signature.

To sign, please send an email to rights@eff.org, or visit https://www.necessaryandproportionate.org/about

Summary of the 13 principles

Legality: Any limitation on the right to privacy must be prescribed by law.
Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.
Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim.
Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfill the specific legitimate aim identified.
Proportionality: Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to users’ rights and to other competing interests.
Competent judicial authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
Due process: States must respect and guarantee individuals' human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.
User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation.
Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers.
Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.
Integrity of communications and systems: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain information.
Safeguards for international cooperation: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to communications surveillance, the available standard with the higher level of protection for users should apply.
Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public and private actors.

For more details visit https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:10:55Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

The pandemic has brought to light several fissures in existing patterns of governance-focussing on governmentality that snatches autonomy from the citizen and enmeshes it within existing power structures. Datafication through the phenomenon of lateral surveillance has been pushed across the globe as a way of combating human challenges in the 21st century, including those brought about by the pandemic.

Lateral surveillance is the act of ‘watching over’. Lateral surveillance differs from typical surveillance as the power dynamic between the one watching and the one being watched is not structural or hierarchical but more decentralized and balanced. The surveillance takes place between individuals themselves, without the involvement of any organizational entity such as the government. Looking back, the initiatives which encouraged lateral surveillance originated in the form of neighbourhood watch schemes and community policing initiatives in the United States and later spread across the world. These neighbourhood watch schemes enabled individuals to become the ‘eyes and ears’ of law enforcement agencies. With the advancements in technology, these neighbourhood watch and community building initiatives have transformed into easily accessible mobile applications, operated by law enforcement agencies or private entities, to mobilize citizens to monitor their surroundings or provide them with information sharing platforms to enable peer to peer or citizen communication. Though they aim to help in reducing the crime rates, improving the quality of life, building community pride and unity, they actually have many negative effects on people. This paper seeks to analyze the societal and legal implications of such technologies and provides recommendations to governments so that citizens’ rights are kept as a bare minimum threshold and not an option in a checklist.

While the essay released in May 2020 focused on the impact of lateral surveillance during COVID’19, this paper focuses largely on the history and evolution of lateral surveillance and the technologisation of the same. This paper also sheds light on the effects of lateral surveillance on the society and the challenges it poses to certain fundamental rights guaranteed under the Constitution.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/blog/widening-the-horizons-of-surveillance-lateral-surveillance-mechanisms

GSMA Research Outputs

elonnai — 2015-04-06T14:18:18Z

This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.

Click to download the PDF

Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.

Click to download the PDF

Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.

Click to download the PDF

Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.

Click to download the PDF

Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.

Click to download the PDF

Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.

Click to download the PDF

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.

Click to download the PDF

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.

Click to download the PDF

Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.

Click to download the PDF

The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.

Click to download the PDF

State of Cyber Security and Surveillance in India: A Review of the Legal Landscape

The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.

Click to download the PDF

For more details visit https://cis-india.org/internet-governance/blog/gsma-research-outputs

Widening the Horizons of Surveillance - Lateral Surveillance Mechanisms

Mira Swaminathan & Shubhika Saluja — 2021-01-08T11:01:06Z

This paper sheds light on the issues and challenges associated with lateral surveillance mechanisms.

Read the full paper here.

The research was submitted for review in May 2020 and accepted for publication in June 2020.

For more details visit https://cis-india.org/internet-governance/widening-the-horizons-of-surveillance

Why 'Facebook' is More Dangerous than the Government Spying on You

maria — 2013-11-23T08:38:30Z

In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook.

Do you have a profile on Facebook? Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:

“Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”

The Indian Surveillance State

Following Snowden ’s revelations, there’s finally been more talk about surveillance. But what is surveillance?

David Lyon - who directs the Surveillance Studies Centre - defines surveillance as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”. Surveillance can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.

State Surveillance

The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a real issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!

The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:

1. They create surveillance schemes, such as the Central Monitoring System (CMS ), which carry out targeted and/or mass surveillance

2. They create laws, guidelines and license agreements, such as the Information Technology (Amendment ) Act 2008, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply

3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance

While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.

In particular, surveillance in India is regulated under five laws: the Indian Telegraph Act 1885, the Indian Post Office Act 1898, the Indian Wireless Telegraphy Act 1933, section 91 of the 1973 Code of Criminal Procedure (CrPc ) and the Information Technology (Amendment ) Act 2008. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.

While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the Information Technology (Amendment ) Act 2008 allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.

Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in “1984”. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The arrest of two Indian women last November over a Facebook post reminds us of this.

Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the UAS License Agreement regarding the Central Monitoring System (CMS ) not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued numerous guidelines and license agreements for ISPs and telecom operators, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new National Cyber Security Policy, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.

As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, India ’s Computer Emergency Response Team (CERT ) is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.

The Crime and Criminal Tracking and Network & Systems (CCTNS ) is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.

Similarly, the National Intelligence Grid (NATGRID ) is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.

However, the most controversial surveillance scheme being implemented in India is probably the Central Monitoring System (CMS). While several states, such as Assam, already have Internet Monitoring Systems in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.

And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the surveillance industry in India is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to CIS ’ India Privacy Monitor Map - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the DRDO ’s “Netra ” - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.

But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, ClearTrail Technologies is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with surveillance software which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the ISS surveillance trade shows, otherwise known as “the wiretappers’ ball”.

Corporate Surveillance

When I ask people about corporate surveillance, the answer I usually get is: “Corporations only care about their profit - they don’t do surveillance per se”. And while that may be true, David Lyon ’s definition of surveillance - as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” - may indicate otherwise.

Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, allow law enforcement to tap into their servers. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.

So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that surveillance involves the collection of personal data - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, is surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, “if the product is free , you are the product ”.

Now if we look at online corporations more closely, we can probably identify three categories:

1. Websites through which we buy products and hand over our personal details - e.g. Amazon

2. Websites through which we use services and hand over our personal details - e.g. flight ticket

3. Websites through which we communicate and hand over our personal details - e.g. Facebook

And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:

- Disclose such data to law enforcement agencies

- Allow law enforcement agencies to tap into their servers

- Sell such data to “third parties”

What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we consent to the handing over of our personal information. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of “choice”. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.

State Surveillance vs. Corporate Surveillance

Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, collects 20 times more data per day than the NSA in total. In addition, Facebook has claimed that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.

Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the analysis of data, which in turn involves pattern matching and profiling, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because we “choose” to hand over our data!

Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: convenience. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.

The irony in all of this is that, while many people reacted to Snowden ’s revelations on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.

In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a direct threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas they rarely react to what does not directly affect them. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.

University students have protested on the streets against the installation of CCTV cameras, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:

- Personal photos

- Biometrics (possibly through photos)

- Family members

- Friends and acquaintances

- Habits, hobbies and interests

- Location (through IP address)

- Places visited

- Economic standing (based on pictures, comments, etc.)

- Educational background

- Ideas and opinions (which may be political, religious, etc.)

- Activities

- Affiliations

The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that we can never really know how much data we are disclosing, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. It all really comes down to who is looking at our data, when and why.

For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is “Anarchism and other Essays ” by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.

In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.

Today, governments don’t judge us and take decisions based on our version of our data, but based on what our data says about us. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.

Most companies retain data indefinitely or for a long period of time, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, every bit of data may potentially entails various other bits of data that we are not even aware of. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an illusionary sense of control over their personal data.

Social network analysis software is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to match patterns. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.

In data mining, behavioural statistics are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we voluntarily disclose massive amounts of data about ourselves - is that it appears to come down to public control.

According to security expert Bruce Schneier, data today is a byproduct of the Information Society. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an indirect threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.

Hannah Arendt argued that a main prerequisite and component of totalitarian power is support by the masses. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, CCTV cameras are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as Spy Coca Cola cans - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the Central Monitoring System in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access choose to share their personal data through the use of social networking sites.

Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just convenient to be on Facebook. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.

In the long term, what does this mean? Well, it seems like we will probably be more acceptive towards more authoritarian power, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.

What’s particularly interesting though about surveillance today is that it is fueled and enabled through our freedom of speech and general Internet freedom. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the Chinese versions of Facebook and Twitter - it’s probably no coincidence.

While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t choose to hand over our personal data to begin with, none of the above would have been possible.

The real danger in the Digital Age is not necessarily surveillance per se, but our choice to voluntarily disclose our personal data.

For more details visit https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you

Security and Surveillance – Optimizing Security while Safeguarding Human Rights

elonnai — 2015-02-13T02:41:46Z

The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights.

The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.

During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.

Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.

Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.

A common theme seemed to be emerging from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - “There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”

The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, “We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.

For more details visit https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights

Open Governance and Privacy in a Post-Snowden World : Webinar

vanya — 2015-10-04T11:09:12Z

On 10th September 2015, the OGP Support Unit, the Open Government Guide, and the World Bank held a webinar on “Open Governance and Privacy in a Post-Snowden World” presented by Carly Nyst, Independent consultant and former Legal Director of Privacy International and Javier Ruiz, Policy Director of Open Rights Group. This is a summary of the key issues that were discussed by the speakers and the participants.

See Open Governance and Privacy in a Post-Snowden World

Summary

The webinar discussed how Government surveillance has become an important and key issue in the 21^st century, thanks to Edward Snowden. The main concern raised was with respect to what a democracy should look like in the present day. Should the states’ use of technology enable state surveillance or an open government? Typically, there is a balance that must be achieved between the privacy of an individual and the security of the state – particularly as the former is primarily about social rights and collective interest of citizens.

At the international level, the right to privacy has been recognized as a basic human right and an enabler of other individual freedoms. This right encapsulates protection of personal data where citizens have the authority to choose whether to share or reveal their personal data or not. Due to technological advancement that has enabled collection, storage and sharing of personal data, the right to privacy and data protection frameworks have become of utmost importance and relevance with regard to open government efforts. Therefore, it is important for Governments to be transparent in handling sensitive data that they collect and use.

Many countries have also introduced laws to balance the right to privacy and right to information. The role of the private sector and NGOs involved in enabling an open and transparent government must also be duly addressed at a national level.

Key Questions:

Why should the government release information?

There are multiple reasons for doing so including:

For the purposes of research and public policy (which relates to healthcare, social issues, economics, national statistics, census, etc.)

Transparency and accountability (politicians, registers, public expenses, subsidies, fraud, court records, education)

Public participation and public services (budgets, anti-corruption, engagement, and e-governance).

However, all these have certain risks and privacy implications:

Risk of identification of individual: Any individual whose information is released has the risk of identification, followed by issues like identity theft, discrimination, stigmatization or repression. Normally, the solution for this would be anonymization of the data; however, this is not an absolute solution. Privacy laws can generally cope with such risks, but with pseudonymous data it becomes difficult in preventing identification.
Profiling of social categories which can lead to discrimination: In such a situation, policies and other legislations regulating the use of data and providing remedy for violations can help.
Exploitation and unfair/unethical use of information: When understanding the potential exploitation of information it is useful to consider who is going to benefit from the release of information. For example, in UK, with respect to release of Health Data, the main concern is that people and companies will benefit commercially from the information released, despite of the result potentially being improved drugs and treatment.

What are the Solutions?

The webinar also discussed potential solutions to the questions and challenges posed. For example, when commitments of Open Government Data Partnership are considered, privacy legislations must also be proposed. Further, key stakeholders must make commitments to take pro-active measures to reduce informational asymmetries between the state and citizens. To reduce the risks, measures must be taken to publish what information the State has or what the Government knows about the citizens. For example, in UK, within the civil society network, it is being duly considered in the national plan that the government will publicize how it will share data and have a centralized view on the process of information handling and usage of the data.

The Open Government Guide provides for Illustrative Commitments like enactment of data protection legislation, establishing programmes for awareness and assessment of their impact, giving citizens control of their personal information and the right to redress when that information is misused, etc.

Surveillance

The issue of surveillance and the role of privacy in an open government context was also discussed. The need for creating a balance between the legitimate interest of national security and the privacy of individuals was emphasized. With the rise of digital technologies, many governmental measures pertaining to surveillance intervene in individual privacy. There are many forms of surveillance and this has serious privacy implications, especially in developing countries. For example:

Communications surveillance
Visual surveillance
Travel surveillance

This raises the question: When is surveillance legitimate and when must it be allowed?

The International Principles on the Application of Human Rights to Communications Surveillance acts as a soft law and tries to set out what a good surveillance system looks like by ensuring that governments are in compliance with international human rights law.

In essence surveillance does not violate privacy, however, there must be a clear and foreseeable legal framework laying circumstances when the government has the power to collect data and when individuals might be able to foresee when they might be under surveillance.

Also, a competent judicial authority must be established to oversee surveillance and keep a check on executive power by placing restrictions on privacy invasions. The actions of the government must be proportionate and the benefits must not outweigh harm caused by surveillance.

Role of openness in a “mass surveillance” state

Surveillance measures that are being undertaken by governments are increasingly secretive. The European court of Human Rights has held that Secret surveillance may undermine democracy under the cloak of protecting it. Hence, open government and openness will work towards protecting privacy and not undermining it.

To balance the measure of government surveillance with privacy, there is a need to publish laws regulating such powers; publish transparency reports about surveillance, interception and access to communications data; reform legislations relating to surveillance by state agencies to ensure it complies with human rights and establish safeguards to ensure that new technologies used for surveillance and interception respect the right to privacy.

Conclusion

The conclusion one can draw is that Privacy concerns have gained importance in today’s data driven world. The main question that needs to be answered is whether Government’s should adopt surveillance measures or adopt an Open Government?

Considering equal importance of national security and privacy of individuals, it is required that a balance must be crafted between the two. This could be possibly done by enacting foreseeable and clear laws outlining scope of surveillance by the Government on one hand, and informing citizens about such measures on the other. Establishment of a competent judicial authority to keep a check on Government actions is also suggested to work out the delicate balance between surveillance and privacy.

For more details visit https://cis-india.org/internet-governance/blog/open-governance-and-privacy-in-a-post-snowden-world-webinar

Paranoid about state surveillance? Here’s the FD Guide to living in the age of snoops

Admin — 2017-12-16T13:38:46Z

The US does it, so does China. Ever since Edward Snowden’s revelations back in 2013, which exposed the extent of the US’s global surveillance apparatus, the public has been fairly clued into the extent of mass surveillance.

The blog post by Sriram Sharma was published in Factor Daily on December 12, 2017

It doesn’t take a conspiracy theorist to worry that India does it (or wants to), too, especially with the high decibel campaigns by banks, telecom service providers and others to have Indians link Aadhaar, the unique citizen ID, to multiple services.

If you want a dystopian picture of the future of surveillance, look no further than China, considered the world’s worst abuser of internet freedom for the third year in a row, according to the new Freedom House, a US-based NGO that conducts research and analysis on the internet. With a score of 87/100 (higher is worse), the Chinese state is renowned for its Great Firewall, which filters access to the wider internet. “Digital activism has declined amid growing legal and technical restrictions as well as heavy prison sentences against prominent civil society figures,” the latest Freedom House report notes.

India is rated “Partly Free” with a score of 41/100 (lower is better) in Freedom House’s 2017 report on internet freedom

While it’s a long way away from China, India scores 41/100 on Internet Freedom in 2017 but is still considered only ‘partly free’ owing to blocking of internet and telecom service providers in Kashmir and detainment of citizens for expressing their views online. The India report from Freedom House highlights Aadhaar’s mandatory linking for a wide range of schemes and records concerns regarding its privacy and security implications.

In this guide, we take a look at the why, what and how of India’s surveillance apparatus, the legal provisions in the Indian constitution that enables them, ask domain experts to provide us with tips on living in an age of state surveillance. We also take a look at a variety of widely used tools and apps that help you countering state surveillance or tracking of any kind.

Know your Big Brother: India’s State Surveillance Programs

Right to privacy organisation Privacy International has a detailed dossier on the state of privacy in India, which examines India’s surveillance schemes, laws around interception and access, and central intelligence agencies that carry out surveillance. Apart from the state police and the army, surveillance is carried out at least 16 different intelligence agencies, it notes.

The Centre for Internet and Society (CIS) and Software Freedom Law Centre (SFLC) have done extensive research in the past on India’s surveillance apparatus. Earlier this year, CIS reported on the various programs and tech infrastructure behind India’s surveillance state: these include Central Monitoring System (CMS), National Intelligence Grid (NATGRID), Network Traffic Analysis System (NETRA), etc. An earlier CIS report highlights a boom in surveillance tech in India following the 26/11 terror attacks in Mumbai.

Based on an RTI (Right to Information) filing, SFLC’s 2014 report on India’s Surveillance State reveals that around 7,500 to 9,000 telephone interception orders are issued by the central government alone each month. State surveillance of citizens’ private communications is authorised by laws that let them monitor phone calls, texts, e-mails and Internet activity on a number of broadly worded grounds such as such as ‘security of the state’, ‘defence of India’, and ‘public safety’.

The Government of India is also known to said to work with private third parties, some of which go so far as to infect target devices using malicious software to extract information on the subject. A 2013 Citizen Lab report titled ‘The Commercialisation of Digital Spying’ found command and control servers (used to control the host system) for FinFisher (a remote computer monitoring software suite) in India. A Wikileaks expose in 2015 dumped over a million emails belonging to Italian surveillance malware vendor HackingTeam. The emails revealed how India’s top intelligence agencies and the government expressed interest in buying Hacking Team’s malware interception tools.

Fears of an Aadhaar Surveillance State

Thejesh G N, an infoactivist wrote in FactorDaily about Hyderabad’s surveillance hub, which wants to collect all manner of details. Aadhaar is one of the primary keys to matching profiles with external data sources, he notes.

A look at data points gathered by Hyderabad’s Integrated Information Hub

“The end product shows on a map where you live, what you consume, did you take PDS, move to some other place, your mobile number, gender… there’s a lot of data in the hands of the very lowest level of government, which doesn’t have any protection as by a parliamentary committee or anything like that. It’s run by bureaucrats, so that has huge implications,” he says. “If you see Citizen Four (a 2014 documentary about Edward Snowden), it shows a similar system, where you enter one’s SSN, and it shows everything you have done, and are planning to do. We are building the same system…Governments change, today we might have a good government, tomorrow we might have the worst possible government on the planet.”

Pranesh Prakash, Policy Director of CIS says he doesn’t regard Aadhaar as a surveillance project. “I see Aadhaar as something that can facilitate surveillance, but by and of itself, it isn’t surveillance,” he says, adding that it does so in a non-consensual manner. “By having Aadhaar numbers across multiple databases, you make surveillance easier. But you need to tie it up to a surveillance system. For instance, Aadhaar without NATGRID isn’t surveillance, but Aadhaar with NATGRID can be helpful for surveillance.” NATGRID (National Intelligence Grid) was first proposed in late 2009 following 26/11 attacks by the Union Home Minister, to enhance India’s counter-terror capabilities. It links 21 citizen databases for access to intelligence/enforcement agencies.

Ongrid’s website earlier had this visualisation depicting its verification service, which made privacy advocates cringe. Source: Twitter.

We discussed some worst-case scenarios around the commercial use of Aadhaar and India Stack companies with Thejesh. “Let’s say there’s a screening company and they have your Aadhaar ID. They will send it to Airtel, or Vodafone, and ask for a list of all the websites you have viewed. Maybe you’ve watched porn or something, at some point in your life, and that could hurt your employment,” he says.

Curbing your data exhaust

The EFF (Electronic Frontier Foundation) has published a number of useful articles and resources for countering internet surveillance. Recommendations include using end-to-end encryption through tools such as OTR (a messaging protocol available on Adium), PGP (to exchange secure emails), and Signal (messenger).

Other useful tips:

Use VPNs

VPNs (virtual private networks) use encryption protocols and secure tunneling techniques to keep your internet activity impervious to snooping. With a VPN, you can bypass ISP restrictions on blocked websites or access services (Spotify) not available in your country, making it appear that you are browsing from another part of the world. Keep in mind that you can still be outed by your VPN provider, so it’s important to choose one that respects your privacy. There are hundreds of VPN service providers to choose from, That One Privacy Guy maintains a detailed comparison chart of over a hundred VPN providers, with details on jurisdiction, price, ethics, logging policies, VPN protocols supported, and more. Out of these, the country that the VPN provider is based in is a key filter: you don’t want to choose a VPN service based out of the ‘14 eyes‘, as they are known to do mass surveillance.

Use TOR

Tor, an acronym for ‘The Onion Router’, is a free app that lets you anonymise your online communication by directing a web browser’s traffic through a volunteer-run network of thousands of servers. It is funded by the US-based National Science Foundation, Mozilla, and Open Technology Fund, among others. Tor is available for download on Windows, Mac, Linux, and Android.

Browsing on Tor can be far slower than a regular web browser, but it keeps you anonymous.

Encrypt your storage

It’s now a default feature on your phone, or computer, so there’s no reason why you shouldn’t make use of it. To check if it is turned on in Windows 10, Go to Settings > System > About, and look for a “Device encryption” setting at the bottom of the About tab. Keep in mind that you need to sign into Windows with a Microsoft account to enable this setting, so it’s likely that the NSA or FBI might be able to bypass it.

On a Mac, you turn on full-disk encryption through FileVault, accessible in > System Preferences > Security & Privacy.

On an iPhone, data protection is enabled once you set up a passcode on your device.

Android 5.0 and above devices support full-disk encryption. If it isn’t turned on by default on your device, you can turn on encryption under the Security menu.

Sensitive documents can also be encrypted using TrueCrypt. Though you must keep in mind that key disclosure laws apply in India, under the Section 69 of the Information Technology Act, which states that there’s a seven-year prison sentence for failing to assist the central and state governments in decrypting information on a computer resource.

Use an air-gapped PC

An air-gapped PC is one that is not connected to the internet or to any computers that are connected to the internet. Air-gapped PCs are typically used when handling critical infrastructure, and this is an extreme measure one can take when working with sensitive data that you don’t want to be leaked.

Use HTTPS everywhere

HTTPS Everywhere offers plugins for Firefox, Chrome, and Opera, and turns every link you open or key in, to a secure version of the HTTP protocol, which is encrypted by Transport Layer Security (TLS). The tool protects you from eavesdropping or tampering with the site you are visiting, but only works on sites that support HTTPS. Keep in mind that this tool won’t conceal the sites you have accessed from eavesdroppers but it won’t reveal the specific URL that you visited.

Turn on Advanced Protection in Gmail

If you trust Gmail with your data, take the relationship to the next level with Advanced Protection, which safeguards your account against phishing attacks, limits access to trusted apps, and adds extra verification features to block fraudulent account access. You will need a Bluetooth key and a USB key to turn this feature on.

Some other don’ts

Don’t leave any cameras open. Tape them up if you are a potential surveillance target.
Don’t use freemium apps, which trade in your privacy. A recent example of a worst-case scenario.
Don’t send any data via free email services that you would like to keep private.
Don’t use Google or Facebook, as Snowden says, if you value your privacy. Don’t take our word for it.

As for Aadhaar, Thejesh says that there isn’t much one can do as it is forcibly linked to many essential services. He recommends using different email ids for official work and unofficial work. “Use one email ID for Aadhaar and mobile related accounts, and use the other one for regular communication. It separates the accounts from surveillance and adds a layer of security,” he says. “Don’t use Aadhaar until is necessary. If you use Aadhaar and you are not in a mood to resist everything, then don’t use it where it is not required. Don’t use it like a regular address proof,” he adds.

If you are already an Aadhaar holder, it makes sense to use the biometric locking system provided by UIDAI on its website to protect against identity theft and unauthorised access. The biometric locking feature sends an OTP code to your registered mobile number to unlock or disable the locking system.

If someone is concerned about surveillance, CIS’s Prakash recommends not having a cell phone. “The cellphone is the single largest means of data gathering about you,” he says.

Surveillance can take many forms: it can be physical or off-the-air surveillance (an interception technique used to snoop on phone calls), he points out.

A CCTV camera fitted on top of a Hyderabad Police vehicle

Surveillance is not always bad: medical surveillance, for instance, an entire field around the spread of diseases, is necessary, Prakash clarifies. “Even state surveillance for national security purposes is absolutely necessary. A nation-state can’t survive without surveillance so I am quite clear that those who oppose all forms of surveillance are opposing all kinds of rights – because you can’t have rights without security. And indeed, individual security is a human right guaranteed under the Universal Declaration of Human Rights and guaranteed in Article 21 of the Indian Constitution. Without security of the person, you can’t have the right to freedom of speech, you can’t enjoy the right to privacy… If you’re in a state of war or in a state of terror, then you can’t enjoy rights – so clearly for me, surveillance is necessary,” he says.

That said, surveillance in India is highly problematic as the laws and the democratic framework for surveillance is very weak, and enforcement of that framework is even worse, Prakash adds. “One of the best ways of countering surveillance, I would suggest, is to actually demand a democratic framework for surveillance in India. Demand that your MLA and MP take up this issue at the state and central level… and that we have a democratic framework for both our intelligence agencies and for all the surveillance that is conducted by the state in India,” he says.

He calls everything else – “the technological stuff, using anonymising networks, end-to-end encryption” – a second order issue. “It can help you as an individual, but it doesn’t help us as a society.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops