The Centre for Internet and Society
https://cis-india.org
Report on the 1st Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting
<b>This report provides an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS), in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. DSCI will be joining the CIS as a co-organizer on 20 April 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARDS project.</p>
<p style="text-align: justify; ">In 2012, the CIS was a member of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the final meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are listed below:</span></p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li style="text-align: justify; ">New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p>This <a href="https://cis-india.org/internet-governance/blog/report-on-delhi-privacy-round-table.pdf" class="internal-link">report</a> provides an overview of the discussions and recommendations of the first Privacy Round Table meeting in New Delhi, on 13th April 2013.</p>
<h2><b>Overview of Justice A P Shah Report: Purpose, Principles and Framework</b></h2>
<p style="text-align: justify; ">The Delhi Privacy Round Table meeting began with an overview of the Report of the Group of Experts on Privacy, by the Justice AP Shah Committee. The report recommends a potential framework for privacy in India, including detailing nine privacy principles and a regulatory framework. India currently lacks a privacy legislation and during the meeting it was pointed out that the protection of personal data in India is a highly significant issue, especially in light of the UID scheme. The Report of the Group of Experts on Privacy has guided the draft of the Privacy (Protection) Bill 2013 by CIS and will potentially guide the creation of privacy legislation by the Government of India.</p>
<p style="text-align: justify; ">During the discussion on the report, a participant stated that, although privacy legislation should be enacted in India to protect individuals' personal data, commercial interests should not be endangered in the name of privacy. In particular, he called for the creation of a comprehensive privacy law in India and argued that although privacy should be protected, it should not have a negative impact on cloud computing, social media and online businesses. Thus, the participant emphasized the creation of “light-weight” privacy legislation, which would protect individuals' right to privacy without infringing upon the interests of the private sector.</p>
<p style="text-align: justify; ">Following the presentation of the privacy principles of the Justice AP Shah Report, the participants of the meeting made many comments on the feasibility of applying these principles within privacy legislation. In particular, a participant stated that setting a specific data retention framework is a very complicated issue, since the storage of data depends on many factors, some of which are:</p>
<ul style="text-align: justify; ">
<li>The purpose of the collection of data</li>
<li>The purpose behind the collection of data may change within the process and may require a longer retention period, depending on the case</li>
<li>Data is shared with third parties and it is hard to control how long they retain the data for</li>
<li>Every type of data serves a different purpose and it is hard to set a universal data retention regulatory framework for all different types of data</li>
</ul>
<p style="text-align: justify; ">Some participants argued that the nature of technological evolution should be considered within the privacy principles framework, in the sense that privacy is a fundamental human right to the extent that it does not disrupt other human rights and interests, such as those of companies. Many questions were raised with regard to data collection, one of them being: When data is collected for two different purposes, should an individual be eligible for single access to both types of data? Many other questions were raised with regard to co-regulation and self-regulation. In particular, a participant argued that, based on international experience, India will not be able to enforce self-regulation. On self-regulation in the United States, a participant stated that there are fifty laws which deal with certain aspects of privacy. The participant suggested that India follow the U.S. model, since self-regulation is more effective when the industry is involved, rather than when the government just imposes laws in a top-down manner. The United States enables the involvement of the industry in self-regulation and a participant recommended the same for India, and also that the standards for co-regulation and self-regulation be approved by the Privacy Commissioner.</p>
<p style="text-align: justify; ">While identifying the clash between the right to privacy and the right to information, participants argued that safeguards are essential in a co-regulation framework, to ensure transparency. It was emphasized that India has a history of corruption and abuse of government power, which increases the probability of self-regulation in the country not being successful. India is currently facing serious problems of accountability and lack of transparency, and participants argued that a solid legal privacy framework would have to be reached, which would not require a legal amendment every other month. Participants pointed out that, within the privacy context, it is highly significant to identify where incentives lie and to regulate the Privacy Commissioner. Currently, if an officer denies access to information, it could take at least a year and a half before being authorised access to information. Participants argued that IT companies and law enforcement agencies should be enabled to access information and that the denial of access to information by the Privacy Commissioner should be regulated. In particular, participants referred to examples from the UK and questioned whether Privacy Commissioners should be considered public authorities.</p>
<p style="text-align: justify; ">The need to find a mechanism which would inform individuals of how their data is used was discussed during the meeting. A debate revolved around the question of whether the Indian government should inform an individual, once that individual's personal information has been collected, used, processed and retained. Many participants argued that since customers decide to use their products, they should comply with the companies' method of handling data and they should trust that the company will not misuse that data. This argument was countered by other participants, who argued that companies should be accountable as to how they handle customers' data and that the sharing of customer data without the individual's prior knowledge or consent could lead to data breaches and human rights violations.</p>
<p style="text-align: justify; ">The first hour of the meeting concluded that self-regulation should be considered with regard to IT companies dealing with customers' data, but a consensus on whether companies should inform individuals of how their data is being used was not reached. Nonetheless, everyone in the meeting agreed upon the need to introduce privacy legislation in India, especially since phone tapping and the interception of communications are a widespread phenomenon in the country. India currently lacks rules for CDRs and the introduction of procedures and laws which would regulate the interception of communications in India was generally agreed upon throughout the first session of the meeting, even though the technical details of how data would be used by the private sector remained controversial.</p>
<h3 style="text-align: justify; ">Discussion Highlights:</h3>
<ul style="text-align: justify; ">
<li>The pros and cons of self-regulation and co-regulation</li>
<li>The national privacy principles – and how to build in insurance for technology</li>
<li>The role of the Privacy Commissioner</li>
<li>The definition of terms used in the draft Privacy (Protection) Bill 2013 </li>
</ul>
<h2><b>Overview, explanation and discussion on the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The second session of the meeting began with an overview of the Privacy (Protection) Bill 2013, which was drafted by the Centre for Internet and Society (CIS) and represents a citizen's version of privacy legislation for India. The Bill contains chapters on the definition of privacy, personal data, interception, surveillance and the Privacy Commissioner. The surveillance chapter was not thoroughly discussed during the meeting, as it is primarily handled from a criminal law perspective and the majority of the participants were from the IT sector.</p>
<p style="text-align: justify; ">During the meeting, the possibility of splitting the Bill was discussed. In particular, if separated, one Bill would focus on personal data and interception, while the second would focus on the criminal justice system. This would broadly be along the lines of the Canadian regime, which has two separate legislations to deal with privacy in the private and public sector.</p>
<p style="text-align: justify; ">Participants discussed the possibility of narrowing down the scope of the exceptions to the right to privacy, and made the critique that the Bill does not include any provisions for co-regulation and self-regulation. Many participants insisted that self-regulation should be included in the Bill, while other participants pointed out that the Bill does not provide protection for several types of data, such as sexual orientation, caste and religion, which may be problematic in the future.</p>
<p style="text-align: justify; ">As the draft Privacy (Protection) Bill 2013 may possibly clash with pre-existing laws, such as the IT Act, participants recommended that new definitions be created, to ensure that the proposed privacy legislation is harmonized with other, potentially contradicting, legislation. Many questions were raised with regard to how personal data in the public sector would be distinguished from personal data in the private sector. Other questions were raised on the harmonization of the Privacy Bill with the Right to Information Act, as well as on the redefinition of surveillance and interception, their changing nature and the difficulties of regulating them.</p>
<p style="text-align: justify; ">Many participants agreed that India's proposed Privacy Law should meet <i>global standards </i>in order to attract more customers to Indian IT companies. However, a participant disagreed with this notion and argued that privacy principles generally differ depending on the social, economic, political and cultural status of a country and that the same universal privacy principles should not be imposed upon all countries. The participant argued that India should not copy global standards, but should instead create parallel legislation which would be interoperable with global standards.</p>
<p style="text-align: justify; ">The issue of to whom privacy laws would apply was thoroughly discussed during the meeting. In particular, questions were raised with regard to whether privacy legislation would only apply to Indian individuals, or if it would also apply to international individuals using services and/or products of Indian IT companies. The data protection of customers beyond India remains vague and this was thoroughly discussed, while participants disagreed upon this issue. According to the draft Privacy (Protection) Bill 2013, consent needs to be taken from the individual, but it remains unclear whether that would be applicable to international customers. Questions were raised on how Indian IT companies would obtain consent for the use of data from customers in foreign countries, especially since different laws apply to each country.</p>
<p style="text-align: justify; ">The second session of the meeting also included a debate on the disclosure of data to intelligence agencies by IT companies. Public authorities often request data from IT companies, on the grounds of national security and the prevention of crime and terrorism. However, questions were raised on whether companies should inform the individual prior to disclosing data to public authorities, as well as on whether certain terms, such as 'data', should be reconceptualised.</p>
<p style="text-align: justify; ">The term 'sensitive personal data' was analysed in the meeting and it was argued that it includes data such as sexual orientation, religion, caste and health records, among others. The participants emphasized the significance of the Bill explicitly including the protection of all sensitive personal data, as well as the need to provide requirements for using personal data in both the private and public sphere. Some participants suggested that the Privacy Commissioner in India be empowered with the authority to define the term 'sensitive personal data' and that he/she not only ensure that all such data is legally protected, but also that health data is included within the definition of the term. A participant backed up the need to closely define the term 'sensitive personal data' by arguing that a loose definition of the term, which would not include ethnic origin, could lead to social violence and tension, and that it is therefore essential to define the term strictly.</p>
<p style="text-align: justify; ">Throughout the meeting it was pointed out that the Bill only deals with three aspects of privacy: personal data, surveillance and interception of communications. According to the draft Privacy (Protection) Bill 2013, an individual has the right to install surveillance technology in his/her private property, as long as that technology does not monitor other individuals in private areas. A participant asked about the balance between internet freedom and privacy, whether that should be included in the Bill and whether exemptions to privacy should be included within those lines. Other participants asked whether CDR records should be placed under privacy exemptions and whether the public disclosure of surveillance should be prohibited by the Bill. The need to redefine 'public figures' was also emphasized in the meeting, as the threshold for public disclosure of data remains unclear. Some participants argued that the public disclosure of data should be prohibited, as this may potentially have severe effects on vulnerable groups of people, such as victims of violence. However, several participants disagreed by arguing that disclosure of data in the name of public interest should be enabled.</p>
<p style="text-align: justify; ">During the meeting several participants argued that the fact that many social networking sites and other online social media enable individuals to publicize their personal data makes it even harder to protect their online privacy. A participant emphasized the need to take freedom of expression into consideration, as it significantly enables individuals to disclose their personal data and increases the probability of online data breaches. Thus, it was argued that the draft Bill should distinguish between private data and private data being made publicly available. However, a participant argued that publicly available data depends on <i>where </i>it is being broadcasted. To support this argument, an example was brought forward of an individual uploading a video on YouTube and that same video being broadcasted on national television. Thus the context in which data is made publicly available is highly significant and should be outlined within the draft Privacy Bill.</p>
<p style="text-align: justify; ">The meeting proceeded to a discussion on the interception of communications and a participant claimed that a major privacy abuse is to intercept communications without a warrant or a legal order, and to request authorisation once the interception has already been conducted. It was argued that, in any case, legal authorisation prior to any interception should be a prerequisite and should be highlighted in the draft Privacy Bill. However, another participant argued that currently, the interception of communications needs to be legally authorised within seven days and that prior authorisation should not be a prerequisite. This argument was supported by the statement that in extreme cases, the conditions may not enable prior authorisation. Many participants then questioned this practice by asking what happens in cases when authorisation is not granted within seven days after an interception and whether the agencies conducting the interception would be accountable. A definitive answer was not given, but the majority of the participants appeared to agree upon the need for legal authorisation prior to any interception.</p>
<p style="text-align: justify; ">The second session of the meeting concluded by stressing the significance of the principles of notice and consent, which should apply in every case, prior to every interception of communications and with regard to the handling of all individuals' personal data.</p>
<h3>Discussion Highlights:</h3>
<ul>
<li>If the draft Privacy (Protection) Bill 2013 should be split into two separate Bills</li>
<li><span>Definition for the term 'sensitive personal data' (to include broader categories, such as health data)</span></li>
<li>If personal data should be distinguished in the private and public sector</li>
<li>If the draft Privacy (Protection) Bill 2013 should comply with global privacy standards</li>
<li>The nuances of consumer consent</li>
<li>Various ways to define 'public figures'</li>
<li>Freedom of expression in the context of the draft Privacy (Protection) Bill 2013 </li>
<li>The distinction between exemptions and exceptions</li>
</ul>
<h2><b>In-depth explanation and discussions regarding the Privacy (Protection) Bill 2013</b></h2>
<p style="text-align: justify; ">The third and final session of the Privacy Round Table began with a discussion on data collection. In particular, a participant stated that data collection should not be defined for a specific purpose, as the purposes for data collection constantly change. This argument was supported by the statement that privacy provisions can negatively affect a company and reduce its earnings, since restricting the instances for data collection ultimately restricts the services a company can provide (such as advertising). Thus it was strongly argued that data collection should not be restricted to 'specific purposes', because such purposes can constantly change and all such restrictions can have a negative impact on both the industry and on intelligence agencies carrying out crime investigations. Other participants countered this argument by stating that the term 'necessary information' is too broad and vague and could create a potential for abuse, which is why data collection should be restricted to specific instances which are legally justified.</p>
<p style="text-align: justify; ">The idea that Internet users should be given the right or the option not to be tracked was emphasized during the meeting. It was suggested that the draft Privacy Bill include provisions which would oblige IT companies and intelligence agencies to inform an individual prior to the tracking of data and to request consent. This argument was supported by the statement that IT companies should protect the interest of the people, especially in terms of data mining and analytics. All such arguments were countered by a participant who stated that the collateral damage surrounding privacy needs to be acknowledged. This statement was supported by the argument that, although it is important to safeguard individuals' right to privacy, regulations should not infringe upon the rights and interests of companies. In particular, it was argued that a deterrent law should not be created and that it should be acknowledged that individuals <i>choose</i> to disclose a large amount of information.</p>
<p style="text-align: justify; ">The meeting proceeded to the discussion of the disclosure of data to third parties, and many participants argued that they should not be obliged to disclose the names of the parties they are sharing data with. It was argued that businesses prefer not to reveal the names of the third parties to which they are disclosing data, as this would affect their competitive advantage in the market. This argument was supplemented by the statement that it would not be feasible to inform individuals every time their data is being shared and that not only would this affect a company's competitive advantage in the market, but it would also be costly and time consuming. Instead of informing individuals every time their data is being shared, it was argued that companies are responsible for protecting their customers' data and that those customers should trust companies with their data. A participant strongly argued that while companies are obliged to protect their customers' data, they are not obliged to reveal the parties with whom they are sharing information, as this would be highly inconvenient.</p>
<p style="text-align: justify; ">Many participants strongly reacted to these statements by arguing that customers should have the right to be informed of how their data is being used and with which parties it is being shared. A participant argued that a customer may not trust the parties that the company chooses to trust and thus every customer should be informed of the sharing of their data. The customer should be respected and should be informed about the sharing of his/her personal data with third parties, because when data is being outsourced, the customer can only hope that the third parties handling his/her data will not misuse it. Thus, customers ultimately lose control over their data and over their personal lives. In order to avoid potential privacy breaches and to empower individuals with control over their personal data and their lives, it was argued that companies should be obliged to inform individuals of the sharing of their data and that this provision should be included in the draft Privacy Bill.</p>
<p style="text-align: justify; ">A participant countered this argument by stating that when data is being automated, it is hard to identify the source of the data and that by providing transparency on which parties share customer data, companies would be put out of business. A participant responded to this argument by stating that companies only protect users' data when they have an incentive to do so, which is why a liability element should be added to the Bill. Other participants supported the argument of not informing customers of the handling of their data by stating that even some of the biggest IT companies, such as Gmail, share customers' data with third parties without informing individuals or gaining prior consent. Such arguments were supported by other participants who emphasized the futility of informing customers of the handling of their data, especially since the average customer would not understand the security settings of a server. Since the majority of online users lack the technological expertise to understand the security settings, all companies should do is provide a security assurance to their customers with regard to how their data is being used.</p>
<p style="text-align: justify; ">In terms of data retention, a participant repeated the argument that a specific regulatory framework for data retention should not be established, especially since the purpose of data collection may change within time. Thus it was emphasized that no data retention period should be included within the draft Privacy Bill.</p>
<p style="text-align: justify; ">In terms of transparency, some participants argued that IT companies should submit detailed reports on how they are using customers' data to the Privacy Commissioner, but not to the public. In particular, many participants emphasized that a co-regulation framework should be implemented for the use of data, through which IT companies would regulate the use of data in co-operation with the Privacy Commissioner. Under a co-regulation framework, the public would be excluded from the right to receive detailed reports on how data is being used. Yet, participants emphasized that companies would be in compliance with regulations on data protection and security, which would ensure that customers' data is not breached.</p>
<p style="text-align: justify; ">Such arguments were countered by other participants, who argued that a tremendous amount of significance lies in informing online users of what type of data is being collected, whether it is being analysed and processed, why it is being collected and with which parties it is being shared. Such questions are considered to be crucial elements of privacy, especially since privacy means that individuals are able to share some data with some individuals, and choose not to share the same or other data with other individuals. The practices of non-disclosure supported by some participants appear to be infringing upon the core of privacy. The participants emphasized that privacy cannot be protected if companies are not accountable with regard to how they handle data.</p>
<p style="text-align: justify; ">The fact that companies can use meta-data for research purposes was mentioned in the meeting, which called upon the need to redefine the term 'data'. Questions were raised in regards to how data can be deleted once used within analytics. Some participants referred to the 'Right to be Forgotten' debate and stated that the deletion of data, in many cases, is not feasible. A participant stated that some data is very sensitive and that companies should be responsible for deciding on how such data should be handled. Data should not be disclosed for the sake of being disclosed, but companies should decide upon the disclosure, retention and destruction of data based on how sensitive its content is. The participant emphasized that customers directly or indirectly give their consent to their data being handled by companies when they use their products and if they do not agree with the security assurances provided by the companies, then they should use a different product or service. However, this argument was countered by several participants who argued that online consumers do not always have an alternative choice and that there is a difference between the bargaining powers of consumers around the world. Some consumers may be socially pressured into using a specific product or service, or may not have an alternative option and the example of Facebook was brought up. Participants argued that given that consumers do not always have a choice to use or not use a specific online service, their data should be protected regardless of consent.</p>
<p style="text-align: justify; ">The debate on the destruction of data continued with participants arguing that companies should not have to destroy all personal data and that such restrictions should only apply to 'sensitive personal data'. The need for the redefinition of the term 'sensitive personal data' in the draft Privacy Bill was emphasized again, as well as participants' concern that the purpose behind the collection of data may change within the process and that the regulations which apply in such cases remain vague. In response to issues revolving around the collection of data, a participant recommended the regulation of instances under which data should <i>not </i>be used. In terms of consent, several participants argued that it is not rational to expect consumers to give consent for the future (indefinite) use of their data, as this may expose them to future threats which they may not have considered when granting initial consent.</p>
<p style="text-align: justify; ">The meeting proceeded to discuss the processing of data and several participants emphasized the need to gain consent, whilst others disagreed for the reasons mentioned above. On the disclosure of data, a participant stated that companies can be approached by law enforcement agencies for multiple purposes and that it is usually hard for companies to define the cases under which information is disclosed. Other participants disagreed with the disclosure of data when it is being collected and analysed for investigatory purposes and argued that regulations on the disclosure of data should not be applicable to intelligence agencies.</p>
<h3>Discussion Highlights:</h3>
<ul>
<li>The different instances of data collection and consumer consent</li>
<li>The nuances of data sharing </li>
<li>The issue of consumer consent and security assurances offered by companies</li>
<li>The pros and cons of having a data retention regulatory framework</li>
<li>How transparency is incorporated into the draft Privacy Protection Bill 2013 </li>
<li>What is needed in provisions that speak to data destruction</li>
</ul>
<h2>Meeting conclusion</h2>
<p style="text-align: justify; ">The general conclusion of the meeting was that self-regulation should be encouraged, as IT companies should provide security assurances to their consumers and regulate the collection, use, analysis, sharing and retention of their data. There was some discussion on the possibility of introducing co-regulation between IT companies and the Privacy Commissioner, but most participants appeared to prefer self-regulation. All participants in the meeting agreed upon the necessity to introduce a Privacy Bill in India which would safeguard individuals' right to privacy and other human rights. However, the debate revolved around the definition of terms used in the Bill, whether consent should be a prerequisite to the collection, use, analysis, processing and retention of data, as well as whether companies should be obliged to inform consumers of the sharing, disclosure and destruction of their data.</p>
<p style="text-align: justify; ">Following the first Privacy Round Table meeting on the Privacy (Protection) Bill 2013, the discussion between various stakeholders will continue in the next national round table meetings throughout the year 2013. Following the Delhi Privacy Round Table, corrections have been incorporated into the <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="internal-link">Privacy Protection Bill, 2013</a> based on participants' feedback, concerns, comments and ideas.</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-30T11:11:11Z | Blog Entry
Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regard to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, <a href="https://cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as a data secure nation made on May 9th 2013.<a href="https://cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="https://cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. <a href="https://cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Centre for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a><a class="moz-txt-link-freetext" href="http://www.business-standard.com/article/economy-policy/india-threatens-to-stall-trade-talks-with-eu-113050900020_1.html"></a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister Seeks stand alone privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<div id="_mcePaste"><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></div>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:07:58Z | Blog Entry
India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed
https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance
<b>As of last week, it is officially confirmed that the metadata of everyone's communications is under the NSA's microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most! </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was <a class="external-link" href="http://www.medianama.com/2013/06/223-what-does-nsa-prism-program-mean-to-india-cis-india/">cross-posted in Medianama</a> on 24th June 2013. <br /></i></p>
<hr />
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the Democratic senator, </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">Ron Wyden, asked James Clapper</a><span>, the director of national intelligence, a few months ago. “No sir”, replied Clapper.</span></blockquote>
<p dir="ltr" style="text-align: justify; "> </p>
<p dir="ltr" style="text-align: justify; "><span>True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Americans, Indians, Egyptians, Iranians, Pakistanis and others</span></a><span> all around the world.</span></p>
<p><span> </span></p>
<h2>Leaked NSA surveillance</h2>
<p><span> </span></p>
<h3><span>Verizon Court Order</span></h3>
<p style="text-align: justify; ">Recently, the <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">Guardian released</a> a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://yahoo.usatoday.com/news/washington/2006-05-10-nsa_x.htm"><span>USA Today reported in 2006</span></a><span> that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the </span><a href="http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order"><span>April 25 top secret order</span></a><span> is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes </span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span>metadata </span></a><span>such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. </span><a href="https://www.privacyinternational.org/blog/top-secret-nsa-program-spying-on-millions-of-us-citizens"><span>Privacy and human rights concerns</span></a><span> arise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens' communications and lives.</span><a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order"><span> Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically</span></a><span>, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.</span></p>
<p><span> </span></p>
<h3><span>PRISM</span></h3>
<p align="JUSTIFY">Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by <a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html">The Washington Post</a>. Apparently, not only is the NSA gaining access to the metadata of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to <a href="http://www.bbc.co.uk/news/business-22867185">disclose the security requests</a> they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.</p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Yet it appears that the </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>PRISM online surveillance programme</span></a><span> enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The </span><a href="http://www.guardian.co.uk/world/2013/jun/09/prism-gchq-william-hague-statement"><span>Guardian reported</span></a><span> that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>James R. Clapper, the US Director of National Intelligence, </span><a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html"><span>stated</span></a><span>:</span></p>
<p><span> </span></p>
<blockquote class="italized" dir="ltr" style="text-align: justify; "><span>“</span><span>Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”</span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world. </span></p>
<h3><span>Boundless Informant</span></h3>
<p dir="ltr" style="text-align: justify; "><span>And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data? </span></p>
<p dir="ltr" style="text-align: justify; "><span>The Guardian released top secret documents about the NSA data mining tool, called </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span>; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide. </span></p>
<p dir="ltr" style="text-align: justify; "><span>The following </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>“global heat map”</span></a><span> reveals how much data is being collected by the NSA from around the world:</span></p>
<p dir="ltr" style="text-align: justify; "><span><img src="https://cis-india.org/BoundlessInformantmap.jpg" alt="Boundless Informant: &quot;Global Heat Map&quot;" class="image-inline" title="Boundless Informant: &quot;Global Heat Map&quot;" /></span></p>
<p><span style="text-align: justify; ">The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.</span></p>
<p dir="ltr" style="text-align: justify; "><span>During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with </span><a href="http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Archive&Source=Page&Skin=ETNEW&BaseHref=ETBG/2013/06/12&PageLabel=20&ForceGif=true&EntityId=Ar02002&ViewMode=HTML"><span>15% of all information</span></a><span> being tapped by the NSA coming from India during February-March 2013. </span></p>
<p dir="ltr" style="text-align: justify; "><a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance"><span>Edward Snowden</span></a><span> is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.</span></p>
<p><br /><span> </span></p>
<h2><span>So what does this all mean for India?</span></h2>
<p dir="ltr" style="text-align: justify; "><span>In his </span><a href="http://www.youtube.com/watch?v=Wl5OQz0Ko8c"><span>keynote speech at the 29th Chaos Communications Congress</span></a><span>, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone's department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have </span><a href="http://space.jpl.nasa.gov/msl/Programs/corona.html"><span>a history of spying on civilians</span></a><span>, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s are proof of that. But how does all this affect India?</span></p>
<p dir="ltr" style="text-align: justify; "><span>By </span><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=1&"><span>tapping into the servers of some of the biggest Internet companies in the world,</span></a><span> such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial </span><a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"><span>Boundless Informant</span></a><span> data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?</span></p>
<p dir="ltr" style="text-align: justify; "><span>India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians' data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Recent reports that the NSA is tapping into these servers ultimately mean that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining. </span></p>
<p dir="ltr" style="text-align: justify; "><span>Many questions remain vague, but one thing is clear: through the NSA's total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It's not just about the U.S. government having access to Indians' data, because access can lead to control and according to security expert, </span><a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>Bruce Schneier</span></a><span>:</span></p>
<blockquote class="italized"><span> “Our data reflects our lives...and those who control our data, control our lives”. </span></blockquote>
<p dir="ltr" style="text-align: justify; "><span>How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in </span><a href="http://www.bbc.co.uk/news/business-22867185"><span>corporations seeking data request transparency</span></a><span>, but also because they are unveiling a major global issue: surveillance is a fact and can no longer be denied. The massive, indiscriminate collection of Indians' data, without their prior knowledge or consent, and without the provision of guarantees with regard to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since </span><a href="http://www.statsoft.com/textbook/data-mining-techniques/"><span>the larger the database, the larger the probability for error</span></a><span>. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since </span><a href="http://dspace.flinders.edu.au/xmlui/bitstream/handle/2328/26269/wahlstrom%20on%20the%20impact.pdf;jsessionid=D948EDED21805D871C18E6E4B07DAE14?sequence=1"><span>technology is not infallible </span></a><span>and data trails are not always accurate.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even </span><a href="http://www.time.com/time/world/article/0,8599,2097899,00.html"><span>murdered - remember the drones</span></a><span>?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?</span></p>
<p><span> </span></p>
<h2><span>What can we do now?</span></h2>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Let's start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>As a next, but immediate, step, the Indian government should demand answers from the NSA to the following questions:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>What type of data is collected from India and which parties have access to it?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>How long is such data retained for? Can the retention period be renewed and if so, for how long?</span></p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><span>Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?</span></p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>In addition to the above questions, the Indian government should also request all other information relating to Indians' data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians' data is prevented and that Internet companies are transparent and accountable with regard to who has access to their servers.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>On an individual level, Indians can protect their data by using encryption, such as </span><a href="http://www.gnupg.org/"><span>GPG encryption</span></a><span> for their emails and </span><a href="https://www.encrypteverything.ca/index.php/Setting_up_OTR_and_Pidgin"><span>OTR encryption</span></a><span> for instant messaging. </span><a href="https://www.torproject.org/"><span>Tor</span></a><span> is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.</span></p>
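<p dir="ltr" style="text-align: justify; ">The layering described above can be traced in a few lines of code. The following is an added illustration, not code from the original post or from the Tor Project: the relay names, the destination <code>example.org:443</code>, the pre-shared per-relay keys and the HMAC-based toy cipher are all assumptions made so that the sketch runs with the Python standard library alone.</p>

```python
"""Toy onion layering (added illustration, NOT Tor's real protocol or cell format)."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one per-relay key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    stream = keystream(subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def wrap(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: encrypt for the exit relay first, then re-encrypt outwards.

    circuit is a list of (relay_name, key) ordered entry -> exit. Each layer
    carries only the name of the next hop, so no relay sees the whole path.
    """
    hops = [name for name, _ in circuit] + [destination]
    blob = payload
    for i in range(len(circuit) - 1, -1, -1):
        header = json.dumps({"next": hops[i + 1]}).encode()
        blob = seal(circuit[i][1], len(header).to_bytes(2, "big") + header + blob)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: remove exactly one layer, learn only the next hop."""
    layer = unseal(key, blob)
    if len(layer) < 2:
        raise ValueError("malformed layer")
    header_len = int.from_bytes(layer[:2], "big")
    header = json.loads(layer[2:2 + header_len])
    return header["next"], layer[2 + header_len:]


def route(circuit, onion: bytes):
    """Pass the onion along the circuit; record what each relay learns."""
    trace, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        trace.append((name, next_hop, blob))
    return trace


def demo():
    # Constructed sample: random keys stand in for the per-hop keys that Tor
    # negotiates; real Tor also uses fixed-size cells, which this sketch omits.
    circuit = [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]
    return route(circuit, wrap(circuit, "example.org:443", b"GET / HTTP/1.1"))


if __name__ == "__main__":
    for relay, next_hop, inner in demo():
        print(f"{relay:>6} learns next hop {next_hop!r}; inner data: {inner[:12].hex()}...")
```

<p dir="ltr" style="text-align: justify; ">Only the last relay recovers the payload in the clear, so the content itself is protected from that relay only when it is also encrypted end to end, for example with HTTPS.</p>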
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>To avoid surveillance, the use of </span><a href="https://www.eff.org/https-everywhere"><span>HTTPS-Everywhere</span></a><span> in the </span><a href="https://www.torproject.org/download/download-easy.html"><span>Tor Browser</span></a><span> is recommended, as well as the use of combinations of additional software, such as </span><a href="https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/"><span>TorBirdy</span></a><span> and </span><a href="http://www.enigmail.net/home/index.php"><span>Enigmail</span></a><span>, OTR and </span><a href="https://joindiaspora.com/"><span>Diaspora</span></a><span>. </span><a href="https://blog.torproject.org/blog/prism-vs-tor"><span>Tor hidden services are communication endpoints </span></a><span>that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA's surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it's a fact. And why is it vital to protect our data? Because if we don't, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>The </span><a href="http://necessaryandproportionate.net/"><span>principles</span></a><span> formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these </span><a href="https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights"><span>principles</span></a><span> are:</span></p>
<p><span> </span></p>
<ul style="text-align: justify; ">
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legality</b>: Limitations to the right to privacy must be prescribed by law</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Legitimate purpose</b>: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Necessity</b>: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Adequacy</b>: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Competent authority</b>: Authorities must be competent when making determinations relating to communications or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Due process</b>: Governments must respect and guarantee an individual's human rights; any interference with such rights must be authorised in law, and the lawful procedure that governs how the government can interfere with those rights must be properly enumerated and available to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>User notification</b>: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Integrity of communications and systems</b>: Service providers are responsible for the secure transmission and retention of communications data or communications metadata</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards for international cooperation</b>: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress</p>
</li>
<li dir="ltr" style="list-style-type: disc; ">
<p dir="ltr" style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation</p>
</li>
</ul>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span>Applying the above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for </span><span>everyone </span><span>to fight for their right to be free.</span></p>
<p><span> </span></p>
<p dir="ltr" style="text-align: justify; "><span><i>Is a world without freedom worth living in?</i></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance'>https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-11-06T10:20:46Z | Blog Entry
The Difficult Balance of Transparent Surveillance
https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance
<b>Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other Silicon Valley giants would say no. When customers join these services, each company provides its own privacy statement, which assures customers of the safety and transparency that accompanies their personal data.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.</p>
<p style="text-align: justify; ">So it seems that transparency might not be too much to ask, but is perhaps a more complicated request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">So we must unpack the idea of transparency.</p>
<p style="text-align: justify; ">First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?</p>
<p style="text-align: justify; ">Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was disclosed that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 phones tapped in the Delhi region alone in 2005.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">But there has also been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for the government's and the people’s sake. After the data has been gathered, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found through spying? Citizens must take all of this into consideration when requesting transparency.</p>
<p style="text-align: justify; ">Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, <i>so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds</i>.” <a href="#fna" name="fra">[a]</a> Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook <a href="#fna" name="fra">[a]</a>, Apple <a href="#fnb" name="frb">[b]</a>, Microsoft<a href="#fnc" name="frc">[c]</a>, and Google <a href="#fnd" name="frd">[d]</a>) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14<sup>th</sup>, “We have not received any national security orders <i>of the type that Verizon was reported to have received</i>.” <a href="#fnc" name="frc">[c]</a> Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.</p>
<p style="text-align: justify; ">Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.</p>
<p style="text-align: justify; ">But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS,<a href="#fn4" name="fr4">[4]</a> but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">petition</a> as an Indian agency is not involved.”<a href="#fn5" name="fr5">[5]</a><a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.</p>
<p style="text-align: justify; ">For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.<a href="#fn7" name="fr7">[7]</a> India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong reason to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.<a href="#fn8" name="fr8">[8]</a> It is uncertain how these revelations will impact the agreements made between the big Silicon Valley companies and their E.U. customers.</p>
<p style="text-align: justify; ">The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.<a href="#fn5" name="fr5">[5]</a> If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.</p>
<p style="text-align: justify; ">Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases the likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring its own servers and databases. It has not yet been described how the CMS will operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of <i>who</i> citizens prefer spying on them.</p>
<p style="text-align: justify; ">Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self-reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impending critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.<a href="#fn9" name="fr9">[9]</a> Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”<a href="#fnc" name="frc">[c]</a></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a href="http://digitaldueprocess.org/">http://digitaldueprocess.org/</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://bit.ly/151Ue1H">http://bit.ly/151Ue1H</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://bit.ly/12XDb1Z">http://bit.ly/12XDb1Z</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://ti.me/11Xh08V">http://ti.me/11Xh08V</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh</a> [attached]</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://bit.ly/1aXWdbU">http://bit.ly/1aXWdbU</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://1.usa.gov/qafcXe">http://1.usa.gov/qafcXe</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://bit.ly/114hcCX">http://bit.ly/114hcCX</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="http://bit.ly/156wspI">http://bit.ly/156wspI</a></p>
<hr />
<p>[<a href="#fra" name="fna">a</a>]. <b>Facebook Statement</b>: <a class="external-link" href="http://bit.ly/ZQDcn6">http://bit.ly/ZQDcn6</a></p>
<p>[<a href="#frb" name="fnb">b</a>]. <b>Apple Statement</b>: <a class="external-link" href="http://bit.ly/1akaBuN">http://bit.ly/1akaBuN</a></p>
<p>[<a href="#frc" name="fnc">c</a>]. <b>Microsoft Statement</b>: <a class="external-link" href="http://bit.ly/1bFIt31">http://bit.ly/1bFIt31</a></p>
<p>[<a href="#frd" name="fnd">d</a>]. <b>Google Statement</b>: <a class="external-link" href="http://bit.ly/16QlaqB">http://bit.ly/16QlaqB</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance'>https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance</a>
</p>
No publisher | kovey | SAFEGUARDS | Internet Governance | Privacy | 2013-07-15T04:23:35Z | Blog Entry
Interview with Bruce Schneier - Internationally Renowned Security Technologist
https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier
<b>Maria Xynou recently interviewed Bruce Schneier on privacy and surveillance. View this interview and gain an insight on why we should all "have something to hide"!</b>
<p style="text-align: justify; "><a class="external-link" href="https://www.schneier.com/about.html">Bruce Schneier</a> is an internationally renowned security technologist, called a "security guru" by <cite>The Economist</cite>.</p>
<p style="text-align: justify; ">He is the author of 12 <a href="https://www.schneier.com/books.html">books</a> -- including <a href="https://www.schneier.com/book-lo.html"><cite>Liars and Outliers: Enabling the Trust Society Needs to Survive</cite></a> -- as well as hundreds of articles, <a href="https://www.schneier.com/essays.html">essays</a>, and <a href="https://www.schneier.com/cryptography.html">academic papers</a>. His influential newsletter "<a href="https://www.schneier.com/crypto-gram.html">Crypto-Gram</a>" and his blog "<a href="https://www.schneier.com/about.html">Schneier on Security</a>" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly <a href="https://www.schneier.com/news.html">quoted</a> in the press.</p>
<p style="text-align: justify; ">Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for <a href="http://www.bt.com/">BT</a> -- formerly British Telecom.</p>
<p style="text-align: justify; ">The Centre for Internet and Society (CIS) interviewed Bruce Schneier on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">Do you think India needs privacy legislation? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">“I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally.” Please comment.</p>
</li>
<li>
<p align="JUSTIFY">Can free speech and privacy co-exist? What is the balance between privacy and freedom of expression?</p>
</li>
<li>
<p align="JUSTIFY">Should people have the right to give up their right to privacy? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">Should surveillance technologies be treated as traditional arms/weapons? Why/ Why not?</p>
</li>
<li>
<p align="JUSTIFY">How can individuals protect their data (and themselves) from spyware, such as FinFisher?</p>
</li>
<li>
<p align="JUSTIFY">How would you advise young people working in the surveillance industry?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/mpKaXW_hwcE" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier'>https://cis-india.org/internet-governance/blog/interview-with-bruce-schneier</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-10-17T08:54:32Z | Blog Entry
Interview with Dr. Alexander Dix - Berlin Data Protection and Freedom of Information Commissioner
https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner
<b>Maria Xynou recently interviewed Berlin's Data Protection and Freedom of Information Commissioner: Dr. Alexander Dix. View this interview and gain an insight on recommendations for better data protection in India!</b>
<p style="text-align: justify; "><a class="external-link" href="http://www.ediscovery-exchange.com/SpeakerInfo.aspx?tp_spkid=37916">Dr. Alexander Dix</a> has been Berlin's Data Protection and Freedom of Information Commissioner since June 2005. He has more than 26 years of practical experience in German data protection authorities and previously served as Commissioner for the state of Brandenburg for seven years.</p>
<p style="text-align: justify; ">Dr. Dix is a specialist in telecommunications and media and has dealt with a number of issues regarding the cross-border protection of citizens’ privacy. He chairs the International Working Group on Data Protection in Telecommunications (“Berlin Group”) and is a member of the Article 29 Working Party of European Data Protection Supervisory Authorities. In this Working Party he represents the Data Protection Authorities of the 16 German States (Länder).</p>
<p style="text-align: justify; ">A native of Bad Homburg, Hessen, Dr. Alexander Dix graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from the London School of Economics and Political Science in 1976 and a Doctorate in law from Hamburg University in 1984. He has published extensively on issues of data protection and freedom of information. Inter alia he is a co-editor of the German Yearbook on Freedom of Information and Information Law.</p>
<p style="text-align: justify; ">The Centre for Internet and Society interviewed Dr. Alexander Dix on the following questions:</p>
<ol>
<li>
<p align="JUSTIFY">What activities and functions does the Berlin data commissioner's office undertake?</p>
</li>
<li>
<p align="JUSTIFY">What powers does the Berlin data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
</li>
<li>
<p align="JUSTIFY">How is the office of the Berlin Data Protection Commissioner funded?</p>
</li>
<li>
<p align="JUSTIFY">What is the organisational structure at the Office of the Berlin Data Protection Commissioner and the responsibilities of the key executives?</p>
</li>
<li>
<p align="JUSTIFY">If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?</p>
</li>
<li>
<p align="JUSTIFY">What challenges has your office faced?</p>
</li>
<li>
<p align="JUSTIFY">What is the most common type of privacy violation that your office is faced with?</p>
</li>
<li>
<p align="JUSTIFY">Does your office differ from other EU data protection commissioner offices?</p>
</li>
<li>
<p align="JUSTIFY">How do you think data should be regulated in India?</p>
</li>
<li>
<p align="JUSTIFY">Do you support the idea of co-regulation or self-regulation?</p>
</li>
<li>
<p align="JUSTIFY">How can India protect its citizens' data when it is stored in foreign servers?</p>
</li>
</ol>
<p>VIDEO <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/agXVs7ZlKdU" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner'>https://cis-india.org/internet-governance/blog/interview-with-berlin-data-protection-commissioner</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-11-06T09:29:32Z | Blog Entry
Interview with Caspar Bowden - Privacy Advocate and former Chief Privacy Adviser at Microsoft
https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate
<b>Maria Xynou recently interviewed Caspar Bowden, an internationally renowned privacy advocate and former Chief Privacy Adviser at Microsoft. Read this exciting interview and gain an insight on India's UID and CMS schemes, on the export of surveillance technologies, on how we can protect our data in light of mass surveillance and much much more!</b>
<div dir="ltr" style="text-align: justify; "><a class="external-link" href="http://www.isodarco.it/courses/andalo12/doc/CBowden.pdf">Caspar Bowden</a> is an independent advocate for better Internet privacy technology and regulation. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication. Until recently he was Chief Privacy Adviser for Microsoft, with particular focus on Europe and regions with horizontal privacy law.</div>
<div dir="ltr" style="text-align: justify; ">From 1998-2002, he was the director of the Foundation for Information Policy Research (www.fipr.org) and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.</div>
<div dir="ltr" style="text-align: justify; ">The Centre for Internet and Society interviewed Caspar Bowden on the following questions:</div>
<p align="JUSTIFY"> </p>
<h3 align="JUSTIFY">1. Do you think India needs privacy legislation? Why / Why not?</h3>
<p> </p>
<p align="JUSTIFY"><span>Well, I think it's essential for any modern democracy based on a constitution to now recognise a universal human right to privacy. This isn't something that would necessarily have occurred to the drafters of constitutions before the era of mass electronic communications, but this is now how everyone manages their lives and maintains social relationships at a distance, and therefore there needs to be an entrenched right to privacy – including communications privacy – as part of the core of any modern state. </span></p>
<h3 align="JUSTIFY">2. The majority of India's population lives below the line of poverty and barely has any Internet access. Is surveillance an elitist issue or should it concern the entire population in the country? Why / Why not?</h3>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY"><span>Although the majority of people in India are still living in conditions of poverty and don't have access to the Internet or, in some cases, to any electronic communications, that's changing very rapidly. India has some of the highest growth rates in take up with both mobile phones and mobile Internet and so this is spreading very rapidly through all strata of society. It's becoming an essential tool for transacting with business and government, so it's going to be increasingly important to have a privacy law which guarantees rights equally, no matter what anyone's social station or situation. There's also, I think, a sense in which having a right to privacy based on individual rights is much preferable to some sort of communitarian approach to privacy, which has a certain philosophical following; but that model of privacy - that somehow, because of a community benefit, there should also be a sort of community sacrifice in individual rights to privacy - has a number of serious philosophical flaws which we can talk about. </span></p>
<h3 align="JUSTIFY">3. "I'm not a terrorist and I have nothing to hide...and thus surveillance can't affect me personally." Please comment.</h3>
<p> </p>
<p align="JUSTIFY"><span>Well, it's hard to know where to begin. Almost everybody in fact has “something to hide”, if you consider all of the social relationships and the way in which you are living your life. It's just not true that there's anybody who literally has nothing to hide and in fact I think that it's rather a dangerous idea, in political culture, to think about imposing that on leaders and politicians. There's an increasing growth of the idea – now, probably coming from America- that political leaders (and even their staff - to get hired in the current White House) should open up their lives, even to the extent of requiring officials to give up their passwords to their social network accounts (presumably so that they can be vetted for sources of potential political embarrassment in their private life). This is a very bad idea because if we only elect leaders, and if we only employ bureaucrats, who do not accord any subjective value to privacy, then it means we will almost literally be electing (philosophical) zombies. And we can't expect our political leaders to respect our privacy rights, if we don't recognise that they have a right to privacy in their own lives also. The main problem with the “nothing to hide, so nothing to fear” mantra is that this is used as a rhetorical tool by authoritarian forces in government and society, who simply wish to take a more paternalistic and protective attitude. This reflects a disillusionment within the “deep state” about how democratic states should function.</span></p>
<p align="JUSTIFY">Essentially, those who govern us are given a license through elections to exercise power with consent, but this entails no abrogation of a citizen's duty to question authority. Instead, that should be seen as a civic duty - providing the objections are reasonable. People actually know that there are certain things in their lives that they don't wish other people to know, but by indoctrinating the “nothing to hide” ideology, it inculcates a general tendency towards more conformism in society, by inhibiting critical voices.</p>
<h3>4. Should people have the right to give up their right to privacy? Why / Why not?</h3>
<p align="JUSTIFY"><span>In European data protection law there is an obscure provision which is particularly relevant to medical privacy, but almost never used in the area of so-called sensitive personal data, like political views or philosophical views. It is possible currently for European governments to legislate to override the ability of the individual to consent. So this might arise, for example, if a foreign company sets up a service to get people to consent to have their DNA analysed and taken into foreign databases, or generally where people might consent to a big foreign company analysing and capturing their medical records. I think there is a legitimate view that, as a matter of national policy, a government could decide that these activities were threatening to data sovereignty, or that was just bad public policy. For example, if a country has a deeply-rooted social contract that guarantees the ability to access medical care through a national health service, private sector actors could try to undermine that social-solidarity basis for universal provision of health care. So for those sorts of reasons I do think it's defensible for governments to have the ability in those sectors to say: “Yes, there are areas where people should not be able to consent to give up their privacy!” </span></p>
<p><span>But then going back to the previous answer, more generally, commercial privacy policies are now so complicated – well, they've always been complicated, but now are mind-blowingly devious as well - people have no real possibility of knowing what they're consenting to. For example, the secondary uses of data flows in social networks are almost incomprehensible, even for technologists at the forefront of research. The French Data Protection authorities are trying to penalize Google for replacing several very complicated privacy policies by one so-called unified policy, which says almost nothing at all. There's no possible way for people to give informed consent to this over-simplified policy, because it doesn't even tell anything useful to an expert. So again in these circumstances, it's right for a regulator to intercede to prevent unfair exploitation of the deceptive kind of “tick-box” consent. Lastly, it is not possible for EU citizens to waive or trade away their basic right to access (or delete) their own data in future, because this seems a reckless act and it cannot be foreseen when this right might become essential in some future circumstances. So in these three senses, I believe it is proper for legislation to be able to prevent the abuse of the concept of consent.</span></p>
<h3 align="JUSTIFY">5. Do you agree with India's UID scheme? Why / Why not?</h3>
<p align="JUSTIFY"><span>There is a valid debate about whether it's useful for a country to have a national identity system of some kind - and there's about three different ways that can be engineered technically. The first way is to centralise all data storage in a massive repository, accessed through remote terminal devices. The second way is a more decentralised approach with a number of different identity databases or systems which can interoperate (or “federate” with each other), with technical and procedural rules to enforce privacy and security safeguards. In general it's probably a better idea to decentralise identity information, because then if there is a big disaster (or cyber-attack) or data loss, you haven't lost everything. The third way is what's called “user-centric identity management”, where the devices (smartphones or computers) citizens use to interact with the system keep the identity information in a totally decentralised way. </span></p>
<p align="JUSTIFY"><span>Now the obvious objection to that is: “Well, if the data is decentralised and it's an official system, how can we trust that the information in people's possession is authentic?”. Well, you can solve that with cryptography. You can put digital signatures on the data, to show that the data hasn't been altered since it was originally verified. And that's a totally solved problem. However, unfortunately, not very many policy makers understand that and so are easily persuaded that centralization is the most efficient and secure design – but that hasn't been true technically for twenty years. Over that time, cryptographers have refined the techniques (the algorithms can now run comfortably on smartphones) so that user-centric identity management is totally achievable, but policy makers have not generally understood that. But there is no technical reason a totally user-centric vision of identity architecture should not be realized. But still the UID appears to be one of the most centralised large systems ever conceived. </span></p>
<p align="JUSTIFY"><span>There are still questions I don't understand about its technical architecture. For example, just creating an identity number by itself doesn't guarantee security and it's a classic mistake to treat an identifier as an authenticator. In other words, to use an identifier or knowledge of an identifier - which could become public information, like the American social security number – to treat knowledge of that number as if it were a key to open up a system to give people access to their own private information is very dangerous. So it's not clear to me how the UID system is designed in that way. It seems that by just quoting back a number, in some circumstances this will be the key to open up the system, to reveal private information, and that is an innately insecure approach. There may be details of the system I don't understand, but I think it's open to criticism on those systemic grounds. </span></p>
<p align="JUSTIFY"><span>And then more fundamentally, you have to ask what's the purpose of that system in society. You can define a system with a limited number of purposes – which is the better thing to do – and then quite closely specify the legal conditions under which that identity information can be used. It's much more problematic, I think, to try and just say that “we'll be the universal identity system”, and then you just try and find applications for it later. A number of countries tried this approach, for example Belgium around 2000, and they expected that having created a platform for identity, that many applications would follow and tie into the system. This really didn't happen, for a number of social and technical reasons which critics of the design had predicted. I suppose I would have to say that the UID system is almost the antithesis of the way I think identity systems should be designed, which should be based on quite strong technical privacy protection mechanisms - using cryptography - and where, as far as possible, you actually leave the custody of the data with the individual. </span></p>
<p align="JUSTIFY"><span>Another objection to this user-centric approach is “back-up”: what happens when you lose the primary information and/or your device? Well, you can anticipate that. You can arrange for this information to be backed-up and recovered, but in such a way that the back-up is encrypted, and the recovered copy can easily be checked for authenticity using cryptography.</span></p>
<h3><b>6. Should Indian citizens be concerned about the Central Monitoring System (CMS)? Why / Why not?</b></h3>
<p align="JUSTIFY"><span>Well, the Central Monitoring System does seem to be an example of very large scale “strategic surveillance”, as it is normally called. Many western countries have had these for a long time, but normally only for international communications. Normally surveillance of domestic communications is done under a particular warrant, which can only be applied one investigation at a time. And it's not clear to me that that is the case with the Central Monitoring System. It seems that this may also be applicable to mass surveillance of communications inside India. Now we're seeing a big controversy in the U.S - particularly at the moment - about the extent to which their international strategic surveillance systems are also able to be used internally. What has happened in the U.S. seems rather deceptive; although the “shell” of the framework of individual protection of rights was left in place, there are actually now so many exemptions when you look in the detail, that an awful lot of Americans' domestic communications are being subjected to this strategic mass surveillance. That is unacceptable in a democracy. </span></p>
<p align="JUSTIFY"><span>There are reasons why, arguably, it's necessary to have some sort of strategic surveillance in international communications, but what Edward Snowden revealed to us is that in the past few years many countries – the UK, the U.S, and probably also Germany, France and Sweden – have constructed mass surveillance systems which knowingly intrude on domestic communications also. We are living through a transformation in surveillance power, in which the State is becoming more able to monitor and control the population secretively than ever before in history. And it's very worrying that all of these systems appear to have been constructed without the knowledge of Parliaments and without precise legislation. Very few people in government even seem to have understood the true mind-boggling breadth of this new generation of strategic surveillance. And no elections were fought on a manifesto asking “Do people want this or not?”. It's being justified under a counter-terrorism mantra, without very much democratic scrutiny at all. The long term effects of these systems on democracies are really uncharted territory. </span></p>
<p align="JUSTIFY"><span>We know that we're not in an Orwellian state, but the model is becoming more Kafkaesque. If one knows that this level of intensive and automated surveillance exists, then it has a chilling effect on society. Even if not very much is publicly known about these systems, there is still a background effect that makes people more conformist and less politically active, less prepared to challenge authority. And that's going to be bad for democracy in the medium term – not just the long term. </span></p>
<h3><b>7. Should surveillance technologies be treated as traditional arms / weapons? If so, should export controls be applied to surveillance technologies? Why / Why not?</b></h3>
<p align="JUSTIFY"><span>Surveillance technologies probably do need to be treated as weapons, but not necessarily as traditional weapons. One probably is going to have to devise new forms of export control, because tangible bombs and guns are physical goods – well, they're not “goods”, they're “bads” - that you can trace by tagging and labelling them, but many of the “new generation” of surveillance weapons are </span><i><span>software</span></i><span>. It's very difficult to control the proliferation of bits – just as it is with copyrighted material. And I remember when I was working on some of these issues thirteen years ago in the UK – during the so-called crypto wars – that the export of cryptographic software from many countries was prohibited. And there were big test cases about whether the source code of these programs was protected under the US First Amendment, which would prohibit such controls on software code. It was intensely ironic that in order to control the proliferation of cryptography in software, governments seemed to be contemplating the introduction of strategic surveillance systems to detect (among other things) when cryptographic software was being exported. In other words, the kind of surveillance systems which motivated the “cypherpunks” to proselytise cryptography, were being introduced (partly) with the perverse justification of preventing such proliferation of such cryptography!</span></p>
<p align="JUSTIFY"><span>In the case of the new, very sophisticated software monitoring devices (“Trojans”) which are being implanted into people's computers – yes, this has to be subject to the same sort of human rights controls that we would have applied to the exports of weapon systems to oppressive regimes. But it's quite difficult to know how to do that. You have to tie responsibility to the companies that are producing them, but a simple system of end-user licensing might not work. So we might actually need governments to be much more proactive than they have been in the past with traditional arms export regimes and actually do much more actively to try and follow control after export – whether these systems are only being used by the intended countries. As for the law enforcement agencies of democratic countries which are buying these technologies: the big question is whether law enforcement agencies are actually applying effective legal and operational supervision over the use of those systems. So, it's a bit of a mess! And the attempts that have been made so far to legislate this area I don't think are sufficient. </span></p>
<h3>8. How can individuals protect their data (and themselves) from spyware, such as FinFisher?</h3>
<p align="JUSTIFY"><span>In democratic countries, with a good system of the rule of law and supervision of law enforcement authorities, there have been cases – notably in Germany – where it's turned out that the police using techniques, like FinFisher, have actually disregarded legal requirements from court cases laying down the proper procedures. So I don't think it's good enough to assume that if one was doing ordinary lawful political campaigning, that one would not be targeted by these weapons. So it's wise for activists and advocates to think about protecting themselves – of course, other professions as well who look after confidential information – because these techniques may also get into the hands of industrial spies, private detectives and generally by people who are not subject to even the theoretical constraints of law enforcement agencies. </span></p>
<p align="JUSTIFY"><span>After Edward Snowden's revelations, we understand that all our computer infrastructure is much more vulnerable – particularly to foreign and domestic intelligence agencies – than we ever imagined. So for example, I don't use Microsoft software anymore – I think that there are techniques which are now being sold to governments and available to governments for penetrating Microsoft platforms and probably other major commercial platforms as well. So, I've made the choice, personally, to use free software – GNU/Linux, in particular – and it still requires more skill for most people to use, but it is much much easier than even a few years ago. So I think it's probably wise for most people to try and invest a little time getting rid of proprietary software if they care at all about societal freedom and privacy. I understand that using the latest, greatest smartphone is cool, and the entertainment and convenience of Cloud and tablets – but people should not imagine that they can keep those platforms secure. </span></p>
<p align="JUSTIFY"><span>It might sound a bit primitive, but I think people should have to go back to the idea that if they really want confidential communications with their friends, or if they are involved with political work, they have to think about setting aside one machine - which they keep offline and just use essentially for editing and encrypting/decrypting material. Once they've encrypted their work on their “air gap” machine, as it's called, then they can put their encrypted emails on a USB stick and transfer them to their second machine which they use to connect online (I notice Bruce Schneier is just now recommending the same approach). Once the “air gap” machine has been set up and configured, you should not connect that to the network – and preferably, don't connect it to the network, ever! So if you follow those sorts of protocols, that's probably the best that is achievable today. </span></p>
<h3 align="JUSTIFY">9. How would you advise young people working in the surveillance industry?</h3>
<p><span>Young people should try and read a little bit into the ethics of surveillance and to understand their own ethical limits in what they want to do, working in that industry. And in some sense, I think it's a bit like contemplating a career in the arms industry. There are defensible uses of military weapons, but the companies that build these weapons are, at the end of the day, just corporations maximizing value for shareholders. And so, you need to take a really hard look at the company that you're working for or the area you want to work in and satisfy your own standard of ethics, and that what you're doing is not violating other people's human rights. I think that in the fantastically explosive growth of surveillance industries that we've seen over the past few years – and it's accelerating – the sort of technologies particularly being developed for electronic mass surveillance are fundamentally and ethically problematic. And I think that for a talented engineer, there are probably better things that he/she can do with his/her career. </span><b> </b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate'>https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-11-06T08:16:05Z | Blog Entry
Draft Human DNA Profiling Bill (April 2012): High Level Concerns
https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012
<b>In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Broad offences and instances of when DNA can be collected</h3>
<p style="text-align: justify; ">The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This makes the scope of the database expansive: any individual who has committed an offence under any of these Acts can be placed on the DNA database, and this might include offences for which DNA evidence is not useful.</p>
<p style="text-align: justify; ">In the schedule under section C <b>Civil disputes and other civil matters </b>the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:</p>
<ul style="text-align: justify; ">
<li><i>(v) Issues relating to immigration or emigration </i></li>
<li><i>(vi) Issues relating to establishment of individual identity </i></li>
<li><i>(vii) Any other civil matter as may be specified by the regulations of the Board </i></li>
</ul>
<p style="text-align: justify; ">In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes</p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.</p>
<h3 style="text-align: justify; ">Inadequate level of authorization for sharing of information</h3>
<p style="text-align: justify; ">The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.</p>
<ul style="text-align: justify; ">
<li>Section 35 (1): “…<i>shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.</i>”</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.</p>
<h3 style="text-align: justify; ">Inaccurate understanding of infallibility of DNA</h3>
<p>The preamble to the Bill inaccurately states:</p>
<p style="text-align: justify; "><i>The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.</i></p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and errors can occur in the chain of custody of the DNA sample.</p>
<p style="text-align: justify; "><i>The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.</i></p>
<h3 style="text-align: justify; ">Inadequate access controls</h3>
<p style="text-align: justify; ">The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.</p>
<p style="text-align: justify; "><i>Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.</i></p>
<p style="text-align: justify; "><b>Recommendation:</b> Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.</p>
<h3 style="text-align: justify; ">Lack of standards and process for collection of DNA samples</h3>
<p style="text-align: justify; ">In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.</p>
<ul>
<li style="text-align: justify; "><i>Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule.” </i></li>
<li style="text-align: justify; "><i>Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12.” </i></li>
<li style="text-align: justify; "><i>Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling</i>.</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: According to the Criminal Procedure Code, sections 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.</p>
<h3 style="text-align: justify; ">Inadequate appeal process</h3>
<p style="text-align: justify; ">The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central Government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the Board and the Central Government are defined, so it is unclear what actions the Board or the Central Government would be able to take on a complaint.</p>
<p style="text-align: justify; "><i>Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.</i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc., this must be enumerated in the provisions of the Act.</p>
<h3 style="text-align: justify; ">Inclusion of population testing</h3>
<p style="text-align: justify; ">Though the main focus of the Bill is the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.</p>
<p style="text-align: justify; "><i>Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi-Member. </i></p>
<p style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms. </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Delete these provisions. If DNA testing is going to be done for population analysis purposes, regulations for this must be provided in separate legislation, the data must be stored in a separate database, informed consent must be taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.</p>
<h3 style="text-align: justify; ">Provisions delegated to regulation that need to be incorporated into text of Bill</h3>
<p style="text-align: justify; ">The Bill empowers the Board to formulate regulations for, and the Central Government to make Rules for, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which, when enacted, will only allow for DNA labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:</p>
<p style="text-align: justify; "><i>Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely </i></p>
<ul>
<li style="text-align: justify; "><i>Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.</i></li>
<li style="text-align: justify; "><i>Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
<li style="text-align: justify; "><i>Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction. </i></li>
</ul>
<p style="text-align: justify; "><i>Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act</i></p>
<ul>
<li style="text-align: justify; "><i>Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35</i></li>
<li style="text-align: justify; "><i>Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37</i></li>
<li style="text-align: justify; "><i> Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37 </i></li>
<li style="text-align: justify; "><i>Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43 </i></li>
<li style="text-align: justify; "><i>Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule. </i></li>
</ul>
<h3>Broad Language that needs to be specified or deleted</h3>
<p style="text-align: justify; ">There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used include:</p>
<p>Preamble: <i>There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.</i></p>
<ul>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time. </i></li>
<li style="text-align: justify; "><i>Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.</i></li>
<li style="text-align: justify; "><i>Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communicate, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.</i></li>
<li style="text-align: justify; "><i>Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board. </i></li>
<li style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed. </i></li>
<li style="text-align: justify; "><i>Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified by the regulations made by the Board. </i></li>
</ul>
<p><b>Recommendation</b>: All broad and vague language should be deleted and replaced with specific language.</p>
<h3>Jurisdiction</h3>
<ul>
<li>Section 1(2) It extends to the whole of India.</li>
</ul>
<ul>
<li style="text-align: justify; ">Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed. </li>
</ul>
<p style="text-align: justify; ">The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.</p>
<h3>Inconsistent provisions</h3>
<p style="text-align: justify; ">The Bill contains provisions that are inconsistent including:</p>
<ul>
<li style="text-align: justify; "><i>Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto. </i></li>
<li style="text-align: justify; "><i>Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…</i></li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.</p>
<h3 style="text-align: justify; ">Inadequate qualifications of DNA Data Bank Manager</h3>
<p style="text-align: justify; ">Section 33: “<i>The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.</i>”</p>
<p style="text-align: justify; "><b>Recommendation</b>: These qualifications are not sufficient. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.</p>
<h3 style="text-align: justify; ">Lack of restrictions on labs seeking certification</h3>
<p style="text-align: justify; ">According to section 16(2), “before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.” <br /><b>Recommendation</b>: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.</p>
<h3 style="text-align: justify; ">Incomplete terms for use of DNA in courts</h3>
<p style="text-align: justify; ">Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court. <br /><b>Recommendation</b>: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. As part of this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and whether confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.</p>
<h3 style="text-align: justify; ">Inadequate privacy protections</h3>
<p style="text-align: justify; ">Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.</p>
<p style="text-align: justify; "><i>Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses with a view to ensure that such protections are sufficient.” </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.</p>
<h2 style="text-align: justify; ">Missing Provisions</h2>
<ol>
<li style="text-align: justify; "><b>Notification to the individual:</b> There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.</li>
<li style="text-align: justify; "><b>Consent: </b>There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decision and order that a DNA sample be taken. In all cases where DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.</li>
<li style="text-align: justify; "><b>Right to request deletion of DNA profile from database: </b>There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts. </li>
<li style="text-align: justify; "><b>Right of individuals to bring a private cause of action: </b>There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Right to review one's personal data: </b>There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Independence of DNA laboratories and DNA banks from the police: </b>There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence. </li>
<li style="text-align: justify; "><b>Established profiling standard: </b>The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling. </li>
<li style="text-align: justify; "><b>Destruction of DNA samples: </b>There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012'>https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012</a>
</p>
No publisher, elonnai, SAFEGUARDS, Internet Governance, Privacy, 2013-07-12T15:36:59Z, Blog Entry
Interview with Mr. Billy Hawkes - Irish Data Protection Commissioner
https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner
<b>Maria Xynou recently interviewed Mr. Billy Hawkes, the Irish Data Protection Commissioner, at CIS's 4th Privacy Round Table meeting. View this interview for insight into recommendations for data protection in India!</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>The Irish Data Protection Commissioner was asked the following questions:</p>
<p>1. What powers does the Irish Data Commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
<p>2. Does your office differ from other EU data protection commissioner offices?</p>
<p>3. What challenges has your office faced? What is the most common type of privacy violation that your office has faced?</p>
<p>4. Why should privacy legislation be enacted in India?</p>
<p>5. Does India need a Privacy Commissioner? Why? If India creates a Privacy Commissioner, what structure / framework would you suggest for the office?</p>
<p>6. How do you think data should be regulated in India? Do you support the idea of co-regulation or self-regulation?</p>
<p>7. How can India protect its citizens' data when it is stored in foreign servers?</p>
<p>video <iframe frameborder="0" height="250" src="http://blip.tv/play/AYOTmT4A.html?p=1" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner'>https://cis-india.org/internet-governance/blog/interview-with-irish-data-protection-commissioner</a>
</p>
No publisher, maria, SAFEGUARDS, Internet Governance, Privacy, 2013-07-12T11:06:31Z, Blog Entry
Draft International Principles on Communications Surveillance and Human Rights
https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights
<b>These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles. </b>
<hr />
<p>The principles are still in draft form. The most recent version can be accessed <a class="external-link" href="http://necessaryandproportionate.net">here</a>. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.</p>
<p style="text-align: justify; ">These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.</p>
<p style="text-align: justify; "><b>Preamble</b><br />Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.<a href="#fn2" name="fr2">[2]</a> Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. <a href="#fn5" name="fr5">[5]</a> When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. <a href="#fn6" name="fr6">[6]</a> Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.</p>
<p style="text-align: justify; ">It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:</p>
<ol>
<li style="text-align: justify; ">Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.</li>
<li style="text-align: justify; ">Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media. </li>
</ol>
<p style="text-align: justify; ">We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.</p>
<p style="text-align: justify; ">These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.<a href="#fn7" name="fr7">[7]</a> Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,<a href="#fn8" name="fr8">[8]</a> we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.</p>
<p><b>The Principles</b></p>
<p style="text-align: justify; "><b>Legality</b>: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</p>
<p style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.</p>
<p style="text-align: justify; "><b>Due process</b>: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.<a href="#fn9" name="fr9">[9]</a> While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. <a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; "><b>User notification</b>: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</p>
<p style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. <a href="#fn11" name="fr11">[11]</a></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, <i>a priori</i> data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.</p>
<p style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</p>
<p><b>Signatories</b></p>
<p><b>Organisations</b></p>
<ul>
<li>Article 19 (International)</li>
<li>Bits of Freedom (Netherlands)</li>
<li>Center for Internet & Society India (CIS India)</li>
<li>Derechos Digitales (Chile)</li>
<li>Electronic Frontier Foundation (International)</li>
<li>Privacy International (International)</li>
<li>Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)</li>
<li>Statewatch (UK)</li>
</ul>
<p><b>Individuals</b></p>
<ul>
<li>Renata Avila, human rights lawyer (Guatemala)</li>
</ul>
<hr />
<p><b>Footnotes</b></p>
<ol>
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance<br />[<a href="#fr2" name="fn2">2</a>]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.<br />[<a href="#fr3" name="fn3">3</a>]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at <a href="http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf">http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf</a>. See also General Comments No. 
27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at <a href="http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument">http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument</a>.<br />[<a href="#fr4" name="fn4">4</a>]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.<br />[<a href="#fr5" name="fn5">5</a>]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. 
alone rose from 8888 in 2010 to 12,271 in 2011.<br />[<a href="#fr6" name="fn6">6</a>]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at <a href="http://www2.technologyreview.com/article/409598/tr10-reality-mining/">http://www2.technologyreview.com/article/409598/tr10-reality-mining/</a> and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.<br />[<a href="#fr7" name="fn7">7</a>]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf">http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf</a><br />[<a href="#fr8" name="fn8">8</a>]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See <a href="http://www.globalnetworkinitiative.org/">http://www.globalnetworkinitiative.org/</a><br />[<a href="#fr9" name="fn9">9</a>]As defined by international and regional conventions mentioned above.<br />[<a href="#fr10" name="fn10">10</a>]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.<br />[<a href="#fr11" name="fn11">11</a>]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See <a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx">http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx</a>. 
The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See <a href="http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top">http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top</a>.</p>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights'>https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T15:55:45Z | Blog Entry
Summary of the CIS workshop on the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012
<b>On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last few years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!</p>
<p>Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill[1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill, created by the Department of Biotechnology, was leaked. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India[2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.</p>
<p>However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns with regard to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not be restricted only to criminals…</p>
<h2><b>DNA databases...and Justice for All?</b></h2>
<p><img src="http://farm8.staticflickr.com/7197/6959954129_fefd0f928a.jpg" /></p>
<p class="italized">Source: <a href="http://www.flickr.com/photos/libertasacademica/">Libertas Academica</a> on flickr</p>
<p class="italized">During the workshop[3] on the 2012 draft Human DNA Profiling Bill, DNA[4] was defined as a material that determines a person's hereditary traits, whilst DNA profiling[5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but also to be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board's power. A central question in the meeting was:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p>The following concerns were raised and discussed during the workshop:</p>
<h3>● The myth of the infallibility of DNA evidence</h3>
<p>The Innocence Project[6], which was presented at the workshop, appears to make a case for the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments for the necessity and utility of creating DNA databases in India appear to be weak, especially since DNA evidence is <i>not</i> infallible[7].</p>
<p>False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence. DNA data only provides <i>probabilities</i> of potential matches between DNA profiles, and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles[8].</p>
<h3>● <b>The non-criteria of DNA data collection</b></h3>
<p>How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that <i>all</i> offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under <i>'any other law as may be specified by the regulations made by the Board'</i>. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.</p>
<h3>● <b>The DNA Profiling Board's power</b></h3>
<p>The DNA Profiling Board has 'absolute' power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board's functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses[9]. The Board is also required to advise on all ethical and human rights issues, as well as to take 'necessary steps' to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.</p>
<p><b>No human rights experts</b></p>
<p>Despite the various amendments[10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included in the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.</p>
<p><b>Vague authorisation for communication of DNA profiles</b></p>
<p>The Bill also empowers the Board to 'authorise procedures for communication of DNA profiles for <i>civil proceedings</i> and for crime investigation by law enforcement and <i>other agencies</i>'[11]. Although the 2007 Bill[12] restricted the Board's authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to 'civil proceedings' which can also be carried out by so-called 'other agencies'.[13] This amendment raises concerns, as the 'other agencies' and the term 'civil proceedings' remain vague.</p>
<p><b>Protecting the public</b></p>
<p>The Board is also authorised to 'assist law enforcement agencies in using DNA techniques to protect the public'[14]. Over the last few years, laws have been enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of 'public security', and the 2012 draft Bill is no exception. Many security measures have been applied to 'protect the public', such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate[15]. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.</p>
<p><b>Sharing data with international agencies…and regulating DNA laboratories</b></p>
<p>In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies[16]. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.</p>
<p>The Board would <i>also</i> be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories[17]. The draft 2012 Bill ultimately gives <i>monopolistic control</i> to the DNA Profiling Board over <i>all</i> the procedures related to the handling of DNA data!</p>
<h3>● <b>The DNA Data Bank Manager</b></h3>
<p>According to the 2012 draft Human DNA Profiling Bill[18], it is the DNA Data Bank Manager who would carry out 'all operations of and concerning the National DNA Data Bank'. These operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<p>The Bill also empowers the Manager to determine appropriate instances for the communication of information[19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide on the requested data.</p>
<h3>● DNA access restrictions</h3>
<p>Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill[20] states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.</span></p>
<h3>● Availability of DNA profiles and DNA samples</h3>
<p>According to the amended draft 2012 Bill[21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, 'criminal cases' are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the 'creation and maintenance of a <i>population statistics database</i>'. This is controversial because it remains unclear how such a database would be used.</p>
<h3>● Data destruction</h3>
<p>According to an amendment to section 37, DNA data will be kept on a 'permanent basis' and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.</p>
<h2>Workshop conclusions</h2>
<p><img src="http://farm4.staticflickr.com/3235/3080247531_bf04a5cbe5.jpg" /></p>
<p>Source: <a href="http://www.flickr.com/photos/micahb37/">micahb37</a> on flickr</p>
<p>The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.</p>
<p>During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals' right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, it was recommended that the Ministry of Law and Justice pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.</p>
<p>The use of DNA data in civil cases versus criminal cases was debated at length in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms 'civil cases' and 'criminal cases' remain broad, vague and not legally specified raised huge concerns in the workshop, as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.</p>
<p>However, even if separate Bills were created, who is to say that, once they are implemented, the DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<hr align="left" size="1" width="33%" />
<p>[1] Draft DNA Profiling Bill 2007, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p>[2] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012,</p>
<p>[3] Centre for Internet and Society, <i>Analyzing the Draft Human DNA Profiling Bill 2012, </i>25 February 2013, <a href="https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill">http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill</a></p>
<p>[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, <i>What is DNA?, </i><a href="http://ghr.nlm.nih.gov/handbook/basics/dna"><i>http://ghr.nlm.nih.gov/handbook/basics/dna</i></a></p>
<p>[5] Shanna Freeman, <i>How DNA profiling Works, </i><a href="http://science.howstuffworks.com/dna-profiling.htm"><i>http://science.howstuffworks.com/dna-profiling.htm</i></a></p>
<p>[6] Innocence Project, <i>DNA exoneree case profiles, </i><a href="http://www.innocenceproject.org/know/"><i>http://www.innocenceproject.org/know/</i></a></p>
<p>[7] Australian Law Reform Commission (ALRC), <i>Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), </i>'Criminal Proceedings: Reliability of DNA evidence', Chapter 44, <a href="http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence">http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence</a></p>
<p>[8] Ibid.</p>
<p>[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[10] Ibid: Section 4(q)</p>
<p>[11] Ibid: Section 12(j)</p>
<p>[12] Draft DNA Profiling Bill 2007, Section 13, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p>[13] Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Section 12(j), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[14] Ibid: Section 12(l)</p>
<p>[15] Schneier, B. (2008), <i>Schneier on Security, </i>'CCTV cameras', <a href="http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html">http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html</a></p>
<p>[16] Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Sections 12(u) and 12(v), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[17] Ibid: Section on the 'Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories'</p>
<p>[18] Ibid: Section 33</p>
<p>[19] Ibid: Section 35</p>
<p>[20] Ibid: Section 43</p>
<p>[21] Ibid: Section 40</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012'>https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012</a>
</p>
No publisher | maria | Workshop, Internet Governance, SAFEGUARDS | 2013-07-12T15:33:25Z | Blog Entry
Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011
<b>Bhairav Acharya, on behalf of the Centre for Internet and Society, submitted the following comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span>Preliminary</span></b></p>
<p style="text-align: justify; ">1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“<b>CIS</b>”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“<b>Cyber Café Rules</b>”).</p>
<p style="text-align: justify; ">1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21<sup>st</sup> Report, the Committee on Subordinate Legislation presciently noted that:</p>
<p style="text-align: justify; padding-left: 30px; ">“…<i>statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.</i>” [See the 21<sup>st</sup> Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]</p>
<p style="text-align: justify; ">Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:</p>
<p><b>II <span>Validity of the Cyber Cafe Rules</span></b></p>
<p style="text-align: justify; ">2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:</p>
<p>“<i>the guidelines to be observed by the intermediaries under sub-section (2) of section 79</i>”</p>
<p>Sections 79 (1) and (2) state:</p>
<p>“<b><i>79. Exemption from liability of intermediary in certain cases. –</i></b><i> (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for <span>any third party information, data, or communication link made available or hosted by him</span>. </i></p>
<p><i>(2) The provisions of sub-section (1) shall apply if— </i></p>
<p><i>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or</i></p>
<p><i>(b) the intermediary does not— </i></p>
<p><i>(i) initiate the transmission, </i></p>
<p><i>(ii) select the receiver of the transmission, and </i></p>
<p><i>(iii) select or modify the information contained in the transmission; </i></p>
<p><i>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes <span>such other guidelines as the Central Government may prescribe in this behalf</span>.</i>”</p>
<p style="text-align: justify; ">2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “<i>any third party information, data, or communication link made available or hosted</i>” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. 
<b>To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are <i>ultra vires</i> the IT Act.</b></p>
<p style="text-align: justify; "><b>III Clause-by-Clause Analysis and Comments</b><span> </span></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span><b> </b></p>
<p style="text-align: justify; ">3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:</p>
<p style="text-align: justify; ">“<i>“cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public</i>”</p>
<p style="text-align: justify; ">This definition of a cyber cafe is so overbroad that it brings within its ambit any establishment that offers internet access in the course of its business, such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”</p>
<p style="text-align: justify; ">3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.</p>
<p><b>Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.</p>
<p><b>Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p><span>Rule 3 - Agency for Registration of Cyber Cafes</span></p>
<p>4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, reads as follows:</p>
<p style="text-align: justify; ">“<b><i>3. Agency for registration of cyber cafe. –</i></b><i> (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include: </i></p>
<p><i>(i) name of establishment; </i></p>
<p><i>(ii) address with contact details including email address; </i></p>
<p><i>(iii) whether individual or partnership or sole proprietorship or society or company; </i></p>
<p><i>(iv) date of incorporation; </i></p>
<p><i>(v) name of owner/partner/proprietor/director; </i></p>
<p><i>(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and </i></p>
<p><i>(vii) type of service to be provided from cyber cafe </i></p>
<p style="text-align: justify; "><i>Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency. </i></p>
<p style="text-align: justify; "><i>(2) The details of registration of cyber cafe shall be published on the website of the registration agency. </i></p>
<p style="text-align: justify; "><i>(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line. </i></p>
<p style="text-align: justify; "><i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">CIS raises two unrelated and substantial objections to this provision: <span>firstly</span>, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, <span>secondly</span>, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.</p>
<p style="text-align: justify; ">4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.</p>
<p style="text-align: justify; ">Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicles for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:</p>
<p style="text-align: justify; ">“<b><i>5. Registration of establishment. –</i></b><i> (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing </i></p>
<p><i>(a) the name of the employer and the manager, if any; </i></p>
<p><i>(b) the postal address of the establishment; </i></p>
<p><i>(c) the name, if any, of the establishment, </i></p>
<p style="text-align: justify; "><i>(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment; </i></p>
<p><i>(e) the number of employees working about the business of the establishment; and </i></p>
<p><i>(f) such other particulars as may be prescribed. </i></p>
<p style="text-align: justify; "><i>(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier. </i></p>
<p style="text-align: justify; "><i>(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect. </i></p>
<p style="text-align: justify; "><i>(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act. </i></p>
<p style="text-align: justify; "><i>(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).</i>”</p>
<p style="text-align: justify; ">Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.</p>
<p style="text-align: justify; ">4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, <span>all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts</span> as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.</p>
<p style="text-align: justify; ">In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.</p>
<p style="text-align: justify; ">4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules is very poorly drafted and does not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises and hinders economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.</p>
<p style="text-align: justify; ">4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:</p>
<p style="text-align: justify; ">“<i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, <i>prima facie</i> violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 4 - Identification of User</span><b> </b></p>
<p style="text-align: justify; ">5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:</p>
<p>“<i>(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identity by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:</i></p>
<p><i>(i) Identity card issued by any School or College; or </i></p>
<p><i>(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or </i></p>
<p><i>(iii) Passport; or </i></p>
<p><i>(iv) Voter Identity Card; or </i></p>
<p><i>(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or </i></p>
<p><i>(vi) Photo Identity Card issued by the employer or any Government Agency; or </i></p>
<p><i>(vi) Driving License issued by the Appropriate Government; or </i></p>
<p><i>(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).</i>”</p>
<p style="text-align: justify; ">The use of credit cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.</b></p>
<p class="DefaultCxSpFirst">5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:</p>
<p>“<i>The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.</i>”</p>
<p style="text-align: justify; ">While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
<p><b>Therefore, it is proposed that rule 4(2) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”</p>
<p>5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:</p>
<p style="text-align: justify; ">“<i>(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.</i>”</p>
<p style="text-align: justify; ">Since the identity documents listed in rule 4(1) all contain a photograph of their owner, further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users (their photographic identity documents in addition to individual photographs), and invades the individual privacy rights of users, who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.4 Sub-rule (4) of rule 4 reads as follows:</p>
<p>“<i>(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).</i>”</p>
<p style="text-align: justify; ">Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.</p>
<p><b>Therefore, it is proposed that rule 4(4) be amended to read as follows:</b></p>
<p style="text-align: justify; ">“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”</p>
<p style="text-align: justify; ">5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “<i>shall be allowed to enter the cyber cafe after he has established his identity</i>.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “<i>allow[ing] any user to use its computer resource without the identity of the user being established</i>,” this rule 4(5) is redundant.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.6 Rule 4(6) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.</i>”</p>
<p style="text-align: justify; ">This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.</p>
<p><b>Therefore, it is proposed that rule 4(6) be deleted.</b></p>
<p><span>Rule 5 - Log Register</span></p>
<p>6.1 Rule 5(3) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(3) Cyber Cafe shall prepare a monthly report of the log register showing date-wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.</i>”</p>
<p style="text-align: justify; ">This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 7<b> - </b>Inspection of Cyber Cafe</span></p>
<p>7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:</p>
<p style="text-align: justify; ">“<i>An officer authorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.</i>”</p>
<p style="text-align: justify; ">The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.</p>
<p><b>Therefore, it is proposed that rule 7 be deleted.</b></p>
<p><b>IV <span>Summary</span></b></p>
<p>8.1 In sum:</p>
<p style="text-align: justify; ">(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are <i>ultra vires</i> the parent statute;</p>
<p style="text-align: justify; ">(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:</p>
<ul>
<li>Rule 2(1)(c);</li>
<li>Rule 2(1)(e);</li>
<li>Rule 2(1)(g);</li>
<li>Rule 3(1);</li>
<li>Rule 3(4);</li>
<li>Rule 4(1);</li>
<li>Rule 4(2);</li>
<li>Rule 4(3);</li>
<li>Rule 4(4);</li>
<li>Rule 4(5);</li>
<li>Rule 4(6);</li>
<li>Rule 5(3); and</li>
<li>Rule 7.</li>
</ul>
<p style="text-align: justify; ">(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.</p>
<p style="text-align: justify; ">8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011</a>
</p>
No publisher | bhairav | Internet Governance, SAFEGUARDS | 2013-07-12T12:15:30Z | Blog Entry
Data Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regard to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found in who accesses the data and how it is used. Others argue that any blanket or <i>a priori</i> data retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard access is being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention of metadata and the lower standards for access to it are controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2]</a> Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and up to two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference is that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:</p>
<ul>
<li><b>Users and Services</b>: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Outward Logins or Telnet</b>: A log of every outward login or telnet through an ISP's computer must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Packets:</b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Subscribers:</b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).</li>
<li style="text-align: justify; "><b>Internet Leased Line Customers:</b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
<li style="text-align: justify; "><b>Diagram Records and Reasons:</b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; "><b>Commercial Records:</b> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</li>
<li style="text-align: justify; "><b>Location:</b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x)).</li>
<li style="text-align: justify; "><b>Remote Activities:</b> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv)).</li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License<a href="#fn8" name="fr8">[8]</a>, <span>there are twelve categories of records that ISPs are required to retain that pertain to customer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept. </span></p>
<p style="text-align: justify; "><span>According to the license, service providers must maintain and make available: </span></p>
<ul>
<li style="text-align: justify; "><span><span><span> </span></span></span><b><span><span>Numbers</span></span><span>: </span></b><span>Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</span></li>
<li style="text-align: justify; "> <b><span><span>Interception records: </span></span></b><span>Time, date and duration of interception when required (Section 41.10).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span>All call records:</span></span></b><span> All call data records handled by the system when required (Section 41.10). This includes:</span><b><span><span><br /></span></span></b></p>
<ol>
<li><b><span><span>Failed call records:</span></span></b><span> Call data records of failed call attempts when required. (Section 41.10).</span></li>
<li><b><span><span>Roaming subscriber records</span></span></b><span>: Call data records of roaming subscribers when required. (Section 41.10)</span></li>
</ol></li>
<li style="text-align: justify; "><b><span><span>Commercial records: </span></span></b><span>All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</span></li>
<li style="text-align: justify; "> <b><span><span>Outgoing call records: </span></span></b><span>A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</span></li>
<li style="text-align: justify; "> <b><span><span>Calling line Identification:</span></span></b><span> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</span></p>
</li>
<li style="text-align: justify; "> <b><span><span>Remote access activities:</span></span></b><span><span> </span>Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section<span> </span>41.20 (xv)).</span></li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to their respective data retention practices: </span></p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<ol type="1">
<li style="text-align: justify; "><span><span> </span>IP session information - connection start end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least () types of information including:</p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information beyond the time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This may or may not be the actual case, as each question could have been interpreted differently by the responding officer.</span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. Whether Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy, as it is not possible for law enforcement to track individuals based on their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors also matter, such as:</span></p>
<ul>
<li><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated</span></li>
<li><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
<li><span>Any accessed or preserved records that do not pertain to an investigation must be deleted</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. They can be applied not only to a data preservation regime but also to a data retention regime, and are focused on preventing the actual abuse of data after it is retained. That said, before an argument for either data retention or data preservation can be made for India, it is important to understand more about data retention practices in India, the use of retained data by Indian law enforcement, and the access controls in place. </span></p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr2" name="fn2">2</a>]. Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United States's Data Preservation Laws: Finding the Better Model. 5 Shidler J.L. Com. & Tech. 13 (2009). Available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T15:51:13Z | Blog Entry
A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications
<b>This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently, seek to establish an international standard for surveillance of communications in the context of human rights. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: <a class="external-link" href="http://necessaryandproportionate.net/">http://necessaryandproportionate.net/</a></p>
<p>The Principles:</p>
<p style="text-align: justify; "><b>1. </b><b>Principle - Legality</b><b>:</b><i> Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic powers of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.</p>
<ul>
<li><b>The Indian Telegraph Act, 1885</b>
<ul>
<li style="text-align: justify; "><i>The Indian Telegraph Amendment Rules 2007:</i> These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications.</li>
<li style="text-align: justify; "><i>License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL)</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.</li>
<li style="text-align: justify; "><i>License Agreement for Provision of Internet Services</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government.</li>
</ul>
</li>
<li><b>The Information Technology Act, 2000</b>
<ul>
<li style="text-align: justify; "><i>Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource.</li>
<li style="text-align: justify; "><i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.</li>
</ul>
</li>
</ul>
<p><b>2. </b><b>Principle - Legitimate Purpose</b>:<i> Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.</p>
<p style="text-align: justify; ">Below are the circumstances for which access is allowed by each Act, Rule, and License:</p>
<ul>
<li><b>The TA Rules 2007</b>: Interception is allowed in the following circumstances:
<ul>
<li>On the occurrence of any public emergency</li>
<li>In the interest of the public safety</li>
<li>In the interests of the sovereignty and integrity of India</li>
<li>The security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order</li>
<li>Preventing incitement to the commission of an offence</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>: Interception, monitoring, and decryption of communications is allowed in the following circumstances:
<ul>
<li>In the interest of the sovereignty or integrity of India</li>
<li>Defense of India</li>
<li>Security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order</li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above</li>
<li>For investigation of any offence</li>
</ul>
</li>
<li style="text-align: justify; "><b>ITA Monitoring of Traffic Data Rules:</b> Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:
<ul>
<li>Forecasting of imminent cyber incidents</li>
<li>Monitoring network application with traffic data or information on computer resources</li>
<li>Identification and determination of viruses or computer contaminant</li>
<li>Tracking cyber security breaches or cyber security incidents</li>
<li>Tracking computer resource breaching cyber security or spreading viruses or computer contaminants</li>
<li style="text-align: justify; ">Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.</li>
<li style="text-align: justify; ">Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.</li>
<li style="text-align: justify; ">Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.</li>
<li>Any other matter relating to cyber security.</li>
</ul>
</li>
<li><b>UASL License</b>: Assistance must be provided to the government for the following reasons and times:
<ul>
<li>Reasons defined in the Telegraph Act. <b>(Section 41.20 (xix))</b></li>
<li>National Security. <b>(Section 41.20 (xvii))</b></li>
<li style="text-align: justify; ">To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 41.1)</b></li>
<li style="text-align: justify; ">Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. <b>(Section 40.4)</b></li>
<li>In the interests of security. <b>(Section 41.7)</b></li>
<li>For security reasons. <b>(Section 41.20 (iii))</b></li>
</ul>
</li>
<li><b>ISP License:</b> Assistance must be provided to the government for the following reasons and times:
<ul>
<li>To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 34.1)</b></li>
<li>In the interests of security. <b>(Section 34.4)</b></li>
<li>For security reasons. <b>(Section 34.28 (iii))</b></li>
<li>Reasons defined in the Telegraph Act. <b>(Section 35.2)</b></li>
</ul>
</li>
</ul>
<p style="text-align: justify; "><b>3. </b><b>Principle - Necessity</b>: <i>Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation does not contain provisions mandating that access to communications must be demonstrably necessary, and does not give details of the criteria that authorizing authorities should use to determine if a request is valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA <i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules</i>, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.</p>
<p>Below are summaries of the relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>TA Rules 2007</b>: Any order for interception issued by the competent authority must contain reasons for the direction <b>(Section 2).</b> While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means <b>(Section 3).</b></li>
<li style="text-align: justify; "><b>ITA Interception and Monitoring Rules: </b>Any direction issued by the competent authority must contain reasons for such direction <b>(Section 7). </b>The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information by any other reasonable means <b>(Section 8).</b></li>
<li style="text-align: justify; "><b>ITA Traffic Monitoring Rules:</b> Any direction issued by the competent authority must contain reasons for the direction <b>(Section 3(3)).</b></li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b></li>
</ul>
<p><b>4. </b><b>Principle - Adequacy</b>: <i>Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.</p>
<p style="text-align: justify; "><b>5. </b><b>Principle - Competent Authority</b>: <i>Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation requires that directions for access be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.</p>
<p>Below are summaries of relevant provisions:</p>
<li style="text-align: justify; "><b>The TA Rules 2007</b>: Under the Telegraph Act the authorizing authorities are:
<ul>
<li>The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level</li>
<li>The Secretary to the State Government in charge of the Home Department in the case of the State Government. </li>
<li>In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.</li>
<li>In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. <b>(Section 1(2))</b>. </li>
<li><b>ITA Interception and Monitoring Rules: </b>Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
<ul>
<li>The Secretary in the Ministry of Home Affairs in case of the Central Government.</li>
<li>The Secretary in charge of the Home Department, in case of a State Government or Union Territory. </li>
<li>In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority. </li>
<li>In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the Inspector General of Police or an officer of equivalent rank at the State or Union territory level. <b>(Section 3)</b>.</li>
</ul>
</li>
<li><b>ITA Monitoring and Collecting Traffic Data Rules:</b> Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
<ul>
<li>The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology. <b>(Section 2(d))</b>.</li>
<li>An employee of an intermediary may carry out the following in relation to the services that he is providing: accessing stored information from a computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, or undertaking forensics of the concerned computer resource as part of an investigation or internal audit; and accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. <b>(Section 9 (2))</b>. </li>
</ul>
</li>
<li style="text-align: justify; "><b>UASL &amp; ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.</li>
</ul>
</li>
<p style="text-align: justify; "><b>6. </b><b>Principle - Proportionality</b>:<i> Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation. </i></p>
<p style="text-align: justify; "><b>Indian Legislation</b>: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications, but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for a specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA <i>Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA <i>Safeguards for Monitoring and Collecting Traffic Data or Information Rules</i>.</p>
<p style="text-align: justify; ">Though the above are steps toward ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that only information related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.</p>
<p>Below is a summary of the relevant provisions:</p>
<li><b>TA Rules 2007: </b>
<ul>
<li style="text-align: justify; ">Service providers shall destroy records pertaining to directions for interception of messages within two months of discontinuing the interception. <b>(Section 19)</b>.</li>
<li style="text-align: justify; ">Directions for interception should be issued only when it is not possible to acquire the information by any other reasonable means. <b>(Section 3)</b>.</li>
<li style="text-align: justify; ">The interception must be of a message or class of message from and to one particular person that is specified or described in the order or one particular set of premises specified or described in the order. <b>(Section 4)</b>. </li>
<li style="text-align: justify; ">The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 6)</b>.</li>
<li><b> ITA Interception and Monitoring Rules:</b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 7)</b>.</li>
<li style="text-align: justify; ">The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. <b>(Section 8)</b>.</li>
<li style="text-align: justify; ">The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. <b>(Section 9)</b>. </li>
<li style="text-align: justify; ">The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 10)</b>.</li>
</ul>
</li>
<li><b>ITA Traffic and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 3(3))</b>.</li>
<li style="text-align: justify; ">Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. <b>(Section 8)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>7. </b><b>Principle - Due process</b>:<i> Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.</p>
<li><b> TA Rules 2007:</b>
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
<li><b>ITA Interception and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules:</b>
<ul>
<li style="text-align: justify; ">The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>8. </b><b>Principle - User notification</b>:<i> Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.</p>
<p style="text-align: justify; "><b>9. </b><b>Principle - Transparency about use of government surveillance</b>: <i>The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.</p>
<p style="text-align: justify; "><b>10. </b><b><i>Principle - Oversight</i></b><i>:</i> <i>An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)</i><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are requirements for a review committee to be established.<i> </i>The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li><b>TA Rules 2007</b>:
<ul>
<li style="text-align: justify; ">A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. <b>(Section 17)</b>.<b> </b>Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. <b>(Section 2)</b>.</li>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 22)</b>. </li>
</ul>
</li>
<li><b>ITA Traffic Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 7)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>11. </b><b>Principles - Integrity of communications and systems</b>: <i>It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are a number of security measures that must be put in place, but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA<i> Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it is unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.</p>
<p>Relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007</b>: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b>. Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service provider's licenses depending on the nature and scale of the violation. <b>(Section 20, 20A, 21, 23).</b></li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules: </b>The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 20)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules</b>: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 5&6)</b>.</li>
<li style="text-align: justify; "><b>UASL License:</b> The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. <b>(Section 39.1, Section 39.2, Section 41.4)</b>.</li>
<li style="text-align: justify; "><b>ISP License:</b> The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. <b>(Section 32.1)</b>. The ISP must take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business and will use its best endeavors to ensure that no information, except what is necessary, is divulged, and that no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. <b>(Section 32.2)</b>. The ISP must also take necessary steps to ensure that any person acting on its behalf observes confidentiality of customer information. <b>(Section 32.3)</b>.</li>
<p>Provisions requiring the provision of facilities, assistance, and retention:</p>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction <b>(Section 13(2))</b>.</li>
<li style="text-align: justify; ">If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. <b>(Section 17)</b>. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. <b>(Section 4(7))</b>.</li>
</ul>
</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation and approval of the licensor. <b>(Section 39.1)</b>. </li>
<li style="text-align: justify; ">The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 41.11)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. <b>(Section 41.14)</b>. The database of subscribers must also be made available to the licensor or its representatives. <b>(Section 41.16)</b>.</li>
<li style="text-align: justify; ">The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. <b>(Section 41.17)</b>.</li>
<li style="text-align: justify; ">Calling Line Identification must be provided and the network should also support Malicious Call Identification.<b> (Section 41.18)</b>.</li>
<li style="text-align: justify; ">Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis <b>(Section 41.19)</b>.</li>
<li style="text-align: justify; ">Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. <b>(Section 41.19(iv))</b>.</li>
<li style="text-align: justify; ">The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. <b>(41.20 (ix))</b>.</li>
<li style="text-align: justify; ">On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. <b>(41.20 (x))</b></li>
<li style="text-align: justify; ">Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(41.20 (xiv))</b>. </li>
<li>A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. <b>(Section 41.20 (xv))</b>.</li>
<li>For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. <b>(Section 41.20 (xx))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups/organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipment higher than this limit is deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. <b>(Section 2.2(vii))</b>. </li>
<li style="text-align: justify; ">The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. <b>(Section 9.1)</b>.</li>
<li style="text-align: justify; ">The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. <b>(Section 30.1)</b>.</li>
<li style="text-align: justify; ">The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. <b>(Section 34.1)</b>.</li>
<li style="text-align: justify; ">In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used will be provided by the licensee. <b>(Section 34.4)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. <b>(Section 34.6)</b>.</li>
<li style="text-align: justify; ">The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date, duration, time and charges of internet telephony calls. <b>(Section 34.7)</b>.</li>
<li style="text-align: justify; ">ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. <b>(Section 34.8)</b>.</li>
<li style="text-align: justify; ">The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 34.9)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. <b>(Section 34.12)</b>.</li>
<li style="text-align: justify; ">The list of Internet leased line customers and sub-customers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. <b>(Section 34.13)</b>. </li>
<li style="text-align: justify; ">The ISP must monitor high UDP traffic values, check for cases where upstream UDP traffic is similar to downstream UDP traffic, and monitor such customers monthly with physical verification and personal identity. <b>(Section 34.15)</b>.</li>
<li style="text-align: justify; ">The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. <b>(Section 34.22)</b>. </li>
<li style="text-align: justify; ">The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year, and the records will be destroyed unless directed otherwise. <b>(Section 34.23)</b>.</li>
<li style="text-align: justify; ">Every international gateway with a router/switch having a capacity of 2Mbps must be equipped with a monitoring centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i)))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii)))</b>. One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii)))</b>.</li>
<li style="text-align: justify; ">Each router/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. <b>(Section 34.27 (a(v)))</b>.</li>
<li style="text-align: justify; ">The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. <b>(Section 34.27 (ix))</b>.</li>
<li style="text-align: justify; ">On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. <b>(Section 34.27 (x))</b>.</li>
<li style="text-align: justify; ">Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(Section 34.27 (xiv))</b>.</li>
<li style="text-align: justify; ">A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. <b>(Section 34.27 (xv))</b>.</li>
<li style="text-align: justify; ">ISPs must provide access of their network and other facilities, as well as books to security agencies. <b>(Section 34.27 (xx))</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>12. </b><b>Principle - Safeguards for international cooperation</b>:<i> In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.</p>
<p>Below is a summary of the relevant provisions:</p>
<li style="text-align: justify; "><b>ITA 2000</b>: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. <b>(Section 1(2))</b> </li>
<li style="text-align: justify; "><b>UASL License:</b> The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature). <b>(Section 41.20 (viii))</b></li>
<li style="text-align: justify; "><b>ISP License:</b> For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or routed to any place outside of India. <b>(Section 34.28 (iii)) </b>ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) <b>(Section 34.28 (viii))</b></li>
<p style="text-align: justify; "><b>13. </b><b><i>Principle - Safeguards against illegitimate access</i></b><i>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007:</b> The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and/or a fine of Rs. 500 – 1000 depending on the exact violation. <b>(Section 20, 20A, 23, and 24 Indian Telegraph Act)</b>.</li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 21)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 6)</b>.</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. <b>(Section 41.20 (xix))</b>.</li>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. <b>(Section 34.28 (xix))</b>.</li>
<li style="text-align: justify; ">The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. <b>(Section 8.4)</b>.</li>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>14. </b><b><i>Principle - Cost of surveillance</i></b><b><i>:</i></b><i> The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.</p>
<p>Below are summaries of relevant provisions:</p>
<li><b>UASL License</b>:
<ul>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service provider's cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. <b>(Section 41.20 (xvi))</b>.</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. <b>(Section 34.7)</b>. </li>
<li style="text-align: justify; ">Every international gateway with a router/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
</ul>
</li>
</ul>
</li>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications'>https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T15:40:51Z | Blog Entry
An Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, I have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy." Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>In what ways can the privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. 
However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. 
The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and security momentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption is the answer to private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a person's financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in 
case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. 
So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisher | elonnai | SAFEGUARDS, Internet Governance, Privacy | 2013-09-06T09:37:47Z | Blog Entry