Centre for Internet and Society

Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman

maria — 2013-07-19T13:02:14Z

Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India!

Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:

1. What activities and functions does the Finnish data commissioner's office undertake?

2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?

3. How is the office of the Finnish data protection commissioner funded?

4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?

5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?

6. What challenges has your office faced?

7. What is the most common type of privacy violation that your office is faced with?

8. Does your office differ from other EU data protection commissioner offices?

9. How do you think data should be regulated in India?

10. Do you support the idea of co-regulation or self-regulation?

11. How can India protect its citizens' data when it is stored in foreign servers?

For more details visit https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy

Snooping technology: Will CMS work in India?

praskrishna — 2013-07-22T07:19:02Z

The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.

Pierre Fitter's article was published in FirstPost on July 17, 2013. Pranesh Prakash is quoted.

Several articles have raised valid questions about privacy violations, including this one by Danish Raza. Elsewhere, Pranesh Prakash has raised important points about how CMS may actually violate several laws and at least one Supreme Court verdict.

I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?

	Encryption In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

Encryption

In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistle blower Edward Snowden himself used encrypted email to communicate with journalists at the Guardian. In an online chat where he took questions from the public, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the eavesdropping behemoth created of the NSA.

It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India has been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.

Over the years it has become easier to encrypt one’s communication. YouTube tutorials train even novice users to set up email encryption within minutes. Phone calls, text messages and online chats can also be encrypted with free, easy-to-install apps.

The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that it took them four years to factor a 768-bit integer. They estimated it would take 1,000 times longer to factorise a 1024-bit integer. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.

Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.

What about ‘Metadata’?

It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses remain unencrypted, else the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.

However, this method of tracing criminals has a limitation. Programs such as TOR and Hotspot Shield disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.

There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!

To make untraceable phone calls, terrorists have been known to use “burner” phones. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged using even more untraceable.

Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to turn off their phones and remove the battery to prevent being tracked even while not on a call.

So what is CMS good for?

If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come off the mass hoovering of data of ordinary citizens’?

Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.

Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.

Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.

What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview. Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?

These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.

For more details visit https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology

Data protection experts slam state for sending mass SMSes

praskrishna — 2012-03-27T03:46:00Z

Experts in the field of data protection, privacy law and media have criticised the West Bengal government's mass SMS sent to individuals, companies and media houses through private mobile networks last Friday. Lara Choksey reports this in an article published in the Statesman on March 25, 2012.

The government's use of private data in order to spread political messages is ethically dubious and dangerous, say some. The SMS indirectly refers to The Telegraph's publication of the Poonam Pandey tweet, warning against the transmission of “provocative and indecent photographs for hurting the religious sentiments of people and disrupting communal harmony.” It urges recipients to “frustrate the designs of … unscrupulous people and maintain peace and communal harmony,” and is signed by “Mamata Banerjee, Chief Minister”.

Speaking to The Statesman on Saturday, Mumbai-based media lecturer Ms Geeta Seshu identified two issues with the government sending out political messages through mobile phone networks.

Firstly, from an ethical standpoint, the unchecked freedom of mobile phone companies to hand out private data is “completely wrong”, she said.

Secondly, the use of government funds for such dissemination needs to be transparent. If the state government has used public funds to distribute its message through a mobile phone network, then this information should be readily available, said Ms Seshu.

The Telecom Regulation Authority of India's (Trai) unsolicited commercial communications regulations allow unsolicited advertising through mobile phone networks.

Mr Apar Gupta, partner of Delhi-based law firm Advani and Co., explained, “The regulations are not wide enough to prohibit communications from a political party.” He observed, “Using SMS messages is a very efficient propaganda tool because so many people have access to mobile phones.”

Mobile phone networks such as Vodafone make it clear in their privacy policies that the personal data of its customers “may be used for inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party” (source Vodafone website).

Any third party ~ governmental or corporate ~ can therefore access the company's directory of private mobile numbers at the discretion of the network in question.

It is not yet clear which government department coordinated the SMS, or what funds were used to cover the costs. Representatives from the ministry of information and cultural affairs were not able to shed a light on the matter. “I know that a message was sent out,” said the I & CA director Umapada Chatterjee, "But it was not sent from this department. I do not know that information.”

Some commentators did not condemn the government's SMS. Delhi High Court lawyer and cyber law expert, Mr Praveen Dalal, criticised the publication of the Poonam Pandey tweet on the grounds of it violating the due diligence guidelines of the Cyber Law of India. He commented, “If casual and careless publications … continue, there would be no other option left for the government but to regulate their affairs in a more intrusive manner.”

However, executive director of the Centre for Internet and Society, Mr Sunil Abraham, called the state government's use of unsolicited SMS a “clear abuse of the powers afforded by elected office.” Mr Abraham explained that elected representatives would be justified in such measures, and in utilising public funds, in the event of a disaster, or when public order, public health or national security are compromised.

“However in this case, the government is abusing the provisions of the law and using this incident as a pretext to threaten media professionals with surveillance and to intimidate for the purposes of reigning in free speech,” he told The Statesman. The chief minister was unavailable to make a comment on the matter.

Read the original published in the Statesman

For more details visit https://cis-india.org/news/data-protection-experts-slam-state-for-sending-mass-smses

Eight Key Privacy Events in India in the Year 2015

Amber Sinha — 2016-01-03T05:43:42Z

As the year draws to a close, we are enumerating some of the key privacy related events in India that transpired in 2015. Much like the last few years, this year, too, was an eventful one in the context of privacy.

While we did not witness, as one had hoped, any progress in the passage of a privacy law, the year saw significant developments with respect to the ongoing Aadhaar case. The statement by the Attorney General, India's foremost law officer, that there is a lack of clarity over whether the right to privacy is a fundamental right, and the fact the the matter is yet unresolved was a huge setback to the jurisprudence on privacy. [1] However, the court has recognised a purpose limitation as applicable into the Aadhaar scheme, limiting the sharing of any information collected during the enrollment of residents in UID. A draft Encryption Policy was released and almost immediately withdrawn in the face of severe public backlash, and an updated Human DNA Profiling Bill was made available for comments. Prime Minister Narendra Modi's much publicised project "Digital India" was in news throughout the year, and it also attracted its' fair share of criticism in light of the lack of privacy safeguards it offered. Internationally, a lawsuit brought by Maximilian Schrems, an Austrian privacy activist, dealt a body blow to the fifteen year old Safe Harbour Framework in place for data transfers between EU and USA. Below, we look at what were, according to us, the eight most important privacy events in India, in 2015.

1. August 11, 2015 order on Aadhaar not being compulsory

In 2012, a writ petition was filed by Judge K S Puttaswamy challenging the government's policy in its attempt to enroll all residents of India in the UID project and linking the Aadhaar card with various government services. A number of other petitioners who filed cases against the Aadhaar scheme have also been linked with this petition and the court has been hearing them together. On September 11, 2015, the Supreme Court reiterated its position in earlier orders made on September 23, 2013 and March 24, 2014 stating that the Aadhaar card shall not be made compulsory for any government services. [2] Building on its earlier position, the court passed the following orders:

a) The government must give wide publicity in the media that it was not mandatory for a resident to obtain an Aadhaar card,

b) The production of an Aadhaar card would not be a condition for obtaining any benefits otherwise due to a citizen,

c) Aadhaar card would not be used for any purpose other than the PDS Scheme, for distribution of foodgrains and cooking fuel such as kerosene and for the LPG distribution scheme.

d) The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation.[3]

Despite this being the fifth court order given by the Supreme Court[4] stating that the Aadhaar card cannot be a mandatory requirement for access to government services or subsidies, repeated violations continue. One of the violations which has been widely reported is the continued requirement of an Aadhaar number to set up a Digital Locker account which also led to activist, Sudhir Yadav filing a petition in the Supreme Court.[5]

2. No Right to Privacy - Attorney General to SC

The Attorney General, Mukul Rohatgi argued before the Supreme Court in the Aadhaar case that the Constitution of India did not provide for a fundamental Right to Privacy.[6] He referred to the body of case in the Supreme Court dealing with this issue and made a reference to the 1954 case, MP Sharma v. Satish Chandra[7] stating that there was "clear divergence of opinion" on the Right to Privacy and termed it as "a classic case of unclear position of law." He also referred to the discussion on this matter in the Constitutional Assembly Debates and pointed to the fact the framers of the Constitution did not intend for this to be a fundamental right. He said the matter needed to be referred to a nine judge Constitution bench.[8] This raises serious questions over the jurisprudence developed by the Supreme Court on the right to privacy over the last five decades. The matter is currently pending resolution by a larger bench which needs to be constituted by the Chief Justice of India.

3. Shreya Singhal judgment and Section 69A, IT Act

In the much celebrated judgment, Shreya Singhal v. Union of India, in March 2015, the Supreme Court struck down Section 66A of the Information Technology Act, 2000 as unconstitutional and laid down guidelines for online takedowns under the Internet intermediary rules. However, significantly, the court also upheld Section 69A and the blocking rules under this provision. It was held to be a narrowly-drawn provision with adequate safeguards. The rules prescribe a procedure for blocking which involves receipt of a blocking request, examination of the request by the Committee and a review committee which performs oversight functions. However, commentators have pointed to the opacity of the process in the rules under this provisions. While the rules mandate that a hearing is given to the originator of the content, this safeguard is widely disregarded. The judgment did not discuss Section 69 of the Information Technology Act, 2000 which deal with decrypting of electronic communication, however, the Department of Electronic and Information Technology brought up this issue subsequently, through a Draft Encryption Policy, discussed below.

4. Circulation and recall of Draft Encryption Policy

On October 19, 2015, the Department of Electronic and Information Technology (DeitY) released for public comment a draft National Encryption Policy. The draft received an immediate and severe backlash from commentators, and was withdrawn by September 22, 2015. [9] The government blamed a junior official for the poor drafting of the document and noted that it had been released without a review by the Telecom Minister, Ravi Shankar Prasad and other senior officials.[10] The main areas of contention were a requirement that individuals store plain text versions of all encrypted communication for a period of 90 days, to be made available to law enforcement agencies on demand; the government's right to prescribe key-strength, algorithms and ciphers; and only government-notified encryption products and vendors registered with the government being allowed to be used for encryption.[11] The purport of the above was to limit the ways in which citizens could encrypt electronic communication, and to allow adequate access to law enforcement agencies. The requirement to keep all encrypted information in plain text format for a period of 90 days garnered particular criticism as it would allow for creation of a 'honeypot' of unencrypted data, which could attract theft and attacks.[12] The withdrawal of the draft policy is not the final chapter in this story, as the Telecom Minister has promised that the Department will come back with a revised policy. [13] This attempt to put restrictions on use of encryption technologies is not only in line with a host of surveillance initiatives that have mushroomed in India in the last few years,[14] but also finds resonance with a global trend which has seen various governments and law enforcement organisations argue against encryption. [15]

5. Privacy concerns raised about Digital India

The Digital India initiative includes over thirty Mission Mode Projects in various stages of implementation. [16] All of these projects entail collection of vast quantities of personally identifiable information of the citizens. However, most of these initiatives do not have clearly laid down privacy policies.[17] There is also a lack of properly articulated access control mechanisms and doubts over important issues such as data ownership owing to most projects involving public private partnership which involves private organisation collecting, processing and retaining large amounts of data. [18] Ahead of Prime Minister Modi's visit to the US, over 100 hundred prominent US based academics released a statement raising concerns about "lack of safeguards about privacy of information, and thus its potential for abuse" in the Digital India project. [19] It has been pointed out that the initiatives could enable a "cradle-to-grave digital identity that is unique, lifelong, and authenticable, and it plans to widely use the already mired in controversy Aadhaar program as the identification system." [20]

6. Issues with Human DNA Profiling Bill, 2015

The Human DNA Profiling Bill, 2015 envisions the creation of national and regional DNA databases comprising DNA profiles of the categories of persons specified in the Bill.[21] The categories include offenders, suspects, missing persons, unknown deceased persons, volunteers and such other categories specified by the DNA Profiling Board which has oversight over these banks. The Bill grants wide discretionary powers to the Board to introduce new DNA indices and make DNA profiles available for new purposes it may deem fit. [22] These, and the lack of proper safeguards surrounding issues like consent, retention and collection pose serious privacy risks if the Bill becomes a law. Significantly, there is no element of purpose limitation in the proposed law, which would allow the DNA samples to be re-used for unspecified purposes.[23]

7. Impact of the Schrems ruling on India

In Schrems v. Data Protection Commissioner, the Court of Justice in European Union (CJEU) annulled the Commission Decision 2000/520 according to which US data protection rules were deemed sufficient to satisfy EU privacy rules enabling transfers of personal data from EU to US, otherwise known as the 'Safe Harbour' framework. The court ruled that broad formulations of derogations on grounds of national security, public interest and law enforcement in place in the US goes beyond the test of proportionality and necessity under the Data Protection rules.[24] This judgment could also have implications for the data processing industry in India. For a few years now, a framework similar to the Safe Harbour has been under discussion for transfer of data between India and EU. The lack of a privacy legislation has been among the significant hurdles in arriving at a framework.[25] In the absence of a Safe Harbour framework, the companies in India rely on alternate mechanisms such as Binding Corporate Rules (BCR) or Model Contractual Clauses. These contracts impose the obligation on the data exporters and importers to ensure that 'adequate level of data protection' is provided. The Schrems judgement makes it clear that 'adequate level of data protection' entails a regime that is 'essentially equivalent' to that envisioned under Directive 95/46.[26] What this means is that any new framework of protection between EU and other countries like US or India will necessarily have to meet this test of essential equivalence. The PRISM programme in the US and a host of surveillance programmes that have been initiated by the government in India in the last few years could pose problems in satisfying this test of essential equivalence as they do not conform to the proportionality and necessity principles.

8. The definition of "unfair trade practices" in the Consumer Protection Bill, 2015

The Consumer Protection Bill, 2015, tabled in the Parliament towards the end of the monsoon session[27] has introduced an expansive definition of the term "unfair trade practices." The definition as per the Bill includes the disclosure "to any other person any personal information given in confidence by the consumer."[28] This clause exclude from the scope of unfair trade practices, disclosures under provisions of any law in force or in public interest. This provision could have significant impact on the personal data protection law in India. Currently, the only law governing data protection law are the Reasonable security practices and procedures and sensitive personal data or information Rules, 2011[29] prescribed under Section 43A of the Information Technology Act, 2000. Under these rules, sensitive personal data or information is protected in that their disclosure requires prior permission from the data subject. [30] For other kinds of personal information not categorized as sensitive personal data or information, the only recourse of data subjects in case to claim breach of the terms of privacy policy which constitutes a lawful contract. [31] The Consumer Protection Bill, 2015, if enacted as law, could significantly expand the scope of protection available to data subjects. First, unlike the Section 43A rules, the provisions of the Bill would be applicable to physical as well as electronic collection of personal information. Second, disclosure to a third party of personal information other than sensitive personal data or information could also have similar 'prior permission' criteria under the Bill, if it can be shown that the information was shared by the consumer in confidence.

What we see above are events largely built around a few trends that we have been witnessing in the context of privacy in India, in particular and across the world, in general. Lack of privacy safeguards in initiatives like the Aadhaar project and Digital India is symptomatic of policies that are not comprehensive in their scope, and consequently fail to address key concerns. Dr Usha Ramanathan has called these policies "powerpoint based policies" which are implemented based on proposals which are superficial in their scope and do not give due regard to their impact on a host of issues. [32] Second, the privacy concerns posed by the draft Encryption Policy and the Human DNA Profiling Bill point to the motive of surveillance that is in line with other projects introduced with the intent to protect and preserve national security. [33] Third, the incidents that championed the cause of privacy like the Schrems judgment have largely been initiated by activists and civil society actors, and have typically entailed the involvement of the judiciary, often the single recourse of actors in the campaign for the protection of civil rights. It must be noted that jurisprudence on the right to privacy in India has not moved beyond the guidelines set forth by the Supreme Court in PUCL v. Union of India.[34] However, new mass surveillance programmes and massive collection of personal data by both public and private parties through various schemes mandated a re-look at the standards laid down twenty years ago. The privacy issue pending resolution by a larger bench in the Aadhaar case affords an opportunity to revisit those principles in light of how surveillance has changed in the last two decades and strengthen privacy and data protection.

^{^[1]} Right to Privacy not a fundamental right, cannot be invoked to scrap Aadhar: Centre tells Supreme Court, available at http://articles.economictimes.indiatimes.com/2015-07-23/news/64773078_1_fundamental-right-attorney-general-mukul-rohatgi-privacy

^{^[2]} SC allows govt to link Aadhaar card with PDS and LPG subsidies, available at http://timesofindia.indiatimes.com/india/SC-allows-govt-to-link-Aadhaar-card-with-PDS-and-LPG-subsidies/articleshow/48436223.cms

^{^[3]} http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

^{^[4]} Five SC Orders Later, Aadhaar Requirement Continues to Haunt Many, available at http://thewire.in/2015/09/19/five-sc-orders-later-aadhaar-requirement-continues-to-haunt-many-11065/

[5] Digital Locker scheme challenged in Supreme Court, available at http://www.moneylife.in/article/digital-locker-scheme-challenged-in-supreme-court/42607.html

^{^[6]} Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise, available at http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise

^{^[7]} 1954 SCR 1077.

^{^[8]} Supra Note 1.

^{^[9]} Government to withdraw draft encryption policy, available at http://www.thehindu.com/news/national/govt-to-withdraw-draft-encryption-policy/article7677348.ece

^{^[10]} Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad, available at http://economictimes.indiatimes.com/articleshow/49068406.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^{^[11]} Updated: India's draft encryption policy puts user privacy in danger, available at http://www.medianama.com/2015/09/223-india-draft-encryption-policy/

^{^[12]} Bhairav Acharya, The short-lived adventure of India's encryption policy, available at http://notacoda.net/2015/10/10/the-short-lived-adventure-of-indias-encryption-policy/

^{^[13]} Supra Note 9.

^{^[14]} Maria Xynou, Big democracy, big surveillance: India's surveillance state, available at https://www.opendemocracy.net/opensecurity/maria-xynou/big-democracy-big-surveillance-indias-surveillance-state

^{^[15]} China passes controversial anti-terrorism law to access encrypted user accounts, available at http://www.theverge.com/2015/12/27/10670346/china-passes-law-to-access-encrypted-communications ; Police renew call against encryption technology that can help hide terrorists, available at http://www.washingtontimes.com/news/2015/nov/16/paris-terror-attacks-renew-encryption-technology-s/?page=all .

^{^[16]} http://www.mmp.cips.org.in/digital-india/

[17] http://slides.com/cisindia/big-data-in-indian-governance-preliminary-findings#/

^{^[18]} Indira Jaising, Digital India Schemes Must Be Preceded by a Data Protection and Privacy Law, available at http://thewire.in/2015/07/04/digital-india-schemes-must-be-preceded-by-a-data-protection-and-privacy-law-5471/

^{^[19]} US academics raise privacy concerns over 'Digital India' campaign, available at http://yourstory.com/2015/08/us-digital-india-campaign/

^{^[20]} Lisa Hayes, Digital India's Impact on Privacy: Aadhaar numbers, biometrics, and more, available at https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/

^{^[21]} http://www.prsindia.org/uploads/media//draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf

^{^[22]} Comments on India's Human DNA Profiling Bill (June 2015 version), available at http://www.genewatch.org/uploads/f03c6d66a9b354535738483c1c3d49e4/IndiaDNABill_FGPI_15.pdf

^{^[23]} Elonnai Hickok, Vanya Rakesh and Vipul Kharbanda, CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015, available at http://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015

^{^[24]} http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

^{^[25]} Jyoti Pandey, Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India, available at http://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

^{^[26]} Simon Cox, Case Watch: Making Sense of the Schrems Ruling on Data Transfer, available at https://www.opensocietyfoundations.org/voices/case-watch-making-sense-schrems-ruling-data-transfer

^{^[27]} http://www.prsindia.org/billtrack/the-consumer-protection-bill-2015-3965/

^{^[28]} Section 2(41) (I) of the Consumer Protection Bill, 2015.

^{^[29]} http://www.ijlt.in/pdffiles/IT-%28Reasonable%20Security%20Practices%29-Rules-2011.pdf

^{^[30]} Rule 6 of Reasonable security practices and procedures and sensitive personal data or information Rules, 2011

^{^[31]} Rule 4 of Reasonable security practices and procedures and sensitive personal data or information Rules, 2011

^{^[32]} http://cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology

^{^[33]} Supra Note 11.

^{^[34]} Chaitanya Ramachandra, PUCL V. Union of India Revisited: Why India's Sureveillance Law must be redesigned for the Digital Age, available at http://nujslawreview.org/wp-content/uploads/2015/10/Chaitanya-Ramachandran.pdf

For more details visit https://cis-india.org/internet-governance/blog/eight-key-privacy-events-in-india-in-the-year-2015

Unbundling Issues of Privacy, Data Security, Identity Matrics, for Financial Inclusion

praskrishna — 2016-01-03T10:45:19Z

This event was organized by Indicus Foundation and MicroSave on December 10, 2015 at the Metropolitan Hotel and Spa, New Delhi. Sunil Abraham was a speaker.

While the initiative towards financial inclusion has gathered new impetus with the PMJDY and the accelerated roll out of benefits, there is also a parallel narrative of concerns over the legality and fundamental constitutionality of identity verification, which is a centre piece for delivery of financial benefits and services. These divergent narratives have now reached the Supreme Court.

At one end of the spectrum are the voices that avow the power of biometric technology to irrepudiately establish biological identity; at the other, the alarmism over targeting, concentration and misuse of personal information contained in the world’s biggest personal database. There is also a third extreme position of whether Indian citizens are entitled to the right to privacy constitutionally, and whether the right to privacy includes the right to refuse a national identity number or metric altogether. That India has yet to enact a Privacy Bill and the National Identity Authority Bill on which rests the statutory basis for UIDAI and Aadhaar only adds to the quagmire.

Several issues lie intertwined in this miasma: Privacy as an absolute right; Definition and Limits of Personal Information and Sensitive Personal Information; Consent protocols over use of personal information; Data Security; Appropriate and inclusive technology platforms; and Responsibilities and Liabilities governing the use of personal information for bonafide purposes. These straddle multiple domains: data accuracy and irrepudiability; storage, security and encryption; and sharing of information for transaction processing including across national boundaries. Unfortunately, all of these tend to get lumped together in the public debate.

The aim of this workshop is to unbundle the issues and understand each of them from the perspective of financial inclusion, to be able to answer these questions:

How essential and critical is a unified Identity metric for digital financial transactions? How essential is that such a metric be biometric?
To what extent does the centralised storage of biometric data represent risks of personal safety and national security, compared to the information on election voter lists, passport offices, census data, and bank accounts?
What are the possible sources of transactional risk and security breaches in data sharing, and what are the international best practices?
Is the present Aadhaar architecture robust enough to: address all the genuine and reasonable concerns over leakage and misuse of sensitive personal information; and to ensure that no genuine identity holder is turned away from a service, entitlement or benefit to which (s)he has a right or claim?

In this direction, we have the privilege to interact in this workshop with experts from The Centre for Internet and Society, and Data Security Council of India who have been at the forefront of the discussions on privacy and data security aspects of technology based innovations including for financial inclusion.

Download the Workshop Schedule here

For more details visit https://cis-india.org/internet-governance/news/unbundling-issues-of-privacy-data-security-identity-matrics-for-financial-inclusion

Human Rights in the Age of Digital Technology: A Conference to Discuss the Evolution of Privacy and Surveillance

Amber Sinha — 2016-01-11T02:12:49Z

The Centre for Internet and Society organised a conference in roundtable format called ‘Human Rights in the Age of Digital Technology: A Conference to discuss the evolution of Privacy and Surveillance. The conference was held at Indian Habitat Centre on October 30, 2015. The conference was designed to be a forum for discussion, knowledge exchange and agenda building to draw a shared road map for the coming months.

In India, the Right to Privacy has been interpreted to mean an individual's’ right to be left alone. In the age of massive use of Information and Communications Technology, it has become imperative to have this right protected. The Supreme Court has held in a number of its decisions that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Indian Constitution, though Part III does not explicitly mention this right. The Supreme Court has identified the right to privacy most often in the context of state surveillance and introduced the standards of compelling state interest, targetted surveillance and oversight mechanism which have been incorporated in the forms of rules under the Indian Telegraph Act, 1885. Of late, privacy concerns have gained importance in India due to the initiation of national programmes like the UID Scheme, DNA Profiling, the National Encryption Policy, etc. attracting criticism for their impact on the right to privacy. To add to the growing concerns, the Attorney General, Mukul Rohatgi argued in the ongoing Aadhaar case that the judicial position on whether the right to privacy is a fundamental right is unclear and has questioned the entire body of jurisprudence on right to privacy in the last few decades.

Participation

The roundtable saw participation from various civil society organisation such as Centre for Communication Governance, The Internet Democracy Project, as well as individual researchers like Dr. Usha Ramanathan and Colonel Mathew.

Introductions

Vipul Kharbanda, Consultant, CIS made the introductions and laid down the agenda for the day. Vipul presented a brief overview of the kind of work of CIS is engaged in around privacy and surveillance, in areas including among others, the Human DNA Profiling Bill, 2014, the Aadhaar Project, the Privacy Bill and surveillance laws in India. It was also highlighted that CIS was engaged in work in the field of Big Data in light of the growing voices wanting to use Big Data in the Smart Cities projects, etc and one of the questions was to analyse whether the 9 Privacy Principles would still be valid in a Big Data and IoT paradigm.

The Aadhaar Case

Dr. Usha Ramanathan began by calling the Aadhaar project an identification project as opposed to an identity project. She brought up various aspects of project ranging from the myth of voluntariness, the strong and often misleading marketing that has driven the project, the lack of mandate to collect biometric data and the problems with the technology itself. She highlighted inconsistencies, irrationalities and lack of process that has characterised the Aadhaar project since its inception. A common theme that she identified in how the project has been run was the element of ad-hoc-ness about many important decisions taken on a national scale and migrating from existing systems to the Aadhaar framework. She particularly highlighted the fact that as civil society actors trying to make sense of the project, an acute problem faced was the lack of credible information available. In that respect, she termed it as ‘powerpoint-driven project’ with a focus on information collection but little information available about the project itself. Another issue that Dr. Ramanathan brought up was that the lack of concern that had been exhibited by most people in sharing their biometric information without being aware of what it would be used, was in some ways symptomatic of they way we had begun to interact with technology and willingly giving information about ourselves, with little thought. Dr Ramanathan’s presentation detailed the response to the project from various quarters in the form of petitions in different high courts in India, how the cases were received by the courts and the contradictory response from the government at various stages. Alongside, she also sought to place the Aadhaar case in the context of various debates and issues, like its conflict with the National Population Register, exclusion, issues around ownership of data collected, national security implications and impact on privacy and surveillance. Aside from the above issues, Dr. Ramanathan also posited that the kind of flat idea of identity envisaged by projects like Aadhaar is problematic in that it adversely impacts how people can live, act and define themselves. In summation, she termed the behavior of the government as irresponsible for the manner in which it has changed its stand on issues to suit the expediency of the moment, and was particularly severe on the Attorney General raising questions about the existence of a fundamental right to privacy and casually putting in peril jurisprudence on civil liberties that has evolved over decades.

Colonel Mathew concurred with Dr. Ramanathan that the Aadhaar Project was not about identity but about identification. Prasanna developed on this further saying that while identity was a right unto the individual, identification was something done to you by others. Colonel Mathew further presented a brief history of the Aadhaar case, and how the significant developments over the last few years have played out in the courts. One of the important questions that Colonel Mathew addressed was the claim of uniqueness made by the UID project. He pointed to research conducted by Hans Varghese Mathew which analysed the data on biometric collection and processing released by the UID and demonstrated that there was a clear probability of a duplication in 1 out of every 97 enrolments. He also questioned the oft-repeated claim that UID would give identification to those without it and allow them to access welfare schemes. In this context, he pointed at the failures of the introducer system and the fact that only 0.03% of those registered have been enrolled through the introducer system. Colonel Mathew also questioned the change in stance by the ruling party, BJP which had earlier declared that the UID project should be scrapped as it was a threat to national security. According to him, the prime mover of the scheme were corporate interests outside the country interested in the data to be collected. This, he claimed created very serious risks to the national security. Prasanna further added to this point stating that while, on the face of it, some of the claims of threats to national security may sound alarmist in nature, if one were to critically study the manner in which the data had collected for this project, the concerns appeared justified.

The Draft Encryption Policy

Amber Sinha, Policy Officer at CIS, made a presentation on the brief appearance of the Draft Encryption Policy which was released in October this year, and withdrawn by the government within a day. Amber provided an overview of the policy emphasising on clauses around limitations on kind of encryption algorithms and key sizes individuals and organisations could use and the ill-advised procedures that needed to be followed. After the presentation, the topic was opened for discussion. The initial part of the discussion was focussed on specific clauses that threatened privacy and could serve the ends of enabling greater surveillance of the electronic communications of individuals and organisations, most notably having an exhaustive list of encryption algorithms, and the requirement to keep all encrypted communication in plain text format for a period of 90 days. We also attempted to locate the draft policy in the context of privacy debates in India as well as the global response to encryption. Amber emphasised that while mandating minimum standards of encryption for communication between government agencies may be a honorable motive, as it is concerned with matters of national security, however when this is extended to private parties and involved imposes upward thresholds on the kinds of encryption they can use, it stems from the motive of surveillance. Nayantara, of The Internet Democracy Project, pointed out that there had been global push back against encryption by governments in various countries like US, Russia, China, Pakistan, Israel, UK, Tunisia and Morocco. In India also, the IT Act places limits on encryption. Her points stands further buttressed by the calls against encryption in the aftermath of the terrorist attacks in Paris last month.

It also intended to have a session on the Human DNA Profiling Bill led by Dr. Menaka Guruswamy. However, due to certain issues in scheduling and paucity of time, we were not able to have the session.

Questions Raised

On Aadhaar, some of the questions raised included the question of applicability of the Section 43A, IT Act rules to the private parties involved in the process. The issue of whether Aadhaar can be tool against corruption was raised by Vipul. However, Colonel Mathew demonstrated through his research that issues like corruption in the TPDS system and MNREGA which Aadhaar is supposed to solve, are not effectively addressed by it but that there were simpler solutions to these problems.

Ranjit raised questions about the different contexts of privacy, and referred to the work of Helen Nissenbaum. He spoke about the history of freely providing biometric information in India, initially for property documents and how it has gradually been used for surveillance. He argued has due to this tradition, many people in India do not view sharing of biometric information as infringing on their privacy. Dipesh Jain, student at Jindal Global Law School pointed to challenges like how individual privacy is perceived in India, its various contexts, and people resorting to the oft-quoted dictum of ‘why do you want privacy if you have nothing to hide’. In the context, it is pertinent to mention the response of Edward Snowden to this question who said, “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” Aakash Solanki, researcher

Vipul and Amber also touched upon the new challenges that are upon us in a world of Big Data where traditional ways to ensure data protection through data minimisation principle and the methods like anonymisation may not work. With advances in computer science and mathematics threatening to re-identify anonymized datasets, and more and more reliances of secondary uses of data coupled with the inadequacy of the idea of informed consent, a significant paradigm shift may be required in how we view privacy laws.

A number of action items going forward were also discussed, where different individuals volunteered to lead research on issues like the UBCC set up by the UIDAI, GSTN, the first national data utility, looking the recourses available to individual where his data is held by parties outside India’s jurisdiction.

For more details visit https://cis-india.org/internet-governance/blog/human-rights-in-the-age-of-digital-technology-a-conference-to-discuss-the-evolution-of-privacy-and-surveillance

Reply to RTI Application under RTI Act of 2005 from Vanya Rakesh

vanya — 2016-01-13T02:40:57Z

Unique Identification Authority of India replied to the RTI application filed by Vanya Rakesh.

Madam,

Please refer to your RTI application dated 3.12.2015 received in the Division on 10.12.2015 on the subject mentioned above requesting to provide the information in electronic form via the email address vanya@cis-india.org, copies of the artwork in print media released by UIDAI to create awareness about use of Aadhaar not being mandatory.
I am directed to furnish herewith in electronic form, copy of the artwork in print media released / published in the epapers edition of the Times of India and Dainik Jagran in their respective editions of dated 29.8.2015 in a soft copy, about obtaining of Aadhaar not being mandatory for a citizen, as desired.
In case, you want to go for an appeal in connection with the information provided, you may appeal to the Appellate Authority indicated below within thirty days from the date of receipt of this letter.
Shri Harish Lal Verma,
Deputy Director (Media),
Unique Identification Authority of India
3nd Floor, Tower – II, Jeevan Bharati Building,
New Delhi – 110001.

Yours faithfully,

(T Gou Khangin)
Section Officer & CPIO Media Division

Copy for information to: Deputy Director (Establishment) & Nodal CPIO

Below scanned copies:

RTI Reply

Coverage in Dainik Jagran

Download the coverage in the Times of India here. Read the earlier blog entry here.

For more details visit https://cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh

Anti-Spam Laws in Different Jurisdictions: A Comparative Analysis

Rakshanda Deka — 2015-07-02T16:21:01Z

This paper is divided into three sections. The first section puts forth a comparative table of the spam laws of five different countries - the United States of America, Australia, Canada, Singapore and the United Kingdom - based on eight distinct parameters- jurisdiction of the legislation, definition of ‘spam’, understanding of consent, labelling requirements, types of senders covered, entities empowered to sue, exceptions made and penalties prescribed. The second section is a brief background of the problem of spam and it attempts to establish the context in which the paper is written. The third section is a critical analysis of the laws covered in the first section. In an effort to spot the various loopholes in these laws and suggest effective alternatives, this section points out the distinctions between the various legislations and discusses briefly their respective advantages and disadvantages.

Note:- This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analyzing the existing spam laws across the world.

	CAN-SPAM Act, 2003	Spam Act, 2003 (Australia)	Spam Control Act, 2007 (Singapore)	Canada's Anti-Spam Legislation, 2014	The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom)
Jurisdiction	National Jurisdiction. The defendant must be either an inhabitant of the United States or have a physical place of business in the US.[1]	National Jurisdiction. Must have an "Australian link" i.e. (a) the message originates in Australia; or (b) the individual or organisation who sent the message, or authorised the sending of the message, is: (i) an individual who is physically present in Australia when the message is sent; or (ii) an organisation whose central management and control is in Australia when the message is sent; or (c) the computer, server or device that is used to access the message is located in Australia; or (d) the relevant electronic account-holder is: (i) an individual who is physically present in Australia when the message is Spam Act, 2003, § 7 Spam Control Act, 2007, § 7(2) Canada's Anti-Spam Legislation, 2014, §accessed; or (ii) an organisation that carries on business or activities in Australia when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address does not exist-assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.[2]	National Jurisdiction. Must have a "Singapore link" An electronic message has a Singapore link in the following circumstances: (a) the message originates in Singapore; (b) the sender of the message is - (i) an individual who is physically present in Singapore when the message is sent; or (ii) an entity whose central management and control is in Singapore when the message is sent; © the computer, mobile telephone, server or device that is used to access the message is located in Singapore; the recipient of the message is- (i) an individual who is physically present in Singapore when the message is accessed; or (ii)an entity that carries on business or activities in Singapore when the message is accessed; or (e) if the message cannot be delivered because the relevant electronic address has ceased to exist (assuming that the electronic address existed), it is reasonably likely that the message would have been accessed using a computer, mobile telephone, server or device located in Singapore.[3]	Extends to cases where the mail originates in a foreign state but is accessed in Canada Section 6 of the CASL prohibits the sending of unsolicited CEMs.[4] As per Section 12 of the CASL, A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message. CASL applies to CEMs sent from, or accessed in, Canada.[5] So, if a CEM is sent to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list of prescribed jurisdictions with anti-spam laws thought to be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction.	European Union These regulations can be enforced against a person or a company anywhere in the European Union who violates the regulations.
Definition Of Spam	"unsolicited, commercial, electronic mail"[6], where a commercial electronic mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"[7]	"unsolicited commercial electronic messages" where electronic message means a message sent "using an internet carriage service or any other listed carriage service; and to an electronic address in connection with: an e-mail account; or an instant messaging account; or a telephone account; or a similar accounts."[8]	"unsolicited commercial electronic message sent in bulk", where a CEM is unsolicited if the recipient did not- i) request to receive the message; or ii)consent to the receipt of the message;[9] and CEMs shall be deemed to be sent in bulk if a person sends, causes to be sent or authorizes the sending of- a) more than 100 messages containing the same subject matter during a 24-hour period; b) more than 1,000 messages containing the same subject matter during a 30-day period; c) more than 10,000 messages containing the same subject matter during a one-year period.	"unsolicited, commercial, electronic message"[10] where, an "electronic message" means a message sent by any means of telecommunication, including a text, sound, voice or image message.[11]	These rules apply to all unsolicited direct marketing communications by automatic call machines[12], fax[13], calls[14] or e-mail[15]. Where, "direct marketing" is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"[16] The UK used its discretion to include voice-to-voice telephone calls as well.
Consent Requirement	Opt-out	Opt-in	Opt-out	Opt-in	Opt-in
Consent Requirement	CEMs are unlawful unless the message provides- (i)clear and conspicuous identification that the message is an advertisement or solicitation; (ii)clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and (iii) a valid physical postal address of the sender.[17]	Section 16 prohibits the sending of unsolicited commercial electronic messages. However, where a recipient has consented to the sending of the message, the said prohibition does not apply.[18] Consent means: (a) express consent; or (b) consent that can reasonably be inferred from: (i) the conduct; and (ii) the business and other relationships; of the individual or organisation concerned.[19]	CEMs are unlawful unless the message contains- 1 a) an electronic mail address, an Internet location address, a telephone number, a facsimile number or a postal address that the recipient may use to submit an unsubscribe request; and b) a statement the above information may be utilized to send an unsubscribe request. 2. Where the unsolicited CEM is received by text or multimedia message sent to a mobile telephone number, the CEM must include a mobile telephone number to which the recipient may send an unsubscribe request. [20]	Under the CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless, (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) The message must- (i) set out prescribed information that identifies the person who sent the message and the person - if different - on whose behalf it is sent; (ii) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (i); and (iii) set out an unsubscribe mechanism in accordance with subsection 11(1) of CASL.[21]	Under Section 19 , A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line. Under Section 20 , A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of an individual or a company except in the circumstances where the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller. Under Section 21, A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line. Under Section 22 , a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
Labelling Requirements	Warning Labels mandatory on e-mails containing pornographic content No person may send to a protected computer, any commercial electronic mail message that includes sexually oriented material and- (a) fail to include in subject heading for the electronic mail message the marks or notices prescribed by the law; or (B) fail to provide that the matter in the message that is initially viewable to the recipient, when the message is opened by any recipient and absent any further actions by the recipient, includes only- (i) material which the recipient has consented to; (ii) the identifier information required to be included in pursuance Section 5(5); and (iii) Instructions on how to access, or a mechanism to access, the sexually oriented material.[22]	Not Applicable.	True e-mail title and clear identification of advertisements with "ADV" label Every unsolicited CEM must contain- a) where there is a subject field, a title which is not false or misleading as to the content of the message; b) the letters "<ADV>" with a space before the title in the subject field or if there is no subject field, in the words first appearing in the message to clearly identify that the message is an advertisement; c) header information that is not false or misleading; and d) an accurate and functional e-mail address or telephone number by which the sender can be readily contacted.[23]	Not Applicable.	Not Applicable.
Other Banned/Restricted Activities	Illegal Access- Prohibition Against Predatory and Abusive Commercial E-Mail- "Whoever, in or affecting interstate or foreign commerce, knowingly- (1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple CEMs from or through such computer, (2) uses a protected computer to relay or retransmit multiple CEMs, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages, (3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages, (4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or (5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses, or conspires to do so, shall be punished as provided for in the Act.[24]	Supply of address harvesting software and harvested‑address lists "A person must not supply or offer to supply: (a) address‑harvesting software; or (b) a right to use address‑harvesting software; or (c) a harvested address list; or (d) a right to use a harvested‑address list; to another person if: (e) the supplier is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer; or (f) the customer is: (i) an individual who is physically present in Australia at the time of the supply or offer; or (ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer."	Dictionary Attacks and Address harvesting software "No person shall send, cause to be sent, or authorize the sending of, an electronic message to electronic addresses generated or obtained through the use of- a) a dictionary attack; b) address harvesting software.[25] Where, "dictionary attack" means the method which by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations.[26] And, "address harvesting software" means software that is specifically designed or marketed for use for- a)searching the Internet for electronic addresses; and, b) collecting, compiling, capturing or otherwise harvesting those electronic addresses."[27]	Altering Transmission Data "It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless (a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4) of CASL; or (b) the alteration is made in accordance with a court order.[28] Installation of Computer Program A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5) of the CASL; or (b) the person is acting in accordance with a court order. (2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."[29]	Electronic mail for direct marketing purposes where the identity or address of the sender is concealed A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail- (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or (b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.
Types of Senders Covered	Spammers and beneficiaries- the term ''sender'', when used with respect to a commercial electronic mail message, means a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."[30]	Spammers and beneficiaries- A person must not send, or cause to be sent, a commercial electronic message that: (a) has an Australian link; and (b) is not a designated commercial electronic message.[31]	Spammers, beneficiaries, and providers of support services "sender" means a person who sends a message, causes the message to be sent, or authorizes the sending of the message.[32] Further, persons aiding or abetting the offences under Section 9 or 11 are also punishable under the Act.[33]	Spammers and beneficiaries- Under Section 6, it is prohibited to send or cause or permit to be sent to an electronic address a CEM. Under Section 7, It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in a CEM. Under Section 8, A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system.	Spammers and beneficiaries- The texts of Sections 19, 20, 21 and 22 all prohibit the transmission as well as the instigation of the transmission of, communications for direct marketing purposes without the consent of the recipient.
Who Can Sue	FTC[34], Attorney Generals[35], ISPs and IAPs[36] and most recently even companies/private entities[37]	Australian Communications and Media Agency (ACMA)[38]	Any injured party, including individual users.[39]	Any injured party, including individual users.[40]	Any person who suffers damage by reason of any contravention of any of the requirements of these Regulations.[41]
Exceptions	Transactional or Relationship Messages [42] where, The term ''transactional or relationship message'' means an electronic mail message the primary purpose of which is- (i) to facilitate, complete, or confirm a commercial transaction; (ii) to provide warranty information, product recall information, etc. with respect to a commercial product or service used or purchased by the recipient; (iii) to provide notifications- (I) concerning a change in the terms or features of; (II) of a change in the recipient's standing or status with respect to; or (III) information with respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; (iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or (v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.	Designated Commercial Electronic Message (DCEM). A DCEM is a message containing purely factual information, any related comments of non-commercial nature and some limited commercial information as to the identity of the sender company/individual.[43] A message is a DCEMs if- a) the sending of the message is authorized by any of the following bodies: (i) a government body; (ii) a registered political party; (iii) a religious organization; (iv) a charity or charitable institution; and (b) the message relates to goods or services; and (c) the body is the supplier, or prospective supplier, of the goods or services concerned.[44] Messages from educational institutions: an electronic message is a *DCEM* if: (a) the sending of the message is authorised by an educational institution; and (b) either or both of the following subparagraphs applies: (i) the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; (ii) a member or former member of the household of the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; and (c) the message relates to goods or services; and (d) the institution is the supplier, or prospective supplier, of the goods or services concerned.	Electronic Messages authorized by the Government[45] The Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in the public interest or in the interests of public security or national defence.[46] A certificate signed by the Minister shall be conclusive evidence of existence of a public emergency and the other above stated matters.[47]	Family and Personal relationships, where "Family relationship" is a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship who have had direct, voluntary two-way communications; and "personal relationship" means a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal.[48] Mails sent to an individual who practices a particular commercial activity with the mail containing solely an inquiry or application related to that activity[49]. A mail which - provides a quote or estimate for the supply of a product, goods, a service, etc. if requested by the recipient; · facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender; · provides warranty information, product recall information etc. about a product, goods or a service that the recipient uses, has used or has purchased; · provides notification of factual information about- (i) the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or · provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled; · delivers a product, goods or a service, including updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender.[50] · Telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.[51] · CEMs which are two-way voice communication between individuals sent by means of a facsimile or a voice recording sent to a telephone account.[52]	A person may send or instigate the sending of electronic mail for the purposes of direct marketing where - (a) the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.[53]
Penalties	Civil and Criminal Statutory damages- Amount calculated by multiplying the number of violations by up to $250. Total amount of damages may not exceed $2,000,000. [54] Imprisonment- upto 5 years.[55] Forfeiture from the offender, of- i) any property, real or personal, constituting or traceable to gross proceeds obtained from such offense; ii) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.[56]	Civil only For a body corporate without prior record, for upto 2 contraventions, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1000 penalty units in any other case. For a body corporate with prior record, for upto 2 contravention, civil penalty should not exceed i) 500 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 250 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 10,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 5,000 penalty units in any other case. For a person without prior record, for upto 2 contraventions, civil penalty should not exceed i) 20 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 10 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 400 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 200 penalty units in any other case. For a person with prior record, for upto 2 contravention, civil penalty should not exceed i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 50 penalty units in any other case. For more than 2 contraventions, civil penalty should not exceed i) 2,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or (9); or ii) 1,000 penalty units in any other case.[57]	Civil only i) Injunction ii) Damages- calculated in terms of loss suffered as a direct or indirect result of the contravention of the Act. ii) Statutory Damages not exceeding $25 for each CEM; and not exceeding in the aggregate $1 million, unless the plaintiff proves that his actual loss from such CEMs exceeds $1 million.[58] iii)Costs of litigation to the plaintiff.[59]	Civil only Administrative Monetary Penalty , the purpose of which is to promote compliance with the Act and not to punish.[60] The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.[61]	Civil on private action; Criminal for non-compliance with IC's notice A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.[62] The enforcement authority for these regulations is Britain's Information Commissioner who oversees both the Act and the Regulations, and investigates complaints and makes findings in the form of various types of notices.[63] Failure to comply with any notice issued by the Information Commissioner is a criminal offence and is punishable with a fine of upto £5000 in England and Wales and £10,000 Scotland.[64]

THE PROBLEM OF SPAM -WHY IT PERSISTS

As per a study conducted by Kaspersky Lab in 2014, 66.34% of all messages exchanged over the internet were spam.[65] Over the 2000s, several countries recognized the threats posed by spam and enacted specific legislations to tackle the same. The ones taken into consideration in this paper are the CAN-SPAM Act, 2003 of the United States, Canada's Anti-Spam Legislation, 2014, The Spam Act, 2003 of Australia, Singapore's Spam Control Act, 2007 and The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom). As will be analyzed in the course of this paper, none of these laws have evolved to become comprehensive mechanisms for combating spam yet. Nevertheless, post the enactment of these laws, spam has reduced as a percentage of the net email traffic; however, the absolute quantity of spam has increased owing to the exponential growth of email traffic universally.[66]

Who Benefits from Spam?

1. Commercial establishments - Spamming is one of the most cost-effective means of promoting products and services to a large number of potential customers. Spams are not necessarily duplicitous and often contain legitimate information to which a fraction of the recipients respond positively. As per a recent study, for spam to be profitable, only 1 in 25,000 spam recipients needs to open the email, get enticed, and make a gray-market purchase.[67]

2. Non-commercial establishments benefitting from advertisements - Many seemingly non-profit messages benefit from revenue generated through advertisements when recipients visit their site. Advertisers pay these sites either per click or per impression.

3. Spammers - The costs incurred by spammers largely include the cost of e-mail/phone number harvesting and the cost of paying botnet operators. As compared to the revenue generated as a percentage of profits earned by the merchant on whose behalf spam messages are sent, these costs are negligible.[68]

Thus, spamming proves to be an activity that involves minimal investment and often yields some response from prospective clients.

The impact of spam is clearly widespread. Presently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam across the globe and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.

OBSERVATIONS AND ANALYSIS

1. Definition of Spam

a. 'Spam' must be defined in a technologically neutral manner

The legislations analyzed in this paper deal with either one or a cluster of modes of communication through which spam may be sent. However, it is essential that 'spam' is defined in a manner that is technologically neutral. Most commercial spam is aimed at promoting products and services to a large number of prospective customers. Thus, making only spam e-mails illegal, like the CAN-SPAM Act does, fails to address the issue wholly as companies would always retain the option of sending unsolicited messages through other communicative devices. It becomes an issue of merely switching modes of communication without there being any actual deterrence to spamming. Thus, a narrow understanding of spam, limiting it to one or few modes of communication, is problematic and for a model law, a broader definition that discourages unsolicited messages sent via any network is warranted.

b. Non-commercial spam must also be addressed

The five legislations examined in this paper address only the issue of unsolicited 'commercial' mails/messages. For instance, under the CAN-SPAM, a commercial mail means " any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service". Singapore's Spam Control Act defines a commercial message in a similar fashion but more elaborately. CASL, while limiting the scope of the law to commercial mail, additionally prescribes that such communication need not have a profit motive. Australia's Spam Act defines a commercial message as a message that has the purpose of offering, advertising or promoting goods or services or the supplier or prospective supplier of goods or services. Under the EC Directive, the term used is 'marketing communication'; however, in essence, it includes only commercial communications.[69] These definitions suffer from an obvious exclusion error. It is known from experience that not all unsolicited messages received are in pursuance of commercial interests. Often, unsolicited mails and messages are received with explicit sexual content as well as promoting political and religious agendas sent by party volunteers.

Thus, it would be in higher consonance with the greater aim of curbing spam to broaden the scope of these legislations to address both commercial as well as non-commercial messages.

c. Bulk requirement and its quantification

The Singaporean law makes 'sent in bulk' a mandatory requirement for spam. However, deciding what quantity of a particular message qualifies it as bulk is difficult. If an objective threshold is set, say 100 messages in 24 hours, then anything short of that, say even 99 messages, go unaddressed simply because it does not meet the statutory requirement of being in bulk. This enables spammers to misuse the law by marginally falling short of the threshold and still continuing to spam. The issue here is comparable to the one faced in setting age as bar to criminal culpability. No matter what, any number arrived at is likely to be arbitrary and consequently subject of criticism. A possible way to tackle this would be to strengthen the unsubscribe mechanisms by virtue of which individuals are able to, at the very least, stop receiving unsolicited mails. For the determination of threshold for State action and its feasibility, a much more detailed study is merited.

2. Consent Requirement

	Opt- out Model	Opt-in Model	Double Opt-in Model
Countries following the model	United States of America and Singapore	Canada, Australia and the United Kingdom	None at present.
When messages may be sent	At all times until recipient voluntarily opts out/unsubscribes.	Only after the recipient voluntarily opts-in/subscribes to receive messages by submitting his/her contact details to be part of a particular mailing list.	Only after the recipient responds in the affirmative to the confirmation mail sent by the sender on receiving an opt-in request from the recipient.
Specific requirements	1. The mail/message must bear a clear identifier of its content. E.g. marked as 'ADVT' for advertisements; 2. An 'unsubscribe' option must be provided in the message which may be utilized by the recipient to express his/her disinterest in the message; and 3. The message must conspicuously bear a valid physical postal address.	N/A	N/A
Advantages	Promotes commercial speech rights- Since the default position presumes the right to market, average collection rates are considerably higher as more emails can be sent to more people.	1. Reduction in unsolicited messages- Commercial messages are not sent until the recipient voluntarily consents to receiving such messages by submitting his/her contact information. 2. Availability of unsubscribe option- Even after a recipient voluntarily opts in, he/she still has the right to withdraw from such messages by unsubscribing.	1. Ensures people are entering their information correctly, which equals a cleaner list and lowers bounce rates. 2. Reduces the probability of spam complaints because subscribers have had to take the extra step to confirm their consent.
Disadvantages	1. This merely places the burden of reduction of spam on the recipients. 2. The functionality of the 'unsubscribe' link is itself questionable. Very often these links themselves are fraudulent. In such a case, the recipient is further harmed before any opting-out can even take place. 3. In the absence of any strict regulatory oversight, there exists no incentive for the senders to strictly address unsubscribe requests.	1. Consent may be obtained in fact but not in spirit through inconspicuous pre-ticked check boxes. 2. E-mail addresses may be added to a list by spambots. Where, the person 'opted-in' may not actually be the person opting in. 3. Errors may be made when entering emails; a typo may result in someone submitting an address that is not theirs. 4. Legitimate addresses may be added by someone who does not own the address.	1. Genuine subscribers may not understand clearly the confirmation process and fail to click the verification link. 2. Confirmation emails may get stuck in spam filters.

The comparison above highlights that the opt-out model as well as the opt-in model may leave loopholes. The opt-in model has been advocated for as the better model as compared to the opt-out model as it prohibits the sending of messages unless the recipient consents to receiving such messages. However, as pointed out above, in this model consent may be given by entities other than the owner of the contact details. In such a situation, a double opt-in model may be a viable option to contemplate as it is the only model where it can be ensured that only the addressee is enabled to successfully opt-in.[70]

Presently, the double opt-in model has not been adopted by any of the countries discussed in this paper. Nonetheless, it seems to have the potential to aid the fight against spam more effectively than the existing models. Its real efficacy however, shall be proven only on practical implementation.

3. Exceptions

a. Family and Personal Relationships

Under the CASL, an exception is made for 'personal relationships' and 'family relationship'. However, these terms are defined quite narrowly. For instance, family relationship is defined as 'a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication'.^[71] This implies that in a situation where an individual wants to send a message offering to sell something to an individual in his extended family, say his cousins, doing so without obtaining their consent first, would qualify his mail as spam under the CASL. This would become especially problematic in the Indian context where comparatively larger family structures prevail.

In the anti-spam legislations of the other four countries, no such exceptions are made. Quite obviously, these exceptions are of crucial significance and must be provided in any anti-spam legislation; however, it is important that they are defined in a manner such that their actual purpose i.e. of exclusion of familial and personal relationships from regulations applicable to spammers, is effectively achieved and the law does not become a creator for unnecessary litigation.

b. Transactional Messages

The term 'transactional messages' is used only under the CAN-SPAM Act of the USA. It basically covers messages sent when the recipient stands in an existing transactional relationship with the sender and the mail contains information specific to the recipient. It also includes employment relationships. In CASL, a similar exception is made under Section 6(6). The section is worded almost identically as the CAN-SPAM provision, though the term 'transactional messages' is not used. In the UK laws, messages for the purpose of direct marketing may be sent where the contact information of the recipient is received in the course of the sale or negotiations for the sale of a product or service to that recipient, thus implying an existing transactional relationship. One added proviso under the UK law is that the recipient must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use.[72]

An exception for transactional messages is essential to ensure freedom of commercial speech rights even while effectively tackling spam. In the formulation of a model law, a combination of the American and the English laws may be workable.

c. Governmental Messages

The Spam Act, 2003 of Australia makes an exemption for 'designated commercial electronic message (DCEM)'. This exemption is to avoid any unintended restriction on communication between the government and the community.^[73] In order to be a DCEM, a message must-

1. Be authorized by the government;

2. Contain purely factual information and any related comments of non-commercial nature; and

3. Contain some information as to the identity of the sender company/individual.

DCEMs need not always be sent by government bodies and may also be sent by third parties authorized by the government.^[74] Such messages are exempt from the consent requirement as well as the unsubscribe option requirement but must comply with the identifier requirement. However, where government bodies are operating in a competitive environment, the provisions of the act would apply normally to them.^[75]

Similarly, Singapore's Spam Control Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in public interest or in the interests of public security or national defence.

These exemptions are essential in order to enable free communication of important information between the government and the citizens. The Singaporean wording of the exception is rather broad and would give the government immense space for misusing the law. Such a wording might be more effective if supplemented with the Australian proviso wherein governmental communications operating in a competitive environment are excluded.

4. Penalties

a. Penalties must be higher than benefit from spamming

If the penalty prescribed itself is too low, such that loss suffered from paying penalties is lower than net benefit from spamming, the spammer is not sufficiently deterred. Four out of the five countries analyzed in this paper prescribe only civil penalties in the form of fines for spamming. Recently, a Facebook spammer was found to have made a profit of $200 million in a year.[76] For instance, as noted above, the Australian law sets a limit for penalty at $1 million. Thus, such a penalty would constitute a small fraction of the profit from spamming and would not deter a spammer.

b. High penalty does not imply effective deterrence where probability of prosecution is low.

The CAN-SPAM Act prescribes the harshest penalties including both civil as well as criminal penalties. However, it has been rather ineffective in reducing spam. This is for the reason that this Act is more about how to spam legally than anything else. It is more like- ' you can spam but do not use false headers.'[77] As a consequence, unintentional spam from ignorant commercial establishments has reduced. However, due to easy compliance standards, the 'real' spammers still go undetected to a large extent.[78] Thus, even moderate penalties may serve as good deterrents where the probability of prosecution is high.

c. Effective enforcement is the key to effective deterrence.

The cornerstone of an effective spam law is effective enforcement. Penalties must be enforced in a manner that the cost of punishment is always higher than the benefit from spamming and the probability of conviction is high. In order to implement legislative measures effectively, governments should also undertake an information campaign on spam issues targeting users, business communities, private sector groups and other stakeholders as the one primary reason for sustenance of spam is the response received from certain recipients. Such supplementary activities would also facilitate the preservation of commercial rights as excessive penalties could inhibit regular commercial activities.

CONCLUSION

The observations made in this paper are crucial to the formulation of a model anti-spam law for India. The most important part of any ant-spam legislation would be the definition of 'spam' which, as established above, must be technologically neutral in order to be able to address as much unsolicited communication as possible. On the question of consent, a double opt-in is what this paper would propose. This model has been contemplated and recommended by academic and policy researchers as a possibly more effective consent model for spam laws; however, it has not been codified as a legal regime till date. It could be a rather groundbreaking approach that India could adopt as this clearly is the only model where 'opting-in' is realized in fact and in spirit. Further, exceptions are necessary in order to prevent the abuse of laws making certain such exceptions do not suffer from inclusive or exclusion errors. A combination of the exceptions under the Australian and the American laws seems ideal at this stage of research. In terms of penalty, this paper observed that only prescribing harsh penalties is not sufficient to effectively deter spammers but efficient modes of enforcement have to be formulated to ensure actual deterrence. Lastly, while a well-drafted national anti-spam legislation is clearly the need of the hour for India; additional steps have to be taken towards sensitizing citizens to the fact that the problem of spam is real and a costly threat to the communications infrastructure of the country and combat has to begin at the individual level.

[1] CAN-SPAM Act, § 7706(f) (7).

[2] Spam Act, 2003, § 7

[3] Spam Control Act, 2007, § 7(2)

[4] Canada's Anti-Spam Legislation, 2014, § 6.

[5] Canada's Anti-Spam Legislation, 2014, § 12.

[6] 15 U.S.C. § 7701 (2003).

[7] CAN-SPAM Act, Section 3 (2)(A)

[8] Spam Act, 2003, § 6

[9] Spam Control Act, 2007, § 5(1)

[10] Canada's Anti-Spam Legislation, 2014, § 6

[11] Canada's Anti-Spam Legislation, 2014, § 1(1)

[12] Regulation 19, EC Directives, 2003

[13] Regulation 20, EC Directives, 2003

[14] Regulation 21, EC Directives, 2003

[15] Regulation 22, EC Directives, 2003

[16] Section 11, Data Protection Act, 1998

[17] CAN-SPAM Act, Section 5(5)

[18] Spam Act, 2003, § 16(2)

[19] Spam Act, 2003, Schedule 2 (2)

[20] Spam Control Act, 2007 Section 11, Schedule 2(2)

[21] Canada's Anti-Spam Legislation, 2014, Section 6

[22] CAN-SPAM Act, 2003, Section 5(d)

[23] Spam Control Act, 2007, Schedule 2, 3(1), Section 11

[24] Chapter 47 of title 18, U.S.C., § 1037, inserted through an amendment by the CAN-SPAM Act, § 4(a) (1); '§ 5(A)(1).

[25] Spam Control Act, 2007, '§ 9

[26] Spam Control Act, 2007, '§ 2

[27] Spam Control Act, 2007, '§ 2

[28] Canada's Anti-Spam Legislation, 2014, § 7

[29] Canada's Anti-Spam Legislation, 2014, § 8

[30] CAN-SPAM Act, 2003, § 3(16)(A)

[31] Spam Act, 2003, Section 16(1), Section 8

[32] Spam Control Act, 2007, § 2

[33] Spam Control Act, 2007, § 12

[34] CAN-SPAM Act, 2003, § 7(a)(c)(d)

[35] CAN-SPAM Act, 2003, § 7(f)

[36] CAN-SPAM Act, 2003, § 7(g)

[37] MySpace, Inc. v. The Globe.com, Inc., 2007 WL 1686966 (C.D. Cal., Feb. 27, 2007)

[38] Spam Act, 2003, § 26(1)

[39] Spam Control Act, 2007, § 13

[40] Canada's Anti-Spam Legislation, § 47

[41] Regulation 30(1), EC Directives, 2003

[42] CAN-SPAM Act, 2003, § 3(2)(B)

[43] Spam Act, 2003, Schedule 1, § 2

[44] Spam Act, 2003, Schedule 1, § 3

[45] Spam Control Act, 2007, § 7(3)

[46] Spam Control Act, 2007, First Schedule Clause (1)

[47] Spam Control Act, 2007, First Schedule Clause (2)

[48] Canada's Anti-Spam Legislation, § 6(5a)

[49] Canada's Anti-Spam Legislation, § 6(5b)

[50] Canada's Anti-Spam Legislation, § 6(6)

[51] Canada's Anti-Spam Legislation, § 7

[52] Canada's Anti-Spam Legislation, § 8

[53]Section 22(3), EC Directives, 2003

[54] CAN-SPAM Act, § 7 (f)(3)(A).

[55] CAN-SPAM Act, § 4 (b)

[56] CAN-SPAM Act, § 4 (c)

[57] Spam Act, 2003, Sections 24, 25

[58] Spam Control Act, 2007, § 14

[59] Spam Control Act, 2007, § 15

[60] Canada's Anti-Spam Legislation, 2014, § 20(2)

[61] Canada's Anti-Spam Legislation, 2014, § 20(4)

[62] Regulation 30(1), EC Directive, 2003

[63] Regulations 31-32, EC Directive, 2003

[64] Section 47 and 60, Data Protection Act, 1998

[65] Spam and Phishing Statistics Report Q1-2014, Kaspersky Lab

http://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q1-2014#.VVQxNndqN5I (last accessed 29^th May, 2015)

[66] Snow and Jayakar, Krishna, Can We Can Spam? A Comparison of National Spam Regulations, August 15, 2013. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy.

[67] Justin Rao and David Reiley, The Economics of Spam, Vol. 26, No. 3 The Journal of Economic Perspectives (2012), p. 104.

[68] Supra n. 66; p. 7

[69] Refer Table in Section 1.

[70] Dr. Ralph F. Wilson, Spam, Spam Bots, and Double Opt-in E-mail Lists, April 21, 2010; available at http://webmarketingtoday.com/articles/wilson-double-optin/ (last accessed 29^th May 2015).

[71] Section 2(a), Electronic Commerce Protection Regulations, http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html (last accessed 29^th May 2015)

[72] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[73] Spam Act 2003- A Practical Guide for Government, Australian Communications Authority, available at- http://www.acma.gov.au/webwr/consumer_info/spam/spam_act_pracguide_govt.pdf (last accessed 29^th May 2015)

[74] Ibid

[75] Id

[76] Charles Arthur, Facebook spammers make $200m just posting links, researchers say, The Guardian, 28^th August 2013, http://www.theguardian.com/technology/2013/aug/28/facebook-spam-202-million-italian-research (last accessed 29^th May, 2015)

[77] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[78] Carolyn Duffy Marsan, CAN-SPAM: What went wrong?, 6^th October 2008, available at

http://www.networkworld.com/article/2276180/security/can-spam--what-went-wrong-.html (last accessed 29^th May, 2015)

For more details visit https://cis-india.org/internet-governance/blog/anti-spam-laws-in-different-jurisdictions

'IRCTC’s Aadhaar play can violate SC order and derail National Security'

praskrishna — 2015-07-07T15:10:08Z

Your online railway bookings are going to become a wee bit more difficult if they aren’t already so.

The blog entry by Shubhra Rishi was published by CIO.IN on July 1, 2015. Sunil Abraham gave his inputs.

That is, if the IRCTC makes Aadhaar card compulsory during the registration process for e-ticketing. The move, according to a recent announcement by IRCTC, will ensure that users registering on the IRCTC website are properly identified of their identity and address through the Aadhaar card number verification.

So in case, you already have an Aadhaar card, then you need not worry. For those who don't have it yet or are reluctant to apply for it, are in for a tough time.

According to Sandip Dutta, public relations officer at IRCTC, the plan, although still in the preliminary state, is to make Aadhaar compulsory which will prevent touts from further exploiting the e-ticketing platform.

IRCTC which already has around three crore registered users, adds 15,000 new registrations every day. Just to give you the scale of an IRCTC website, a 15-minute tatkal window has about 1,000,000 people trying to log on to the IRCTC website. This means a new user won't be able to book a railway ticket on the IRCTC site until he owns an Aadhaar card.

Also Read: Indian CISO don’t trust UID with their data

"This is a complete overkill and will only result in harassment of an ordinary citizen," says Sunil Abraham, executive director at The Centre for Internet & Society. "Aadhaar, he says, should be used to prevent politicians and bureaucrats from engaging in big-ticket fraud or whole-sale corruption. It should be used to make the state more accountable to citizens and not the other way around. It is unfortunate that techno-utopians are using biometric technology to fight retail corruption or small-ticket fraud.

If IRCTC makes Aadhaar mandatory for user registrations, they will be in direct violation of the Supreme Court's interim order of September 23, 2013 where it has ordered that no person should suffer for not getting the Aadhaar card in spite of the authority making it mandatory, since government says it is voluntary.

On March 24, 2014 again, the Supreme Court reiterated its earlier order of 2013 and directed all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an Aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.

According to cyber law expert and Supreme Court Lawyer, Pavan Duggal, till the time Aadhaar has been brought to a legislative sanctity, no government agency must make it compulsory and if they do so, they will be in gross violation of the order and will be held for contempt of court. "The National Identification Authority of India Bill that intends to give statutory backing to UIDAI (introduced in Rajya Sabha in 2010) is yet to be passed by the Parliament. Aadhaar is also non-compliant with the Information Technology Act 2000," says Duggal. Aadhaar, he says, is the unwanted child that hasn't proven legitimacy yet.

The illegitimacy, which continues to prevail due to several anomalies in the UIDAI’s Aadhaar allotment process. In March this year, about 20 million people enrolled in Delhi for an Aadhaar identification number, according to Census. However, the UIDAI generated about 17.7 million unique numbers in Delhi, about a million more than the city population.

In another incident, Aadhaar numbers were assigned to adult residents in 13 of the country's 36 states, and union territories surpassed their respective population as per 2011 census figures. However, the UIDAI blames that ‘gaps’ in census evaluation may have resulted in inaccuracy of the population data.

There have also been bizarre instances in the past where some Aadhaar cards displayed pictures of an empty chair, a tree, and a dog instead of the actual applicant.

So how does it aid unscrupulous elements in misusing the flaws of the Aadhaar card system?

To start with, Aadhaar captures biometrics of a user, which is neither permanent nor immovable, says Dr. Anupam Saraph, innovator, professor and an advisor in governance, informatics and strategic planning.

"Biometrics change during the life of a person, sometimes even within a year, or without warning. Biometrics can be easily stolen, replicated or misused as has been demonstrated by instances of fingerprints and iris scans of high profile targets being hacked. The enrollment agencies that have captured the biometric have the entire demographic and biometric database in their possession and as such it can be misused or stolen. Once the biometric fails or is stolen, all the functions that have crept to link access to the biometric are denied with little or no recourse to the victim," says Saraph.

“Another benign scenario may be large scale fake bookings to make tickets pricier, the malignant scenario will be entire trains used to transfer armies of anti-nationals and terrorists. Therefore, the Railway Minister must rise to cancel any such plans," says Saraph, and the Home Minister and Defence Minister must immediately scrap the linkage of Aadhaar to any database, require that the entire UID is destroyed as was done in the UK. “This kind of compromise requires the initiation of a time-bound judicial probe by a retired CAG and Supreme Court Judge supported by the CBI to investigate the exposure of the country to serious threats to national security due to UID,” he says.

And therefore, the bigger question isn't whether Aadhaar should be made compulsory or not, but whether it is a foolproof method to validate someone's identity. If it isn’t, then why is IRCTC playing the Aadhaar card?

For more details visit https://cis-india.org/internet-governance/news/cio-july-1-2015-irctc-aadhaar-play-can-violate-sc-order-and-derail-national-security

CIS Cybersecurity Series (Part 24) – Shantanu Ghosh

purba — 2015-07-15T14:58:50Z

CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.

“Remember that India is also a land where there are a lot of people who are beginning to use computing devices for the first time in their lives. For many people, their smartphone is their first computing device because they have never had computers in the past. For them, the challenge is how do you make sure that they understand that that can be a threat too. It can be a threat not only to their bank accounts, with their financial information, but even to their private lives.”

Centre for Internet and Society presents its twenty fourth installment of the CIS Cybersecurity Series.”

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Shantanu Ghosh is the Managing Director of Symantec Product Operations, India. He also runs the Data Centre Security Group for Symantec globally.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh

A Dissent Note to the Expert Committee for DNA Profiling

elonnai — 2016-07-21T11:01:44Z

The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectively dissents from the January 2015 draft of the Bill.

Click for DNA Bill Functions, DNA List of Offences, and CIS Note on DNA Bill. A modified version was published by Citizen Matters Bangalore on July 28.

Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:

The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.

The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In the current form the DNA Bill provides for collection of DNA for the following non forensic purposes:

Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.
Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.
Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.
Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children.

While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:

Over delegation of powers to the board: The DNA Board currently has vast powers as delegated by Section 12 including:
“authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.”

Section 65 gives the Board the power to make regulations for a number purposes including: “other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases lists in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.

Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that “no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.”

The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability.
Key terms undefined: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”

The term’ DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database.
Low standards for sharing of information: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.

The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision isvague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For eg. the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.
Missing privacy safeguards: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards.

In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.

For more details visit https://cis-india.org/internet-governance/blog/dna-dissent

7th Best Practices Meet 2015

praskrishna — 2015-07-17T13:11:20Z

Data Security Council of India (DSCI) organized the 7th edition of its Best Practices Meet (BPM) from July 9 - 10, 2015 at Hotel ITC Gardenia in Bengaluru. BPM2015 had “Architecting Security for Digital Transformation” as its theme. Sunil Abraham and Elonnai Hickok were speakers at this event.

The two-day deliberations, reflected on policy, endeavours at national and industry levels, proposed industry steps, market response, best practices, industry standards and technology designs and see how they play their roles in architecting of information systems and enterprise security within organizations. Sunil Abraham was a panelist in the session "Architecting Security for transformation to Digital India". Elonnai Hickok was a panelist in the session "Steering privacy in the age of extreme innovation technology & business models."

See the Agenda

For more details visit https://cis-india.org/internet-governance/news/best-practices-meet-2015

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

elonnai — 2015-08-11T07:01:12Z

Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.

Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.

Below is an initial evaluation of how Big Data could impact India's current data protection standards.

India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000[1] define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as "Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."

The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.

Definition of personal and sensitive personal data: Rule 2(i) defines personal information as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

Password,
Financial information,
Physical/physiological/mental health condition,
Sexual orientation,
Medical records and history,
Biometric information

The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.

The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.

By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.

Consent: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Notice of Collection: Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.

Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.

Access and correction: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.

This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.

Purpose Limitation: Rule 5(5) requires that body corporate should use information only of the purpose which it has been collected.

In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.

Security: Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.

This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.

Data Breach : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.

Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.

Opt in and out and ability to withdraw consent : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.

The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.

Disclosure of Information: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.

This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.

Privacy Policy : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.

In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.

Remedy : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.

This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.

The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.[2] Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.

Conclusion

The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities[3], city wide CCTV networks with facial recognition capabilities[4], and the implementation of an identity/authentication platform for public and private services[5], are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.

In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?

How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.

[1]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[2]Group of Experts on Privacy. (2012). Report of the Group of Experts on Privacy. New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[3] NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25^th 2015, Available at: http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857. Accessed: July 2^nd 2015.

[4]FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21^st 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/

[5]UIDAI Official Website. Available at: https://uidai.gov.in/

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011

Right to Privacy in Peril

vipul — 2015-08-13T15:32:18Z

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Adhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so, and since in this case it appears that the same was not done therefore the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.

[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitutionand therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that while the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner) while the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, however they held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it may be interfered with by the State through procedure established by law and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/right-to-privacy-in-peril