The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
Summary of the CIS workshop on the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012
<b>On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Think you control who has access to your DNA data? That might just be a myth of the past. Clearly, things have changed: over the last few years, draft Bills with the objective of creating state, regional and national DNA databases in India have been leaked. Plans to profile certain residents in India are being unravelled as, apparently, the new policy for collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!</p>
<p>Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill [1], with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill, created by the Department of Biotechnology, was leaked. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India [2]. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.</p>
<p>However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards, and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and, although regulations should be enacted to prevent data breaches, the current Bill raises major concerns with regard to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…</p>
<h2><b>DNA databases...and Justice for All?</b></h2>
<p><img src="http://farm8.staticflickr.com/7197/6959954129_fefd0f928a.jpg" /></p>
<p class="italized">Source: <a href="http://www.flickr.com/photos/libertasacademica/">Libertas Academica</a> on flickr</p>
<p class="italized">During the workshop [3] on the 2012 draft Human DNA Profiling Bill, DNA [4] was defined as a material that determines a person´s hereditary traits, whilst DNA profiling [5] was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear, and the implications of profiling it could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but also to be extremely vague in terms of protecting data, whilst very deterministic with regard to the DNA Profiling Board´s power. A central question in the meeting was:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p>The following concerns were raised and discussed during the workshop:</p>
<h3>● The myth of the infallibility of DNA evidence</h3>
<p>The Innocence Project [6], which was presented at the workshop, appears to make a case for the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments for the necessity and utility of creating DNA databases in India appear to be weak, especially since DNA evidence is <i>not</i> infallible [7].</p>
<p>False matches can occur depending on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicates the weakness of DNA evidence. DNA data only provides <i>probabilities</i> of potential matches between DNA profiles, and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles [8].</p>
<h3>● <b>The non-criteria of DNA data collection</b></h3>
<p>How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that <i>all</i> offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under <i>´any other law as may be specified by the regulations made by the Board´</i>. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.</p>
<h3>● <b>The DNA Profiling Board´s power</b></h3>
<p>The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses [9]. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.</p>
<p><b>No human rights experts</b></p>
<p>Despite the various amendments [10] to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be composed of many molecular biologists and other scientists, while human rights experts have not been included in the list. This is potentially problematic, as a lack of expertise in privacy and human rights law can lead to the regulation of DNA databases without taking civil liberties into consideration.</p>
<p><b>Vague authorisation for communication of DNA profiles</b></p>
<p>The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for <i>civil proceedings</i> and for crime investigation by law enforcement and <i>other agencies</i>´ [11]. Although the 2007 Bill [12] restricted the Board´s authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´ [13]. This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.</p>
<p><b>Protecting the public</b></p>
<p>The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´ [14]. Over the last few years, laws have been enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety remains a matter of debate [15]. It has not been adequately shown that DNA techniques would effectively protect the public, so it remains unclear how the Board would assist law enforcement agencies.</p>
<p><b>Sharing data with international agencies…and regulating DNA laboratories</b></p>
<p>In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies [16]. This would potentially enable the sharing of DNA data between third parties and would increase the probability of data being leaked to unauthorised third parties.</p>
<p>The Board would <i>also</i> be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories [17]. The draft 2012 Bill ultimately gives <i>monopolistic control</i> to the DNA Profiling Board over <i>all</i> the procedures related to the handling of DNA data!</p>
<h3>● <b>The DNA Data Bank Manager</b></h3>
<p>According to the 2012 draft Human DNA Profiling Bill [18], it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. These operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<p>The Bill also empowers the Manager to determine appropriate instances for the communication of information [19]. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager without prior authorisation. The DNA Data Bank Manager is empowered to decide whether to disclose the requested data.</p>
<h3>● DNA access restrictions</h3>
<p>Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill [20] states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.</p>
<h3>● Availability of DNA profiles and DNA samples</h3>
<p>According to the amended draft 2012 Bill [21], DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a <i>population statistics database</i>´. This is controversial because it remains unclear how such a database would be used.</p>
<h3>● Data destruction</h3>
<p>According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.</p>
<h2>Workshop conclusions</h2>
<p><img src="http://farm4.staticflickr.com/3235/3080247531_bf04a5cbe5.jpg" /></p>
<p>Source: <a href="http://www.flickr.com/photos/micahb37/">micahb37</a> on flickr</p>
<p>The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.</p>
<p>During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases with regard to human rights was recommended. In addition, it was recommended that the Ministry of Law and Justice pilot the draft DNA Profiling Bill to ensure better provisions with regard to privacy and data protection.</p>
<p>The use of DNA data in civil cases versus criminal cases was debated at length in the workshop, with concerns raised about DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally specified raised huge concerns in the workshop, as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.</p>
<p>However, even if separate Bills were created, who is to say that, once they were implemented, the DNA data in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<hr align="left" size="1" width="33%" />
<p>[1] Draft DNA Profiling Bill 2007, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p>[2] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012,</p>
<p>[3] Centre for Internet and Society, <i>Analyzing the Draft Human DNA Profiling Bill 2012</i>, 25 February 2013, <a href="https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill">http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill</a></p>
<p>[4] Genetics Home Reference: Your Guide to Understanding Genetic Conditions, <i>What is DNA?</i>, <a href="http://ghr.nlm.nih.gov/handbook/basics/dna">http://ghr.nlm.nih.gov/handbook/basics/dna</a></p>
<p>[5] Shanna Freeman, <i>How DNA profiling Works</i>, <a href="http://science.howstuffworks.com/dna-profiling.htm">http://science.howstuffworks.com/dna-profiling.htm</a></p>
<p>[6] Innocence Project, <i>DNA exoneree case profiles</i>, <a href="http://www.innocenceproject.org/know/">http://www.innocenceproject.org/know/</a></p>
<p>[7] Australian Law Reform Commission (ALRC), <i>Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96)</i>, ´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, <a href="http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence">http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence</a></p>
<p>[8] Ibid.</p>
<p>[9] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[10] Ibid: Section 4(q)</p>
<p>[11] Ibid: Section 12(j)</p>
<p>[12] Draft DNA Profiling Bill 2007, Section 13, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p>[13] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(j), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[14] Ibid: Section 12(l)</p>
<p>[15] Schneier, B. (2008), <i>Schneier on Security</i>, ´CCTV cameras´, <a href="http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html">http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html</a></p>
<p>[16] Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Sections 12(u) and 12(v), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p>[17] Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´</p>
<p>[18] Ibid: Section 33</p>
<p>[19] Ibid: Section 35</p>
<p>[20] Ibid: Section 43</p>
<p>[21] Ibid: Section 40</p>
No publisher | maria | Workshop | Internet Governance | SAFEGUARDS | 2013-07-12T15:33:25Z | Blog Entry
Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011
<b>Bhairav Acharya, on behalf of the Centre for Internet and Society, submitted the following comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span>Preliminary</span></b></p>
<p style="text-align: justify; ">1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“<b>CIS</b>”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“<b>Cyber Café Rules</b>”).</p>
<p style="text-align: justify; ">1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21<sup>st</sup> Report, the Committee on Subordinate Legislation presciently noted that:</p>
<p style="text-align: justify; padding-left: 30px; ">“…<i>statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.</i>” [See the 21<sup>st</sup> Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]</p>
<p style="text-align: justify; ">Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:</p>
<p><b>II <span>Validity of the Cyber Cafe Rules</span></b></p>
<p style="text-align: justify; ">2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:</p>
<p>“<i>the guidelines to be observed by the intermediaries under sub-section (2) of section 79</i>”</p>
<p>Sections 79 (1) and (2) state:</p>
<p>“<b><i>79. Exemption from liability of intermediary in certain cases. –</i></b><i> (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for <span>any third party information, data, or communication link made available or hosted by him</span>. </i></p>
<p><i>(2) The provisions of sub-section (1) shall apply if— </i></p>
<p><i>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or</i></p>
<p><i>(b) the intermediary does not— </i></p>
<p><i>(i) initiate the transmission, </i></p>
<p><i>(ii) select the receiver of the transmission, and </i></p>
<p><i>(iii) select or modify the information contained in the transmission; </i></p>
<p><i>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes <span>such other guidelines as the Central Government may prescribe in this behalf</span>.</i>”</p>
<p style="text-align: justify; ">2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “<i>any third party information, data, or communication link made available or hosted</i>” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. 
<b>To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are <i>ultra vires</i> the IT Act.</b></p>
<p style="text-align: justify; "><b>III Clause-by-Clause Analysis and Comments</b><span> </span></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span><b> </b></p>
<p style="text-align: justify; ">3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:</p>
<p style="text-align: justify; ">“<i>“cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public</i>”</p>
<p style="text-align: justify; ">This definition of a cyber cafe is so overbroad as to bring within its ambit any establishment that offers internet access in the course of its business, such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to relate only to commercial establishments that primarily offer internet access to the general public for a fee.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”</p>
<p style="text-align: justify; ">3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.</p>
<p><b>Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.</p>
<p><b>Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p><span>Rule 3 - Agency for Registration of Cyber Cafes</span></p>
<p>4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, reads as follows:</p>
<p style="text-align: justify; ">“<b><i>3. Agency for registration of cyber cafe. –</i></b><i> (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include: </i></p>
<p><i>(i) name of establishment; </i></p>
<p><i>(ii) address with contact details including email address; </i></p>
<p><i>(iii) whether individual or partnership or sole proprietorship or society or company; </i></p>
<p><i>(iv) date of incorporation; </i></p>
<p><i>(v) name of owner/partner/proprietor/director; </i></p>
<p><i>(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and </i></p>
<p><i>(vii) type of service to be provided from cyber cafe </i></p>
<p style="text-align: justify; "><i>Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency. </i></p>
<p style="text-align: justify; "><i>(2) The details of registration of cyber cafe shall be published on the website of the registration agency. </i></p>
<p style="text-align: justify; "><i>(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line. </i></p>
<p style="text-align: justify; "><i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">CIS raises two unrelated and substantial objections to this provision: <span>firstly</span>, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, <span>secondly</span>, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.</p>
<p style="text-align: justify; ">4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.</p>
<p style="text-align: justify; ">Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicles for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:</p>
<p style="text-align: justify; ">“<b><i>5. Registration of establishment. –</i></b><i> (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing </i></p>
<p><i>(a) the name of the employer and the manager, if any; </i></p>
<p><i>(b) the postal address of the establishment; </i></p>
<p><i>(c) the name, if any, of the establishment, </i></p>
<p style="text-align: justify; "><i>(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment; </i></p>
<p><i>(e) the number of employees working about the business of the establishment; and </i></p>
<p><i>(f) such other particulars as may be prescribed. </i></p>
<p style="text-align: justify; "><i>(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier. </i></p>
<p style="text-align: justify; "><i>(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect. </i></p>
<p style="text-align: justify; "><i>(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act. </i></p>
<p style="text-align: justify; "><i>(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).</i>”</p>
<p style="text-align: justify; ">Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.</p>
<p style="text-align: justify; ">4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, <span>all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts</span> as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.</p>
<p style="text-align: justify; ">In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.</p>
<p style="text-align: justify; ">4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules is very poorly drafted and does not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises and hinders economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.</p>
<p style="text-align: justify; ">4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:</p>
<p style="text-align: justify; ">“<i>(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.</i>”</p>
<p style="text-align: justify; ">This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, <i>prima facie</i> violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 4 - Identification of User</span><b> </b></p>
<p style="text-align: justify; ">5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:</p>
<p>“<i>(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identity by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:</i></p>
<p><i>(i) Identity card issued by any School or College; or </i></p>
<p><i>(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or </i></p>
<p><i>(iii) Passport; or </i></p>
<p><i>(iv) Voter Identity Card; or </i></p>
<p><i>(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or </i></p>
<p><i>(vi) Photo Identity Card issued by the employer or any Government Agency; or </i></p>
<p><i>(vi) Driving License issued by the Appropriate Government; or </i></p>
<p><i>(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).</i>”</p>
<p style="text-align: justify; ">The use of credit cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.</b></p>
<p class="DefaultCxSpFirst">5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:</p>
<p>“<i>The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.</i>”</p>
<p style="text-align: justify; ">While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
<p><b>Therefore, it is proposed that rule 4(2) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”</p>
<p>5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:</p>
<p style="text-align: justify; ">“<i>(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.</i>”</p>
<p style="text-align: justify; ">Since the identity documents listed in rule 4(1) all contain a photograph of their owner, further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs – and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.4 Sub-rule (4) of rule 4 reads as follows:</p>
<p>“<i>(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).</i>”</p>
<p style="text-align: justify; ">Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.</p>
<p><b>Therefore, it is proposed that rule 4(4) be amended to read as follows:</b></p>
<p style="text-align: justify; ">“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”</p>
<p style="text-align: justify; ">5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “<i>shall be allowed to enter the cyber cafe after he has established his identity</i>.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “<i>allow[ing] any user to use its computer resource without the identity of the user being established</i>,” this rule 4(5) is redundant.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.</b></p>
<p>5.6 Rule 4(6) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.</i>”</p>
<p style="text-align: justify; ">This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.</p>
<p><b>Therefore, it is proposed that rule 4(6) be deleted.</b></p>
<p><span>Rule 5 - Log Register</span></p>
<p>6.1 Rule 5(3) of the Cyber Cafe Rules states:</p>
<p style="text-align: justify; ">“<i>(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.</i>”</p>
<p style="text-align: justify; ">This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.</p>
<p style="text-align: justify; "><b>Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><span>Rule 7<b> - </b>Inspection of Cyber Cafe</span></p>
<p>7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:</p>
<p style="text-align: justify; ">“<i>An officer authorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.</i>”</p>
<p style="text-align: justify; ">The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.</p>
<p><b>Therefore, it is proposed that rule 7 be deleted.</b></p>
<p><b>IV <span>Summary</span></b></p>
<p>8.1 In sum:</p>
<p style="text-align: justify; ">(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are <i>ultra vires</i> the parent statute;</p>
<p style="text-align: justify; ">(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:</p>
<ul>
<li>Rule 2(1)(c);</li>
<li>Rule 2(1)(e);</li>
<li>Rule 2(1)(g);</li>
<li>Rule 3(1);</li>
<li>Rule 3(4);</li>
<li>Rule 4(1);</li>
<li>Rule 4(2);</li>
<li>Rule 4(3);</li>
<li>Rule 4(4);</li>
<li>Rule 4(5);</li>
<li>Rule 4(6);</li>
<li>Rule 5(3); and</li>
<li>Rule 7.</li>
</ul>
<p style="text-align: justify; ">(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.</p>
<p style="text-align: justify; ">8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-guidelines-for-cyber-cafe-rules-2011</a>
</p>
No publisher | bhairav | Internet Governance | SAFEGUARDS | 2013-07-12T12:15:30Z | Blog Entry
Data Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regard to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportionate to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information lies not in the retention of data, but in who accesses the data and how it is used. Others argue that any blanket or <i>a priori</i> data retention requirements are increasingly becoming disproportionate and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard access is being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention of, and lower access standards for, metadata are controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2]</a> Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and up to two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference is that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:</p>
<ul>
<li style="text-align: justify; "><b>Users and Services:</b> A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority (Section 34.12).</li>
<li style="text-align: justify; "><b>Outward Logins or Telnet:</b> A log of every outward login or telnet through an ISP's computer must be available in real time to the Telecom Authority (Section 34.12).</li>
<li style="text-align: justify; "><b>Packets:</b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority (Section 34.12).</li>
<li style="text-align: justify; "><b>Subscribers:</b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time (Section 34.12).</li>
<li style="text-align: justify; "><b>Internet Leased Line Customers:</b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
<li style="text-align: justify; "><b>Diagram Records and Reasons:</b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; "><b>Commercial Records:</b> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</li>
<li style="text-align: justify; "><b>Location:</b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x)).</li>
<li style="text-align: justify; "><b>Remote Activities:</b> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28(xv)).</li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License,<a href="#fn8" name="fr8">[8]</a> there are twelve categories of records that ISPs are required to retain that pertain to customer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept.</p>
<p style="text-align: justify; ">According to the license, service providers must maintain and make available:</p>
<ul>
<li style="text-align: justify; "><b>Numbers:</b> Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</li>
<li style="text-align: justify; "><b>Interception records:</b> Time, date and duration of interception when required (Section 41.10).</li>
<li style="text-align: justify; "><b>Location:</b> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</li>
<li style="text-align: justify; "><b>All call records:</b> All call data records handled by the system when required (Section 41.10). This includes:
<ol>
<li><b>Failed call records:</b> Call data records of failed call attempts when required (Section 41.10).</li>
<li><b>Roaming subscriber records:</b> Call data records of roaming subscribers when required (Section 41.10).</li>
</ol></li>
<li style="text-align: justify; "><b>Commercial records:</b> All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</li>
<li style="text-align: justify; "><b>Outgoing call records:</b> A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</li>
<li style="text-align: justify; "><b>Calling line Identification:</b> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19(iv)).</li>
<li style="text-align: justify; "><b>Location:</b> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</li>
<li style="text-align: justify; "><b>Remote access activities:</b> Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section 41.20(xv)).</li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to their respective data retention practices: </span></p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<ol type="1">
<li style="text-align: justify; "><span>IP session information - connection start and end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least () types of information including:</p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information for longer than the time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This may or may not be the actual case, as each question could have been interpreted differently by the responding officer.</span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. Whether Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy, as it is not possible for law enforcement to track individuals based on their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors are also relevant, such as:</span></p>
<ul>
<li><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated</span></li>
<li><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
<li><span>Any accessed or preserved records that do not pertain to an investigation must be deleted</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. These factors can be applied not only to a data preservation regime but also to a data retention regime, and are focused on preventing the actual abuse of data after it is retained. That said, before an argument for either data retention or data preservation can be made for India, it is important to understand more about data retention practices in India, the use of retained data by Indian law enforcement, and the access controls in place. </span></p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr2" name="fn2">2</a>]. Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United States' Data Preservation Laws: Finding the Better Model. 5 Shidler J.L. Com. & Tech. 13 (2009). Available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T15:51:13Z | Blog Entry
A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications
<b>This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently, seek to establish an international standard for surveillance of communications in the context of human rights. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: <a class="external-link" href="http://necessaryandproportionate.net/">http://necessaryandproportionate.net/</a></p>
<p>The Principles:</p>
<p style="text-align: justify; "><b>1. </b><b>Principle - Legality</b><b>:</b><i> Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic powers of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.</p>
<ul>
<li><b>The Indian Telegraph Act, 1885</b>
<ul>
<li style="text-align: justify; "><i>The Indian Telegraph Amendment Rules 2007: </i>These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL)</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Internet Services</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
</ul>
</li>
<li><b>The Information Technology Act, 2000</b>
<ul>
<li style="text-align: justify; "><i>Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource. </li>
<li style="text-align: justify; "><i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.</li>
</ul>
</li>
</ul>
<p><b>2. </b><b>Principle - Legitimate Purpose</b>:<i> Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.</p>
<p style="text-align: justify; ">Below are the circumstances for which access is allowed by each Act, Rule, and License:</p>
<ul>
<li><b>The TA Rules 2007</b>: Interception is allowed in the following circumstances:
<ul>
<li>On the occurrence of any public emergency</li>
<li>In the interest of the public safety</li>
<li>In the interests of the sovereignty and integrity of India</li>
<li>The security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order</li>
<li>Preventing incitement to the commission of an offence</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>: Interception, monitoring, and decryption of communications is allowed in the following circumstances:
<ul>
<li>In the interest of the sovereignty or integrity of India</li>
<li>Defense of India</li>
<li>Security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order</li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above</li>
<li>For investigation of any offence</li>
</ul>
</li>
<li style="text-align: justify; "><b>ITA Monitoring of Traffic Data Rules:</b> Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security:
<ul>
<li>Forecasting of imminent cyber incidents</li>
<li>Monitoring network application with traffic data or information on computer resources</li>
<li>Identification and determination of viruses or computer contaminant</li>
<li>Tracking cyber security breaches or cyber security incidents</li>
<li>Tracking computer resource breaching cyber security or spreading viruses or computer contaminants</li>
<li style="text-align: justify; ">Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security.</li>
<li style="text-align: justify; ">Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.</li>
<li style="text-align: justify; ">Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.</li>
<li>Any other matter relating to cyber security.</li>
</ul>
</li>
<li><b>UASL License</b>: Assistance must be provided to the government for the following reasons and times:
<ul>
<li>Reasons defined in the Telegraph Act. <b>(Section 41.20 (xix))</b></li>
<li>National Security. <b>(Section 41.20 (xvii))</b></li>
<li style="text-align: justify; ">To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 41.1)</b></li>
<li style="text-align: justify; ">Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. <b>(Section 40.4)</b></li>
<li>In the interests of security. <b>(Section 41.7)</b></li>
<li>For security reasons. <b>(Section 41.20 (iii))</b></li>
</ul>
</li>
<li><b>ISP License: </b>Assistance must be provided to the government for the following reasons and times:
<ul>
<li>To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 34.1)</b></li>
<li>In the interests of security. <b>(Section 34.4)</b></li>
<li>For security reasons. <b>(Section 34.28 (iii))</b></li>
<li>Reasons defined in the Telegraph Act. <b>(Section 35.2)</b></li>
</ul>
</li>
</ul>
<p style="text-align: justify; "><b>3. </b><b>Principle - Necessity</b>: <i>Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation does not contain provisions mandating that access to communications must be demonstrably necessary, and does not give details of the criteria that authorizing authorities should use to determine if a request is valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA <i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules</i>, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.</p>
<p>Below are summaries of the relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>TA Rules 2007</b>: Any order for interception issued by the competent authority must contain reasons for the direction <b>(Section 2).</b> While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means <b>(Section 3).</b></li>
<li style="text-align: justify; "><b>ITA Interception and Monitoring Rules: </b>Any direction issued by the competent authority must contain reasons for such direction <b>(Section 7). </b>The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information by any other reasonable means <b>(Section 8).</b></li>
<li style="text-align: justify; "><b>ITA Traffic Monitoring Rules:</b> Any direction issued by the competent authority must contain reasons for the direction <b>(Section 3(3)).</b></li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b></li>
</ul>
<p><b>4. </b><b><i>Principle - Adequacy</i></b><i>:</i> <i>Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.</p>
<p style="text-align: justify; "><b>5. </b><b>Principle - Competent Authority</b>: <i>Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation it is required that directions for access be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.</p>
<p>Below are summaries of relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>The TA Rules 2007</b>: Under the Telegraph Act the authorizing authorities are:
<ul>
<li>The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level</li>
<li>The Secretary to the State Government in charge of the Home Department in the case of the State Government. </li>
<li>In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.</li>
<li>In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector General of Police. <b>(Section 1(2))</b>. </li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules: </b>Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
<ul>
<li>The Secretary in the Ministry of Home Affairs in case of the Central Government.</li>
<li>The Secretary in charge of the Home Department, in case of a State Government or Union Territory. </li>
<li>In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority. </li>
<li>In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the Inspector General of Police or an officer of equivalent rank at the State or Union territory level. <b>(Section 3)</b>.</li>
</ul>
</li>
<li><b>ITA Monitoring and Collecting Traffic Data Rules:</b> Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
<ul>
<li>The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology. <b>(Section 2(d))</b>.</li>
<li>An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. <b>(Section 9 (2))</b>. </li>
</ul>
</li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.</li>
</ul>
<p style="text-align: justify; "><b>6. </b><b>Principle - Proportionality</b>:<i> Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation. </i></p>
<p style="text-align: justify; "><b>Indian Legislation</b>: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA <i>Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA <i>Safeguards for Monitoring and Collecting Traffic Data or Information Rules</i>.</p>
<p style="text-align: justify; ">Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.</p>
<p>Below is a summary of the relevant provisions:</p>
<li><b>TA Rules 2007: </b>
<ul>
<li style="text-align: justify; ">Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. <b>(Section 19)</b>.</li>
<li style="text-align: justify; ">Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. <b>(Section 3)</b>.</li>
<li style="text-align: justify; ">The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. <b>(Section 4)</b>. </li>
<li style="text-align: justify; ">The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 6)</b>.</li>
<li><b> ITA Interception and Monitoring Rules:</b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 7)</b>.</li>
<li style="text-align: justify; ">The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. <b>(Section 8)</b>.</li>
<li style="text-align: justify; ">The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. <b>(Section 9)</b>. </li>
<li style="text-align: justify; ">The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 10)</b>.</li>
</ul>
</li>
<li><b>ITA Traffic and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 3(3))</b>.</li>
<li style="text-align: justify; ">Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. <b>(Section 8)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>7. </b><b>Principle - Due process</b>:<i> Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.</p>
<li><b> TA Rules 2007:</b>
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
<li><b>ITA Interception and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules:</b>
<ul>
<li style="text-align: justify; ">The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>8. </b><b>Principle - User notification</b>:<i> Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.</p>
<p style="text-align: justify; "><b>9. </b><b>Principle - Transparency about use of government surveillance</b>: <i>The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.</p>
<p style="text-align: justify; "><b>10. </b><b><i>Principle - Oversight</i></b><i>:</i> <i>An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)</i><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are requirements for a review committee to be established.<i> </i>The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li><b>TA Rules 2007</b>:
<ul>
<li style="text-align: justify; ">A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. <b>(Section 17)</b>. Any order issued by the competent authority must contain reasons for such directions and a copy must be forwarded to the concerned review committee within a period of seven working days. <b>(Section 2)</b>.</li>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 22)</b>. </li>
</ul>
</li>
<li><b>ITA Traffic Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 7)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>11. </b><b>Principles - Integrity of communications and systems</b>: <i>It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are a number of security measures that must be put in place, but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA<i> Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it is unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.</p>
<p>Relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007</b>: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service provider's licenses depending on the nature and scale of the violation. <b>(Section 20, 20A 21, 23).</b></li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules: </b>The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 20)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules</b>: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 5&6)</b>.</li>
<li style="text-align: justify; "><b>UASL License:</b> The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. <b>(Section 39.1, Section 39.2, Section 41.4)</b>.</li>
<li style="text-align: justify; "><b>ISP License:</b> The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. <b>(Section 32.1)</b> The ISP must take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business and will use its best endeavors to ensure that no information, except what is necessary, is divulged, and that no employee of the ISP seeks information other than what is necessary for the purpose of providing service to the third party. <b>(Section 32.2)</b> The ISP must also take necessary steps to ensure that any person acting on its behalf observes confidentiality of customer information. <b>(Section 32.3)</b>.</li>
<p>Provisions requiring the provision of facilities, assistance, and retention:</p>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction <b>(Section 13(2))</b>.</li>
<li style="text-align: justify; ">If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. <b>(Section 17)</b>. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. <b>(Section 4(7))</b>.</li>
</ul>
</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation and approval of the licensor. <b>(Section 39.1)</b>. </li>
<li style="text-align: justify; ">The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 41.11)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. <b>(Section 41.14)</b>. The database of subscribers must also be made available to the licensor or its representatives. <b>(Section 41.16)</b>.</li>
<li style="text-align: justify; ">The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. <b>(Section 41.17)</b>.</li>
<li style="text-align: justify; ">Calling Line Identification must be provided and the network should also support Malicious Call Identification.<b> (Section 41.18)</b>.</li>
<li style="text-align: justify; ">Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis <b>(Section 41.19)</b>.</li>
<li style="text-align: justify; ">Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. <b>(Section 41.19(iv))</b>.</li>
<li style="text-align: justify; ">The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. <b>(41.20 (ix))</b>.</li>
<li style="text-align: justify; ">On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. <b>(41.20 (x))</b></li>
<li style="text-align: justify; ">Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(41.20 (xiv))</b>. </li>
<li>A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. <b>(Section 41.20 (xv))</b>.</li>
<li>For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. <b>(Section 41.20 (xx))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups/organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipment higher than this limit is deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. <b>(Section 2.2(vii))</b>. </li>
<li style="text-align: justify; ">The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. <b>(Section 9.1)</b>.</li>
<li style="text-align: justify; ">The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. <b>(Section 30.1)</b>.</li>
<li style="text-align: justify; ">The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. <b>(Section 34.1)</b>.</li>
<li style="text-align: justify; ">In the interests of security, suitable monitoring equipment, as may be prescribed for each type of system used, will be provided by the licensee. <b>(Section 34.4)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. <b>(Section 34.6)</b>.</li>
<li style="text-align: justify; ">The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date, duration, time and charges of internet telephony calls. <b>(Section 34.7)</b>.</li>
<li style="text-align: justify; ">ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. <b>(Section 34.8)</b>.<b> </b></li>
<li style="text-align: justify; ">The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 34.9)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. <b>(Section 34.12)</b>.</li>
<li style="text-align: justify; ">The list of Internet leased line customers and sub-customers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. <b>(Section 34.13)</b>. </li>
<li style="text-align: justify; ">High UDP traffic values must be monitored, with checks for cases where upstream UDP traffic is similar to downstream UDP traffic; such customers are to be monitored monthly with physical verification and personal identity. <b>(Section 34.15)</b>.</li>
<li style="text-align: justify; ">The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. <b>(Section 34.22)</b>. </li>
<li style="text-align: justify; ">The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. <b>(Section 34.23)</b>.</li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
<li style="text-align: justify; ">Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. <b>(Section 34.27 (a(v))</b>.</li>
<li style="text-align: justify; ">The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. <b>(Section 34.27 (ix))</b>.</li>
<li style="text-align: justify; ">On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. <b>(Section 34.27 (x))</b>.</li>
<li style="text-align: justify; ">Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(Section 34.27 (xiv))</b>.</li>
<li style="text-align: justify; ">A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. <b>(Section 34.27 (xv))</b>.</li>
<li style="text-align: justify; ">ISPs must provide access of their network and other facilities, as well as books to security agencies. <b>(Section 34.27 (xx))</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>12. </b><b>Principle - Safeguards for international cooperation</b>:<i> In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.</p>
<p>Below is a summary of the relevant provisions:</p>
<li style="text-align: justify; "><b>ITA 2000</b>: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. <b>(Section 1(2))</b> </li>
<li style="text-align: justify; "><b>UASL License:</b> The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature). <b>(Section 41.20 (viii))</b></li>
<li style="text-align: justify; "><b>ISP License:</b> For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or routed to any place outside of India. <b>(Section 34.28 (iii)) </b>ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) <b>(Section 34.28 (viii))</b></li>
<p style="text-align: justify; "><b>13. </b><b><i>Principle - Safeguards against illegitimate access</i></b><i>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007:</b> The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with a penalty of imprisonment from 1 to 3 years and/or a fine of Rs. 500 – 1000 depending on the exact violation. <b>(Section 20, 20A, 23, and 24 Indian Telegraph Act)</b>.</li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 21)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 6)</b>.</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. <b>(Section 41.20 (xix))</b>.</li>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. <b>(Section 34.28 (xix))</b>.</li>
<li style="text-align: justify; ">The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. <b>(Section 8.4)</b>.</li>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>14. </b><b><i>Principle - Cost of surveillance</i></b><b><i>:</i></b><i> The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.</p>
<p>Below are summaries of relevant provisions:</p>
<li><b>UASL License</b>:
<ul>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service provider's cost. However, the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. <b>(Section 41.20 (xvi))</b>.</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. <b>(Section 34.7)</b>. </li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
</ul>
</li>
</ul>
</li>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications'>https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T15:40:51Z | Blog Entry
An Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, I have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which is combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy." Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>In what ways can the privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests.
However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. 
The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and security momentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption is the answer to private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a person's financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in
case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. 
So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-09-06T09:37:47Z | Blog Entry
India's Biometric Identification Programs and Privacy Concerns
https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns
<b>The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.
</b>
<p> </p>
<hr />
<p style="text-align: justify;">Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. <em>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</em>.</p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify;">Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election IDs, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.</p>
<h3 style="text-align: justify;">‘Big Data’ and Privacy Issues</h3>
<p style="text-align: justify;">Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging every day,<a name="fr1" href="#fn1">[1]</a> the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.<a name="fr2" href="#fn2">[2]</a> The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different from any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial, for example through analysing data trends to target improved services, it can also be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, or used for purposes the individuals did not mean it to be used for.</p>
<h3 style="text-align: justify;">Biometric ID and Theft of Private Data</h3>
<p style="text-align: justify;">The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that their potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owner's consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because it is unique and intrinsic, and hence, once lost, cannot be re-issued or reclaimed like traditional identification such as a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.</p>
<h3 style="text-align: justify;">Biometric data and Potential Misuse</h3>
<p style="text-align: justify;">Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.<a name="fr4" href="#fn4">[4]</a> The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]</p>
<p style="text-align: justify;">A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.<a name="fr5" href="#fn5">[5]</a> Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.<a name="fr6" href="#fn6">[6]</a> With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.<a name="fr7" href="#fn7">[7]</a></p>
<p style="text-align: justify;">With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individual's knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.<a name="fr8" href="#fn8">[8]</a> Even if such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime, where individuals are not notified about the kind of data being collected and what it is being used for, would be a huge affront to civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As the Deputy Prime Minister of the UK, Nick Clegg, said in a speech where he denounced the Identity Scheme of the British government, “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]</p>
<p style="text-align: justify;">Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.</p>
<hr />
<p>[<a name="fn1" href="#fr1">1</a>]. <a href="http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections">http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections</a>.</p>
<p>[<a name="fn2" href="#fr2">2</a>]. <a href="http://www.wired.com/threatlevel/2008/03/hackers-publish">http://www.wired.com/threatlevel/2008/03/hackers-publish</a>.</p>
<p>[<a name="fn3" href="#fr3">3</a>]. <a href="https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions">https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions</a>.</p>
<p>[<a name="fn4" href="#fr4">4</a>]. <a href="http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001">http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001</a>.</p>
<p>[<a name="fn5" href="#fr5">5</a>]. <a href="http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece">http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece</a>.</p>
<p>[<a name="fn6" href="#fr6">6</a>]. <a href="http://news.bbc.co.uk/2/hi/8691753.stm">http://news.bbc.co.uk/2/hi/8691753.stm</a></p>
<p>[<a name="fn7" href="#fr7">7</a>]. Supra note 1.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns'>https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns</a>
</p>
No publisher | divij | SAFEGUARDS | Internet Governance | Privacy | 2016-07-21T10:51:42Z | Blog Entry
Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 The Centre for Internet and Society (<b>“CIS”</b>) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (<b>“Sensitive Personal Data Rules” or “Rules”</b>) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.</p>
<p style="text-align: justify; ">1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy<a href="#fn1" name="fr1">[1]</a>, there have never been codified provisions protecting the privacy of individuals and their personal information.</p>
<p style="text-align: justify; ">The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.<a href="#fn2" name="fr2">[2]</a> Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:</p>
<p style="text-align: justify; "><b>II <span>Principles to Facilitate Appraisal</span></b><br />2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.</p>
<p>2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:</p>
<p>(a) <span>Principle of Notice / Prior Knowledge</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.</p>
<p>(b) <span>Principle of Consent</span></p>
<p style="text-align: justify; ">Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.</p>
<p>(c) <span>Principle of Necessity / Collection Limitation</span></p>
<p style="text-align: justify; ">Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.</p>
<p>(d) <span>Right to be Forgotten / Principle of Purpose Limitation</span></p>
<p style="text-align: justify; ">Once collected, personal information must be processed, used, stored or otherwise dealt with only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.</p>
<p>(e) <span>Right of Access</span></p>
<p style="text-align: justify; ">All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.</p>
<p>(f) <span>Principle regarding Disclosure</span></p>
<p style="text-align: justify; ">Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.</p>
<p>(g) <span>Principle of Security</span></p>
<p style="text-align: justify; ">All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.</p>
<p>(h) <span>Principle of Transparency / ‘Open-ness’</span></p>
<p>All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.</p>
<p>(i) <span>Principle of Accountability</span></p>
<p style="text-align: justify; ">Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains and attracts civil and criminal penalties.</p>
<p style="text-align: justify; ">2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of achieving the substantive intent of these principles. <b>CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards.</b> Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:</p>
<p style="text-align: justify; "><b>III <span><span>Clause-by-Clause Analysis and Comments</span></span></b></p>
<p style="text-align: justify; "><b><span>Rule 2 - Definitions</span></b></p>
<p>3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:</p>
<p style="text-align: justify; "><i>"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes.</i></p>
<p style="text-align: justify; ">3.1.2 <span>Firstly</span>, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identifying the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. <span>Secondly</span>, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.</p>
<p><b>3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”</p>
<p style="text-align: justify; ">3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (<b>“IT Act”</b>) as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.</i></p>
<p style="text-align: justify; ">3.2.2 <span>Firstly</span>, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, <span><span>will exclude public and private trusts</span></span><a href="#fn5" name="fr5">[5]</a> <span>and unincorporated public authorities</span>. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a <i>prima facie</i> violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.</p>
<p style="text-align: justify; ">3.2.3 <span>Secondly</span>, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.</p>
<p><b>3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”</p>
<p style="text-align: justify; "><b>Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate</b>.</p>
<p style="text-align: justify; "><b>Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India</b>.</p>
<p>3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.</i></p>
<p style="text-align: justify; ">3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “<i>cyber incidents</i>” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. <span>Firstly</span>, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. <span>Secondly</span>, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.</p>
<p style="text-align: justify; "><b>3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; ">3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.</p>
<p style="text-align: justify; "><b>3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.</b></p>
<p style="text-align: justify; "><b><span>Rule 3 - Sensitive Personal Data</span></b></p>
<p>3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:</p>
<p style="text-align: justify; "><i>Sensitive personal data or information of a person means such personal information which consists of information relating to – </i></p>
<p><i>(i) password; </i></p>
<p style="text-align: justify; "><i>(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; </i></p>
<p style="text-align: justify; "><i>(iii) physical, physiological and mental health condition; </i></p>
<p><i>(iv) sexual orientation; </i></p>
<p><i>(v) medical records and history; </i></p>
<p><i>(vi) Biometric information; </i></p>
<p style="text-align: justify; "><i>(vii) any detail relating to the above clauses as provided to body corporate for providing service; and </i></p>
<p style="text-align: justify; "><i>(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: </i></p>
<p><i> </i></p>
<p style="text-align: justify; "><i>provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.</i></p>
<p style="text-align: justify; ">3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.</p>
<p><b>3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p>“Sensitive personal data or information of a person means personal information as to that person’s –</p>
<p>(i) passwords and encryption keys;</p>
<p>(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;</p>
<p>(iii) physical, physiological and mental condition;</p>
<p>(iv) sexual activity and sexual orientation;</p>
<p>(v) medical records and history;</p>
<p>(vi) biometric information; and</p>
<p>(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;</p>
<p>and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.</p>
<p style="text-align: justify; ">Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”</p>
<p style="text-align: justify; "><b><span>Rule 4 - Privacy and Disclosure Policy</span></b></p>
<p>3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:</p>
<p style="text-align: justify; "><b><i>Body corporate to provide policy for privacy and disclosure of information. – </i></b><i>(1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –</i></p>
<p><i>(i) Clear and easily accessible statements of its practices and policies; </i></p>
<p><i>(ii) type of personal or sensitive personal data or information collected under rule 3; </i></p>
<p><i>(iii) purpose of collection and usage of such information; </i></p>
<p><i>(iv) disclosure of information including sensitive personal data or information as provided in rule 6; </i></p>
<p><i>(v) reasonable security practices and procedures as provided under rule 8. </i></p>
<p style="text-align: justify; ">3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. <span>Firstly</span>, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. <span>Secondly</span>, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. <span>Thirdly</span>, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. 
There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. <span>Fourthly</span>, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “<i>personal or sensitive personal data or information</i>” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.</p>
<p><b>3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; ">“<b>Duty to publish certain policies. – </b>(1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.</p>
<p>(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –</p>
<p style="text-align: justify; ">(i) the meanings of personal information and sensitive personal data in accordance with these rules;</p>
<p style="text-align: justify; ">(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;</p>
<p style="text-align: justify; ">(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;</p>
<p style="text-align: justify; ">(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and</p>
<p style="text-align: justify; ">(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”</p>
<p style="text-align: justify; "><span>Rule 5 - Collection of Information</span></p>
<p>3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.</i></p>
<p style="text-align: justify; ">3.7.2 <span>Firstly</span>, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. <span>Secondly</span>, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. <span>Thirdly</span>, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.</p>
<p><b>3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”</p>
<p>3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:</p>
<p><i>Body corporate or any person on its behalf shall not collect sensitive personal data or information unless — </i></p>
<p style="text-align: justify; "><i>(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and </i></p>
<p style="text-align: justify; "><i>(b) the collection of the sensitive personal data or information is considered necessary for that purpose.</i></p>
<p style="text-align: justify; ">3.8.2 <span>Firstly</span>, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general; there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. <span>Secondly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.</p>
<p style="text-align: justify; ">3.8.3 <b>Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –</p>
<p style="padding-left: 30px; text-align: justify; ">(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and</p>
<p style="padding-left: 30px; text-align: justify; ">(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”</p>
<p style="text-align: justify; ">3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:</p>
<p style="text-align: justify; "><i>While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of — </i></p>
<p><i>(a) the fact that the information is being collected; </i></p>
<p><i>(b) the purpose for which the information is being collected; </i></p>
<p><i>(c) the intended recipients of the information; and </i></p>
<p><i>(d) the name and address of — </i></p>
<p><i>(i) the agency that is collecting the information; and </i></p>
<p><i>(ii) the agency that will retain the information.</i></p>
<p style="text-align: justify; ">3.9.2 <span>Firstly</span>, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. <span>Secondly</span>, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. <span>Thirdly</span>, the use of the phrase “<i>take such steps as are, in the circumstances, reasonable</i>” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.</p>
<p><b>3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:</b></p>
<p>“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –</p>
<p>(a) the fact that it is being collected;</p>
<p>(b) the purpose for which it is being collected;</p>
<p>(c) the manner in which it will be used;</p>
<p>(d) the intended recipients to whom it will be sent or made available;</p>
<p>(e) the duration for which it will be stored;</p>
<p>(f) the conditions upon which it may be disclosed;</p>
<p>(g) the conditions upon which it may be destroyed; and</p>
<p>(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”</p>
<p style="text-align: justify; ">3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.</i></p>
<p style="text-align: justify; ">3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.</p>
<p><b>3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”</p>
<p style="text-align: justify; "><span>Rule 6 - Disclosure of Information</span></p>
<p style="text-align: justify; ">3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:</p>
<p style="text-align: justify; "><i>Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: </i></p>
<p style="text-align: justify; "><i>Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.</i></p>
<p style="text-align: justify; ">3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: <span>Firstly</span>, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. <span>Secondly</span>, the use of the phrase “<i>any third party</i>” lends vagueness to this provision since the term “third party” has not been defined. <span>Thirdly</span>, the repeated use of the undefined phrase “<i>provider of information</i>” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.</p>
<p style="text-align: justify; ">3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. <span>Firstly</span>, the disclosure of personal information and sensitive personal data when it is “<i>necessary for compliance of a legal obligation</i>” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. <span>Secondly</span>, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. <span>Thirdly</span>, the definition and use of the term “<i>cyber incidents</i>” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. 
<span>In sum</span>, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.</p>
<p><b>3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.</p>
<p style="padding-left: 30px; text-align: justify; ">Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”</p>
<p>3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:</p>
<p style="padding-left: 30px; text-align: justify; "><i>Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.</i></p>
<p style="text-align: justify; ">3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “<i>an order under the law</i>”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive personal data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.</p>
<p style="text-align: justify; "><b>3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.</b></p>
<p>3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.</i></p>
<p style="text-align: justify; ">3.13.2 <span>Firstly</span>, as mentioned elsewhere in this submission, the phrase “<i>third party</i>” has not been defined. This is a drafting discrepancy that must be rectified. <span>Secondly</span>, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. <span>Thirdly</span>, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information pertains consents to it.</p>
<p><b>3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:</b></p>
<p style="padding-left: 30px; text-align: justify; ">“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”</p>
<p style="text-align: justify; "><span>Rule 7 - Transfer of Information</span></p>
<p style="text-align: justify; ">3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:</p>
<p style="padding-left: 30px; text-align: justify; "><i>A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</i></p>
<p style="text-align: justify; ">3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: <span>firstly</span>, the simultaneous use of the phrases “<i>provider of information</i>” and “<i>such person</i>” is imprecise and misleading; <span>secondly</span>, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.</p>
<p><b>3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”</p>
<p style="text-align: justify; "><span>Rule 8 - Reasonable Security Practices</span></p>
<p style="text-align: justify; ">3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):</p>
<p style="padding-left: 30px; "><i>The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).</i></p>
<p style="text-align: justify; ">3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard is higher: it includes the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.</p>
<p style="text-align: justify; "><b>3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001. </b></p>
<p style="text-align: justify; "><b>IV <span>The Press Release of 24 August 2011</span></b></p>
<p style="text-align: justify; ">4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee on Subordinate Legislation as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.</i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Press Note</i></p>
<p style="padding-left: 30px; text-align: justify; "><i>The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).</i></p>
<p style="padding-left: 30px; text-align: justify; "><i>These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.</i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Ministry of Communications & Information Technology (Dept. of Information Technology) </i></p>
<p style="padding-left: 30px; text-align: justify; "><i>Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011</i></p>
<p style="padding-left: 30px; "><i>SP/ska <br /> (Release ID :74990)</i></p>
<p style="text-align: justify; ">4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use of this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to the duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to the manner and medium of obtaining consent prior to collecting personal information.</p>
<p style="text-align: justify; ">4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,</p>
<p style="padding-left: 30px; text-align: justify; ">...<i>law</i> <i>includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.</i></p>
<p style="text-align: justify; ">Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.</p>
<p style="padding-left: 30px; text-align: justify; ">[See, <i>Edward Mills</i> AIR 1955 SC 25 at pr. 12, <i>Babaji Kondaji Garad</i> 1984 (1) SCR 767 at pp. 779-780 and <i>Indramani Pyarelal Gupta</i> 1963 (1) SCR 721 at pp. 73-744]</p>
<p>Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.</p>
<p style="padding-left: 30px; "> <span>[See, <i>Raj Narain Singh</i> AIR 1954 SC 569 and <i>Re Delhi Laws Act</i> AIR 1951 SC 332]</span></p>
<p style="text-align: justify; "><span>Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power, are not “law” and cannot modify statutory rules.</span></p>
<p style="text-align: justify; "><span><b>V <span>Summary</span></b></span></p>
<p class="MsoNormal"><span>5.1 CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled:</span></p>
<ul>
<li>Rule 2(1)(b);</li>
<li>Rule 2(1)(c);</li>
<li>Rule 2(1)(d);</li>
<li>Rule 2(1)(g);</li>
<li>Rule 3;</li>
<li>Rule 4(1);</li>
<li>Rule 5(1);</li>
<li>Rule 5(2);</li>
<li>Rule 5(3);</li>
<li>Rule 5(4);</li>
<li>Rule 6(1);</li>
<li>Rule 6(1) Proviso;</li>
<li>Rule 6(2);</li>
<li>Rule 6(4);</li>
<li>Rule 7; and</li>
<li>Rule 8.</li>
</ul>
<p style="text-align: justify; ">5.2 CIS submits that the Committee on Subordinate Legislation <span>should take a serious view of the press release issued by the </span><span>Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.</span></p>
<p style="text-align: justify; "><span>5.3 CIS submits </span><span>that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.</span></p>
<p style="text-align: justify; "><span>5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.</span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, <i>Kharak Singh</i> AIR 1963 SC 1295, <i>Gobind</i> (1975) 2 SCC 148, <i>R. Rajagopal</i> (1994) 6 SCC 632, <i>People’s Union for Civil Liberties</i> (1997) 1 SCC 301 and <i>Canara Bank</i> (2005) 1 SCC 496.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. See <i>infra</i> pr. 4.3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).</p>
<p class="MsoFootnoteText">[<a href="#fr4" name="fn4">4</a>]. <span>See generally, <i>Board of Trustees of Ayurvedic College</i> AIR 1962 SC 458 and <i>S. P. Mittal</i> AIR 1983 SC 1.</span></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <span>See </span><span>generally, <i>W. O. Holdsworth</i> AIR 1957 SC 887 and <i>Duli Chand</i> AIR 1984 Del 145.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>
</p>
No publisher | bhairav | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T12:13:53Z | Blog Entry
Comments on the Information Technology (Electronic Service Delivery) Rules, 2011
https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011
<b>Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Information Technology (Electronic Service Delivery) Rules, 2011. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; "><b>I <span><span>Preliminary</span></span></b></p>
<p style="text-align: justify; ">1.1 This submission presents comments from the Centre for Internet and Society (<b>“CIS”</b>) on the Information Technology (Electronic Service Delivery) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 316(E) on 11 April 2011 (<b>“ESD Rules”</b> or <b>“Rules”</b>).</p>
<p style="text-align: justify; ">1.2 The ESD Rules were notified only eight months before the Electronic Delivery of Services Bill, 2011 was tabled in the Lok Sabha on 27 December 2011 (Bill 137 of 2011) (<b>“EDS Bill” </b>or<b> “Bill”</b>). Both the ESD Rules and the EDS Bill are concerned with enabling computer-based electronic delivery of government services to Indian citizens (<b>“electronic service delivery”</b>). Both the Rules and the Bill originate from the same government department: the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology. Since the EDS Bill seeks to enact a comprehensive legislative framework for mandating and enforcing electronic service delivery, the purpose of the ESD Rules is called into question.</p>
<p style="text-align: justify; "><b>II <span><span>Basic Issues Regarding Electronic Service Delivery</span></span></b></p>
<p style="text-align: justify; ">2.1 CIS believes that there are significant conceptual issues regarding electronic service delivery that demand attention. The Department-related Parliamentary Standing Committee on Information Technology of the Fifteenth Lok Sabha (<b>“Standing Committee”</b>) raised a few concerns when it submitted its 37th Report on the EDS Bill on 29 August 2012. There is a clear need for a national debate on the manner of effecting exclusive electronic service delivery to the exclusion of manual service delivery. Some of these issues are briefly summarised as follows:</p>
<p style="text-align: justify; ">(a) Mandatory exclusive electronic service delivery pre-supposes the ability of all Indian citizens to easily access such mechanisms. While there are no authoritative national statistics on familiarity with computer-related technologies, it is apparent that a large majority of Indians, most of whom are likely to be already marginalised and vulnerable, are so unfamiliar with such technologies as to endanger their ability to receive basic government services;</p>
<p style="text-align: justify; ">(b) Consequent upon mandatory exclusive electronic service delivery for basic government services, a large group of ‘middlemen’ will arise to facilitate access for that majority of Indians who cannot otherwise access these services. This group will control the interface between citizens and their government. As a result, citizens’ access to governance will deteriorate. This problem may be mitigated to a certain extent by creating a new class of public servants to solely facilitate access to electronic service delivery mechanisms;</p>
<p style="text-align: justify; ">(c) The issue of governmental incapacity at the citizen-government interface might be addressed by contracting private service providers to operate mandatory exclusive electronic service delivery mechanisms. However, it is difficult to see how commercialising access to essential government services serves the public interest, especially when public funds will be expended to meet the costs of private service providers. Permitting private service providers to charge a fee from the general public to allow access to essential government services is also ill advised;</p>
<p style="text-align: justify; ">(d) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must be accompanied by strong data protection measures to ensure the sanctity of sensitive personal information shared online with the state. At present, there are no specific laws that bind the state, or its agents, to the stringent requirements of privacy necessary to protect personal liberties. In the same vein, strong data security measures are necessary to prevent sensitive personal information from being compromised or lost;</p>
<p style="text-align: justify; ">(e) All electronic service delivery, whether mandatory to the exclusion of other service delivery mechanisms or offered simultaneously with manual service delivery, must ensure ease and equality of accessibility. For this reason, electronic service delivery mechanisms should conform to the National Policy on Open Standards, 2010 (or the proposed National Electronic Access Policy which is currently awaiting adoption), the Interoperability Framework for E-Governance in India and the Website Guidelines of the National Informatics Centre;</p>
<p style="text-align: justify; ">(f) Electronic service delivery requires infrastructure which India does not currently have but can develop. Only 1.44 per cent of India’s population has access to a broadband internet connection<a href="#fn1" name="fr1">[1]</a> and current daily energy demand far exceeds supply. On the other hand, the number of broadband subscribers is increasing,<a href="#fn2" name="fr2">[2]</a> the annual installed capacity for electricity generation is growing<a href="#fn3" name="fr3">[3]</a> and the literacy rate is increasing.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">2.2 The ESD Rules do not address any of the issues raised in the preceding paragraph. As a result, they cannot be seen to represent the result of a national consensus on the crucial question of mandating exclusive electronic service delivery and the means of enforcing such a scheme. Further, very few of the provisions of the Rules are binding; instead, the Rules appear to be drafted to serve as a minimal model for electronic service delivery. <b>In this background, CIS believes that the Rules should be treated as an incomplete arrangement that prescribes the minimal standards necessary to bind private service providers before comprehensive and statutory electronic service delivery legislation is enacted, perhaps in the form of the EDS Bill or otherwise. </b>Therefore, without prejudice to the issues raised in the preceding paragraph, CIS offers the following comments on the provisions of the Rules while reserving the opportunity to make substantive submissions on electronic service delivery in general to an appropriate forum at a later date.</p>
<p style="text-align: justify; "><b>III <span>Improper Exercise of Subordinate Legislative Power</span></b></p>
<p style="text-align: justify; ">3.1 Rule 317 of the Rules of Procedure and Conduct of Business in the Lok Sabha (Fourteenth Edition, July 2010) (<b>“Rules of Procedure”</b>), which empowers the Committee on Subordinate Legislation to scrutinise exercises of statutory delegation of legislative powers for impropriety, states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>There shall be a Committee on Subordinate Legislation to scrutinize and report to the House whether the powers to make regulations, rules, subrules, bye-laws etc., conferred by the Constitution or delegated by Parliament are being properly exercised within such delegation.</i></p>
<p style="text-align: justify; ">Further, the Committee on Subordinate Legislation is specifically empowered by rule 320(vii) of the Rules of Procedure to examine any provision of the ESD Rules to consider “<i>whether it appears to make some unusual or unexpected use of the powers conferred by the Constitution or the Act pursuant to which it is made.</i>”</p>
<p style="text-align: justify; ">3.2 Accordingly, the attention of the Committee on Subordinate Legislation is called to an improper exercise of delegated power under rule 3(1) of the ESD Rules, which states:</p>
<p style="padding-left: 30px; "><i>The appropriate Government may on its own or through an agency authorised by it, deliver public services through electronically-enabled kiosks or any other electronic service delivery mechanism.</i></p>
<p style="text-align: justify; "><b>This sub-rule (1) empowers both the Central Government and State Governments to provide electronic service delivery on their own.</b></p>
<p style="text-align: justify; ">3.3 The ESD Rules are made in exercise of delegated powers conferred under section 87(2)(ca) read with section 6-A(2) of the Information Technology Act, 2000 (<b>“IT Act”</b>). Section 87(2)(ca) of the IT Act empowers the Central Government to make rules to provide for:</p>
<p style="padding-left: 30px; text-align: justify; "><i>the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A.</i></p>
<p>Section 6-A(2) of the IT Act states:</p>
<p style="padding-left: 30px; text-align: justify; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; "><i>Prima facie</i>, the delegated powers under section 87(2)(ca) read with section 6-A(2) of the IT Act, in exercise of which the ESD Rules are made, only permit delegated legislation to regulate private service providers; <span>they do not permit the executive to exercise these powers to empower itself to conduct electronic service delivery on its own</span>.<b> Therefore, to the extent that the ESD Rules authorise the Central Government and State Governments to provide electronic service delivery on their own, such authorisation constitutes an improper exercise of delegated power and is <i>ultra vires</i> the IT Act.</b> This may be resolved by deriving the delegated legislative competence of the ESD Rules from section 87(1) of the IT Act, instead of section 87(2)(ca) read with section 6-A(2).</p>
<p style="text-align: justify; "><b>IV <span>Clause-by-Clause Comments</span></b></p>
<p style="text-align: justify; "><span>Rule 2 - Definitions</span></p>
<p>4.1.1 Rule 2(c) of the ESD Rules states:</p>
<p style="text-align: justify; "><i>"authorised agent" means an agent of the appropriate Government or service provider and includes an operator of an electronically enabled kiosk who is permitted under these rules to deliver public services to the users with the help of a computer resource or any communication device, by following the procedure specified in the rules</i></p>
<p style="text-align: justify; ">In accordance with the argument regarding improper exercise of delegated power contained in paragraphs 3.1 – 3.3 of this submission, the appropriate Government cannot undertake electronic service delivery under these Rules. Consequently, the appropriate Government cannot appoint an agent to provide electronic service delivery on behalf, and under the control, of the appropriate Government since, as the principal, the appropriate Government would be responsible for the acts of its agents. Instead, private service providers may provide electronic service delivery as contractees of the appropriate Government who might enter into such contracts as a sovereign contractor. Therefore, only a private service provider may appoint an authorised agent under these Rules.</p>
<p style="text-align: justify; "><b>4.1.2 Therefore, it is proposed that rule 2(c) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">““authorised agent” means an agent of a service provider, and includes an operator of an electronically enabled kiosk, who is permitted under these rules to deliver public services with the help of a computer resource or any communication device, by following the procedure specified in these rules”</p>
<p style="text-align: justify; ">Rule 3 - <span>System of Electronic Service Delivery</span></p>
<p>4.2.1 Rule 3(3) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may determine the manner of encrypting sensitive electronic records requiring confidentiality, while they are electronically signed.</i></p>
<p style="text-align: justify; ">This sub-rule is supposed to prescribe stringent standards to maintain the security, confidentiality and privacy of all personal information used during electronic service delivery transactions. In the absence of transactional security, electronic service delivery will invite fraud, theft and other misuse to impugn its viability as a means of delivering public services. However, the use of the term “<i>may</i>” leaves the prescription of security standards up to the discretion of the appropriate Government. Further, the language of the sub-rule is unclear and imprecise.</p>
<p>4.2.2 <b>Therefore, it is proposed that rule 3(3) is amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall, prior to any electronic service delivery, determine the manner of encrypting electronic records and shall prescribe standards for maintaining the safety, security, confidentiality and privacy of all information collected or used in the course of electronic service delivery.”</p>
<p>4.3.1 Rule 3(5) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may allow receipt of payments made by adopting the Electronic Service Delivery System to be a deemed receipt of payment effected in compliance with the financial code and treasury code of such Government.</i></p>
<p style="text-align: justify; "><span>Firstly</span>, if these Rules enable payments to be made electronically, they must also validate the receipt of these payments. Inviting citizens to make electronic payments for government services without recognising the receipt of those payments is farcical and invites abusive and corrupt practices. Therefore, it is imperative that these Rules compulsorily recognise receipt of payments, either by deeming their receipt to be valid receipts under existing law or by specially recognising their receipt by other means including the law of evidence. Either way, electronic receipts of electronic payments must be accorded the validity in law that manual/paper receipts have; and, copies of such electronic receipts must be capable of being adduced in evidence. <span>Secondly</span>, the use of the phrase “<i>financial code and treasury code</i>” is avoidable since these terms are undefined.</p>
<p><b>4.3.2 Therefore, it is proposed that rule 3(5) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“Any receipt of payment made by electronic service delivery shall be deemed to be a valid receipt of such payment under applicable law and shall be capable of being adduced as evidence of such payment.”</p>
<p>4.4.1 Rule 3(6) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may authorise service providers or their authorised agents to collect, retain and appropriate such service charges as may be specified by the appropriate Government for the purpose of providing such services from the person availing such services: </i></p>
<p style="text-align: justify; padding-left: 30px; "><i>Provided that the apportioned service charges shall be clearly indicated on the receipt to be given to the person availing the services.</i></p>
<p style="text-align: justify; ">This sub-rule is an almost verbatim reproduction of the provisions of section 6-A(2) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate such service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.</i></p>
<p style="text-align: justify; ">Since the IT Act specifically delegates to the appropriate Governments the power to authorise service providers to levy charges, rule 3(6) of the ESD Rules that merely copies the provisions of the parent statute is meaningless. The purpose of delegated legislation is to give effect to the provisions of a statute by specifying the manner in which statutory provisions shall be implemented. Copying and pasting statutory provisions is an absurd misuse of delegated legislative powers.</p>
<p style="text-align: justify; "><b>4.4.2 Therefore, it is proposed that sub-rule (6) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.5.1 Rule 3(7) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall by notification specify the scale of service charges which may be charged and collected by the service providers and their authorised agents for various kinds of services.</i></p>
<p>This is an almost verbatim reproduction of the provisions of section 6-A(4) of the IT Act which reads as follows:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section.</i></p>
<p style="text-align: justify; ">As noted in paragraph 4.3.1 of this submission, the purpose of delegated legislation is not to copy the provisions of the parent statute, but to amplify the scope of the delegated power and the manner of effecting its implementation.</p>
<p style="text-align: justify; "><b>4.5.2 Therefore, it is proposed that sub-rule (7) is deleted and the remaining sub-rules of rule 3 are renumbered.</b></p>
<p>4.6.1 Rule 3(8) of the ESD Rules states:</p>
<p style="text-align: justify; padding-left: 30px; "><i>The appropriate Government may also determine the norms on service levels to be complied with by the Service Provider and the authorised agents.</i></p>
<p style="text-align: justify; ">There is no quarrel with the power of the government to determine norms for, or directly prescribe, service levels to regulate service providers. However, without a scheme of statutory or sub-statutory penalties for contravention of the prescribed service levels, a sub-delegated service level cannot enforce any penalties. Simply put, <span>the state cannot enforce penalties unless authorised by law</span>. Unfortunately, rule 3(8) contains no such authorisation. Service levels for service providers without a regime of penalties for non-compliance are meaningless, especially since service providers will be engaged in providing access to essential government services.</p>
<p><b>4.6.2 Therefore, it is proposed that rule 3(8) be amended to read as follows:</b></p>
<p style="text-align: justify; padding-left: 30px; ">“The appropriate Government shall prescribe service levels to be complied with by all service providers and their authorised agents which shall include penalties for failure to comply with such service levels.”</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Thirty-Seventh Report of the Standing Committee on Information Technology (2011-12) on the Electronic Delivery of Services Bill, 2011 (New Delhi: Lok Sabha Secretariat, 29 August 2012) at pp. 13, 17 and 34. See also, <i>Telecom Sector in India: A Decadal Profile</i> (New Delhi: Telecom Regulatory Authority of India, 8 June 2012).</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Annual Report (2011-12) of the Department of Telecommunications, Ministry of Communications and Information Technology, Government of India (New Delhi: Department of Telecommunications, 2012) at pp. 5 and 1-3.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Report of the Working Group on Power of the Twelfth Plan (New Delhi: Planning Commission, Government of India, January 2012).</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Provisional Report of the Census of India 2011 (New Delhi: Registrar General and Census Commissioner, 2011) from p. 124.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011'>https://cis-india.org/internet-governance/blog/comments-on-it-electronic-service-delivery-rules-2011</a>
</p>
No publisher | bhairav | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T12:12:16Z | Blog Entry
Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry
https://cis-india.org/internet-governance/blog/spy-files-three
<b>In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights. </b>
<p align="JUSTIFY">Last month, WikiLeaks released <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html">“Spy Files 3”</a></span>, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files, which comprise brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies, in December 2011. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.</p>
<h2><b>So what do the latest Spy Files reveal about India?</b></h2>
<p align="JUSTIFY">When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">India is once again on the list</a></span> with some of the most controversial spyware.</p>
<h3><b>ISS World Surveillance Trade Shows</b></h3>
<p align="JUSTIFY">The latest Spy Files include a <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure of the ISS World 2013</a></span>, the so-called “wiretapper’s ball”, which is the world’s largest surveillance trade show. <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_ap/">This year’s ISS World Asia</a></span> will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech.
The <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">leaked ISS World 2013 brochure</a></span> contains a list of last year’s global attendees. According to the brochure, 53% of the attendees were law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and private enterprises. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.</p>
<p align="JUSTIFY">The following table lists the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"><i>Indian</i> attendees at last year’s ISS World</a></span>:</p>
<table class="plain">
<tbody>
<tr>
<th>
<p align="JUSTIFY"><span><span><b>Law Enforcement, Defense and Interior Security Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>Telecom Operators and Private Enterprises Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>ISS Vendors and Technology Integrators Attendees</b></span></span></p>
</th>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Andhra Pradesh India Police</span></span></span></p>
</td>
<td>
<p align="JUSTIFY">BT</p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>AGC Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>CBI Academy</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Cogence Investment Bank</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Aqsacom India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Government of India, Telecom Department</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>India Reliance Communications</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>ClearTrail Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Cabinet Secretariat</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Span Telecom Pvt. Ltd. </span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Foundation Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Centre for Development of Telematics (C-DOT)</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY">Kommlabs</p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Chandigarh Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Paladion Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Defence Agency</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polaris Wireless</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India General Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polixel Security Systems</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Intelligence Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Pyramid Cyber Security</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India National Institute of Criminology</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Schleicher Group</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India office LOKAYUKTA NCT DELHI</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Span Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Police Department, A.P.</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>TATA India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Tamil Nadu Police Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Tata Consultancy Services</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Police Service, Vigilance</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Telecommunications India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Telecommunications Authority</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Vehere Interactive</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>NTRO India</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>SAIC Indian Tamil Nadu Police</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th>17</th><th>4</th><th>15</th>
</tr>
</tbody>
</table>
<p align="JUSTIFY">According to the above table, which is based on data from the <a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"><span style="text-decoration: underline;">WikiLeaks’ ISS World 2013 brochure</span></a>, the majority of Indian attendees at last year’s ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP, Reliance Communications, attended the trade show too.</p>
<p align="JUSTIFY">In addition to the ISS World 2013 brochure, the Spy Files 3 include a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.</p>
<h3><b>ClearTrail Technologies</b></h3>
<p align="JUSTIFY"><a href="http://www.clear-trail.com/"><span style="text-decoration: underline;">ClearTrail Technologies</span></a> is an Indian company based in Indore. The document titled <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">“Internet Monitoring Suite”</span></a> from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:</p>
<p align="JUSTIFY"><b>1. ComTrail: Mass Monitoring of IP and Voice Networks</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.</p>
<p align="JUSTIFY">ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, recording and replay of voice and IP communications of pretty much any type, including, but not limited to, Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.</p>
<p align="JUSTIFY">Additionally, ComTrail intercepts data from any type of network, whether wireless, packet data, wireline or VoIP, and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.</p>
<p align="JUSTIFY">In short, ComTrail’s key features include the following:</p>
<p align="JUSTIFY">- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links</p>
<p align="JUSTIFY">- Doubles up as Targeted Monitoring System</p>
<p align="JUSTIFY">- On demand data retention, capacity exceeding several years</p>
<p align="JUSTIFY">- Instant Analysis across thousands of Terabytes</p>
<p align="JUSTIFY">- Correlates Identities across multiple networks</p>
<p align="JUSTIFY">- Speaker Recognition and Target Location</p>
<p align="JUSTIFY"><b>2. xTrail: Targeted IP Monitoring</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">xTrail</span></a> is a solution for the interception, decoding and analysis of high speed data traffic over IP networks, and it independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks, including wireline, wireless, cable, VoIP and VSAT networks, and acts as a black box to “record and replay” targeted Internet communications.</p>
<p align="JUSTIFY">Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.</p>
<p align="JUSTIFY">In short, xTrail’s key features include the following:</p>
<p align="JUSTIFY">- Pure passive probe</p>
<p align="JUSTIFY">- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways</p>
<p align="JUSTIFY">- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic</p>
<p align="JUSTIFY">- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location</p>
<p align="JUSTIFY">- Huge data retention, rich analysis interface and tamper proof court evidence</p>
<p align="JUSTIFY">- Easily integrates with any existing centralized monitoring system for extended coverage</p>
<p align="JUSTIFY"><b>3. QuickTrail: Tactical Wi-Fi Monitoring</b></p>
<p align="JUSTIFY">Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.</p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.</p>
<p align="JUSTIFY">According to ClearTrail’s brochure, QuickTrail is an “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN, and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.</p>
<p align="JUSTIFY">In short, QuickTrail’s key features include the following:</p>
<p align="JUSTIFY">- Conveniently housed in a laptop computer</p>
<p align="JUSTIFY">- Intercepts Wi-Fi and wired LANs in five different ways</p>
<p align="JUSTIFY">- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks</p>
<p align="JUSTIFY">- Deploys spyware into a target’s machine</p>
<p align="JUSTIFY">- Monitors Gmail, Yahoo and all other HTTPS-based communications</p>
<p align="JUSTIFY">- Reconstructs webmails, chats, VoIP calls, news groups and social networks</p>
<p align="JUSTIFY"><b>4. mTrail: Off-The-Air Interception</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 MHz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in stealth mode, so that there is no dependence on the network operator and the target is unaware of the interception of its communications.</p>
<p align="JUSTIFY">The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.</p>
<p align="JUSTIFY">Target location identification is supported by using signal strength and target numbers, such as IMSI, TMSI, IMEI or MSISDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.</p>
<p align="JUSTIFY">In short, mTrail’s key features include the following:</p>
<p align="JUSTIFY">- Designed for passive interception of GSM communications</p>
<p align="JUSTIFY">- Intercepts Voice and SMS “off-the-air”</p>
<p align="JUSTIFY">- Detects the location of the target</p>
<p align="JUSTIFY">- Can be deployed as a fixed unit or mounted in a surveillance van</p>
<p align="JUSTIFY">- No support required from GSM operator</p>
<p align="JUSTIFY"><b>5. Astra: Remote Monitoring and Infection framework</b></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a></span> is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.</p>
<p align="JUSTIFY">The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment <i>without</i> requiring any physical access to the target device.</p>
<p align="JUSTIFY">In particular, Astra can push the bot to <i>any</i> targeted machine sharing the <i>same</i> LAN (wired, Wi-Fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which rules out the possibility of getting traced by the target.</p>
<p align="JUSTIFY">Astra’s key features include the following:</p>
<p align="JUSTIFY">- Proactive intelligence gathering</p>
<p align="JUSTIFY">- End-to-end remote infection and monitoring framework</p>
<p align="JUSTIFY">- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots</p>
<p align="JUSTIFY">- Designed for centralized management of thousands of targets</p>
<p align="JUSTIFY">- A wide range of deployment mechanisms to optimize success ratio</p>
<p align="JUSTIFY">- Non-traceable, non-detectable delivery mechanism</p>
<p align="JUSTIFY">- Intrusive yet stealthy</p>
<p align="JUSTIFY">- Easy interface for handling most complex tasks</p>
<p align="JUSTIFY">- Successfully tested over the current top 10 anti-virus available in the market</p>
<p align="JUSTIFY">- No third party dependencies</p>
<p align="JUSTIFY">- Free from any back-door intervention</p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail Technologies argue that they meet lawful interception regulatory requirements</span></a> across the globe. In particular, they claim that their products are compliant with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <a href="http://cryptome.org/laes/calea-require.pdf"><span style="text-decoration: underline;">CALEA regulations</span></a> and that they can efficiently cater to region-specific requirements as well.</p>
<p align="JUSTIFY">The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as <a href="http://wikileaks.org/spyfiles3.html#an1"><span style="text-decoration: underline;">Telesoft Technologies</span></a>, <a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf"><span style="text-decoration: underline;">AGT International</span></a> and <a href="http://wikileaks.org/spyfiles3.html#an1"><span style="text-decoration: underline;">Verint Systems</span></a>. In particular, <a href="http://verint.com/"><span style="text-decoration: underline;">Verint Systems</span></a> has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:</p>
<p align="JUSTIFY">- Impact 360 Speech Analytics</p>
<p align="JUSTIFY">- Impact 360 Text Analytics</p>
<p align="JUSTIFY">- Nextiva Video Management Software (VMS)</p>
<p align="JUSTIFY">- Nextiva Physical Security Information Management (PSIM)</p>
<p align="JUSTIFY">- Nextiva Network Video Recorders (NVRs)</p>
<p align="JUSTIFY">- Nextiva Video Business Intelligence (VBI)</p>
<p align="JUSTIFY">- Nextiva Surveillance Analytics</p>
<p align="JUSTIFY">- Nextiva IP cameras</p>
<p align="JUSTIFY">- CYBERVISION Network Security</p>
<p align="JUSTIFY">- ENGAGE suite</p>
<p align="JUSTIFY">- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)</p>
<p align="JUSTIFY">- RELIANT</p>
<p align="JUSTIFY">- STAR-GATE</p>
<p align="JUSTIFY">- VANTAGE</p>
<p align="JUSTIFY">While <a href="http://verint.com/"><span style="text-decoration: underline;">Verint Systems</span></a> claims to be in compliance with ETSI, CALEA and other worldwide lawful interception standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism without violating individuals’ right to privacy and other human rights. After all, <a href="http://www.issworldtraining.com/iss_europe/"><span style="text-decoration: underline;">Verint Systems has participated in ISS World trade shows</span></a> which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.</p>
<h2><b>And what do the latest Spy Files mean for India?</b></h2>
<p align="JUSTIFY">Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:</p>
<p align="JUSTIFY">1. The Central Monitoring System (CMS)</p>
<p align="JUSTIFY">2. Is any of this surveillance even legal in India?</p>
<p align="JUSTIFY">3. Can such surveillance result in the violation of human rights?</p>
<h3><b>Spy Files 3...and the Central Monitoring System (CMS)</b></h3>
<p align="JUSTIFY">Following the <a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">Mumbai 2008 terrorist attacks</a>, the Telecom Enforcement, Resource and Monitoring (TERM) cells and the Centre for Development of Telematics (C-DOT) started preparing the <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a>. As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISPs and telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the <a href="http://www.dot.gov.in/licensing/access-services">Unified Access Services (UAS) License Agreement</a>.</p>
<p align="JUSTIFY">The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is <a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon"><span style="text-decoration: underline;">Rs. 4 billion</span></a>. In addition to <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"><span style="text-decoration: underline;">equipping government agencies</span></a> with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements <a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"><span style="text-decoration: underline;">regional Internet Monitoring Systems, such as that of Assam</span></a>, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.</p>
<p align="JUSTIFY">However, data monitored and collected through the CMS will be stored in a <a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access"><span style="text-decoration: underline;">centralised database</span></a>, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"><span style="text-decoration: underline;">the bigger the amount of data, the bigger the probability of an error in matching profiles</span></a>, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The <a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"><span style="text-decoration: underline;">UAS License Agreement regarding the CMS</span></a> mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.</p>
<p align="JUSTIFY">Interestingly enough, Indian law enforcement agencies which attended <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last year’s ISS World trade shows</a></span> are linked to the Central Monitoring System. In particular, last year’s law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies which will have access to the CMS</a></span>: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.</p>
<p align="JUSTIFY">Furthermore, Spy Files 3 contains a <a href="http://wikileaks.org/spyfiles3.html#an1">list of last year’s ISS World security company attendees</a>, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">solutions for targeted and mass monitoring of IP and voice networks</a>, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.</p>
<p align="JUSTIFY">In fact, ClearTrail states in its brochure that its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ComTrail product</a> is equipped to handle millions of communications per day, while its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail product</a> can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Astra”</a> is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Central Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells targeted and mass monitoring products to law enforcement agencies. The Central Monitoring System is currently being implemented. What are the odds that ClearTrail is <i>not</i> equipping the CMS? And what are the odds that such technology is <i>not</i> being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?</p>
<h3><b>Spy Files 3...and the legality of India’s surveillance technologies</b></h3>
<p align="JUSTIFY">ClearTrail Technologies’ <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">brochure</span></a> - the only leaked document on Indian surveillance technology in the latest Spy Files - states that the company complies with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA regulations</a></span>. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply <i>within</i> India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.</p>
<p align="JUSTIFY">India has five laws which regulate surveillance:</p>
<p align="JUSTIFY">1. The <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act</a></span>, 1885</p>
<p align="JUSTIFY">2. The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian Post Office Act</a></span>, 1898</p>
<p align="JUSTIFY">3. The <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian Wireless Telegraphy Act</a></span>, 1933</p>
<p align="JUSTIFY">4. The <span style="text-decoration: underline;"><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Code of Criminal Procedure (CrPC)</a></span>, 1973: Section 91</p>
<p align="JUSTIFY">5. The <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act</a></span>, 2008</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian Post Office Act</a></span> does not cover electronic communications and the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian Wireless Telegraphy Act</a></span> lacks procedures which would determine if surveillance should be targeted or not. Neither the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act</a></span> nor the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act</a></span> covers mass surveillance; both are limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary of the department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.</p>
<p align="JUSTIFY">The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a public emergency or for public safety</a>. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.</p>
<p align="JUSTIFY">The interception of Internet communications is mainly covered by the <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">2009 Rules under the Information Technology Act 2008, and Sections 69 and 69B</a> are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaks national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.</p>
<p align="JUSTIFY">While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the <i>mass</i> surveillance of communications. In other words, ClearTrail’s products, such as <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a>, which enable the mass interception of IP networks, lack legal backing. However, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Unified Access Services (UAS) License Agreement</a></span> regarding the Central Monitoring System mandates mass surveillance and requires ISPs and Telecom operators to comply.</p>
<p align="JUSTIFY">Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">even without a warrant</a>, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength or of target numbers like IMSI, TMSI, IMEI or MSISDN, which can be captured through ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> product.</p>
<p align="JUSTIFY"><span>More importantly, following <a class="external-link" href="http://www.financialexpress.com/news/states-begin-to-surrender-offair-phone-snooping-equipment/957859">allegations</a> that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all such equipment imported over a ten-year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since then, the Home Ministry has informed the heads of law enforcement agencies that there has been a <a class="external-link" href="http://m.indianexpress.com/news/state-govts-hand-over-few-offair-phonetapping-sets-to-centre/1185166/">complete ban on use of such equipment</a> and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring, is illegal and Indian law enforcement agencies are prohibited from using it.</span></p>
<p align="JUSTIFY">ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“Astra”</a> product is capable of remote infection and monitoring, and can push a bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such <a href="http://www.dot.gov.in/licensing/access-services"><span style="text-decoration: underline;">licenses</span></a> mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is technically legal or not. The <a class="external-link" href="http://www.auspi.in/policies/UASL.pdf">UAS License agreement</a> mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.</p>
<p align="JUSTIFY">The issue of data retention arises from <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail’s leaked brochure</a>. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.</p>
<p align="JUSTIFY"><a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 7 of the Information Technology (Amendment) Act, 2008</a>, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.</p>
<p align="JUSTIFY">Data retention requirements for service providers are included in the <a href="https://cis-india.org/internet-governance/blog/data-retention-in-india" class="external-link">ISP and UASL licenses</a> and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.</p>
<p align="JUSTIFY">India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail’s spy products</a></span> are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception - but they are mandated through the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License agreement</a></span> regarding the Central Monitoring System.</p>
<p align="JUSTIFY">In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the <a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License Agreement</a> mandate mass surveillance, the laws, particularly the 2009 Information Technology Rules, mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this makes mass surveillance neither legal nor illegal, but rather a grey area. Furthermore, while <a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">India’s Telegraph Act</a>, <a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology Act</a> and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.</p>
<p align="JUSTIFY">One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appears to create a grey zone for the expansion of mass surveillance in the country. According to <span style="text-decoration: underline;"><a href="http://www.outlookindia.com/article.aspx?265192">Saikat Datta</a></span>, an investigative journalist, a senior privacy telecom official stated:</p>
<blockquote class="italized">“<i>Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?” </i></blockquote>
<h3><b>Spy Files 3...and human rights in India</b></h3>
<p align="JUSTIFY">The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.</p>
<p align="JUSTIFY">In particular, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a></span> enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.</p>
<p align="JUSTIFY">And indeed, carrying a mobile phone is like carrying a GPS device, especially since <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions which arise, though, are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we are all suspicious until proven innocent.</a></span></p>
<p align="JUSTIFY">And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">Astra</span></a>. Having physical access to a targeted device is a conventional surveillance means of the past. Today, Astra can <i>remotely</i> push a bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we should all have something to hide!</a></span></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">Privacy protects us from abuse from those in power</a></span> and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance.
After all, mass surveillance - especially the type undertaken by <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail’s products</a></span> - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.</p>
<p align="JUSTIFY">And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, <span style="text-decoration: underline;"><a href="http://www.timeshighereducation.co.uk/402844.article">a UK student studying Islamic terrorism for his Masters dissertation was detained for six days.</a></span> The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.</p>
<p align="JUSTIFY">This incident reveals several concerning points. The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminatory approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications for freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.</p>
<p align="JUSTIFY">This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">“have something to hide”</a></span>, as that is the only way to protect us from abuse by those in power.</p>
<p align="JUSTIFY">In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is that surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the <a class="external-link" href="https://en.necessaryandproportionate.org/text">International Principles on Communications Surveillance and Human Rights.</a></p>
<p align="JUSTIFY">Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.</p>
<p align="JUSTIFY">This article was <a class="external-link" href="http://www.medianama.com/2013/11/223-spy-files-3-wikileaks-sheds-more-light-on-the-global-surveillance-industry-cis-india/">cross-posted in Medianama </a>on 6th November 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/spy-files-three'>https://cis-india.org/internet-governance/blog/spy-files-three</a>
</p>
No publisher; maria; Privacy; Internet Governance; SAFEGUARDS; Featured; Homepage; 2013-11-14T16:21:00Z; Blog Entry
Why 'Facebook' is More Dangerous than the Government Spying on You
https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you
<b>In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook. </b>
<p align="JUSTIFY"><i>Do you have a profile on Facebook?</i> Almost every time I ask this question, the answer is ‘yes’. In fact, I think the number of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:</p>
<p align="JUSTIFY">“<i>Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”</i></p>
<h2><span><b>The Indian Surveillance State</b></span></h2>
<p align="JUSTIFY">Following <span style="text-decoration: underline;"><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">Snowden’s revelations</a></span>, there’s finally been more talk about surveillance. But what is surveillance?</p>
<p align="JUSTIFY">David Lyon - who directs the <span style="text-decoration: underline;"><a href="http://www.sscqueens.org/">Surveillance Studies Centre</a></span> - <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">defines surveillance</a></span> as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”</i>. <a href="http://www.polity.co.uk/book.asp?ref=9780745635910"><span style="text-decoration: underline;">Surveillance</span></a> can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.</p>
<h3><b>State Surveillance</b></h3>
<p align="JUSTIFY">The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a <i>real </i>issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!</p>
<p align="JUSTIFY">The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:</p>
<p align="JUSTIFY">1. They create surveillance schemes, such as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a></span>, which carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">2. They create laws, guidelines and license agreements, such as the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act 2008</a></span>, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply</p>
<p align="JUSTIFY">3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.</p>
<p align="JUSTIFY">In particular, surveillance in India is regulated under five laws: the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act 1885</a></span>, the <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian Post Office Act 1898</a></span>, the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian Wireless Telegraphy Act 1933</a></span>, <span style="text-decoration: underline;"><a href="http://indiankanoon.org/doc/911085/">section 91 of the 1973 Code of Criminal Procedure (CrPc)</a></span> and the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act 2008</a></span>. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance, which means that technically it is neither allowed nor prohibited, but remains a grey legal area.</p>
<p align="JUSTIFY">While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act 2008</a></span> allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.</p>
<p align="JUSTIFY">Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in <a href="http://www.ministryoflies.com/1984.pdf"><span style="text-decoration: underline;">“1984”</span></a>. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The <span style="text-decoration: underline;"><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">arrest of two Indian women last November over a Facebook post</a></span> reminds us of this.</p>
<p align="JUSTIFY">Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS License Agreement regarding the Central Monitoring System (CMS)</a></span> not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. 
Furthermore, the Department of Telecommunications has issued <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/data-services/internet-services">numerous guidelines and license agreements for ISPs and telecom operators</a></span>, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. 
And then, of course, there’s the new <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">National Cyber Security Policy</a></span>, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.</p>
<p align="JUSTIFY">As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">India’s Computer Emergency Response Team (CERT)</a></span> is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://ncrb.gov.in/cctns.htm">Crime and Criminal Tracking Network & Systems (CCTNS)</a></span> is a project to create a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.</p>
<p align="JUSTIFY">Similarly, the <span style="text-decoration: underline;"><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid (NATGRID)</a></span> is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.</p>
<p align="JUSTIFY">However, the most controversial surveillance scheme being implemented in India is probably the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a></span> (CMS). While several states, such as Assam, already have <span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Internet Monitoring Systems</a></span> in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. 
Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.</p>
<p align="JUSTIFY">And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">surveillance industry in India</a></span> is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. 
According to <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CIS’ India Privacy Monitor Map</a></span> - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the <span style="text-decoration: underline;"><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">DRDO’s “Netra”</a></span> - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.</p>
<p align="JUSTIFY">But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, <span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail Technologies</a></span> is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">surveillance software</a></span> which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can clearly be seen at the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS surveillance trade shows</a></span>, otherwise known as “the wiretappers’ ball”.</p>
<h3><b>Corporate Surveillance</b></h3>
<p align="JUSTIFY">When I ask people about corporate surveillance, the answer I usually get is: <i>“Corporations only care about their profit - they don’t do surveillance per se”</i>. And while that may be true, <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">David Lyon’s definition of surveillance</a></span> - as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” </i>- may indicate otherwise.</p>
<p align="JUSTIFY">Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">allow law enforcement to tap into their servers</a></span>. 
Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - supplied by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.</p>
<p align="JUSTIFY">So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance involves the collection of personal data</a></span> - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. 
While this last point is probably open to wide debate, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, <i>is</i> surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">“if the product is free, you are the product”</a></span>.</p>
<p align="JUSTIFY">Now if we look at online corporations more closely, we can probably identify three categories:</p>
<p align="JUSTIFY">1. Websites through which we <i>buy products </i>and hand over our personal details - e.g. Amazon</p>
<p align="JUSTIFY">2. Websites through which we <i>use services</i> and hand over our personal details - e.g. booking a flight ticket</p>
<p align="JUSTIFY">3. Websites through which we <i>communicate</i> and hand over our personal details - e.g. Facebook</p>
<p align="JUSTIFY">And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:</p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">Disclose such data to law enforcement agencies</a></span></p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">Allow law enforcement agencies to tap into their servers</a></span></p>
<p align="JUSTIFY">- Sell such data to “third parties”</p>
<p align="JUSTIFY">What’s notable about so-called corporate surveillance is that, in all cases, there is a common, key element: we <span style="text-decoration: underline;"><a href="https://www.eff.org/wp/know-your-rights"><i>consent</i> to the handing over of our personal information</a></span>. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. What significantly differentiates state surveillance from corporate surveillance is the factor of <i>“choice”</i>. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications and collects and stores our personal data.</p>
<h2 align="JUSTIFY"><span><b>State Surveillance </b></span><i><b>vs.</b></i><span><b> Corporate Surveillance</b></span></h2>
<p align="JUSTIFY">Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is worth noting that Facebook, in particular, <span style="text-decoration: underline;"><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">collects 20 times more data per day</a></span> than the NSA in total. In addition, Facebook has <a href="http://www.ft.com/cms/s/0/7536d216-0f36-11e3-ae66-00144feabdc0.html#axzz2jDSrZPHv"><span style="text-decoration: underline;">claimed</span></a> that it has received more demands from the US government for information about its users than from all other countries combined. 
In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.</p>
<p align="JUSTIFY">Surveillance is not just about “spying” or about “watching people” - it’s about much, much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the <span style="text-decoration: underline;"><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"><i>analysis</i> of data</a></span>, which in turn involves <span style="text-decoration: underline;"><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">pattern matching and profiling</a></span>, which can potentially have actual, real-world implications - good or bad. But such analysis is not possible without access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? 
Simple: Because <i>we “choose”</i> to hand over our data!</p>
<p align="JUSTIFY">Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can be widely debated. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: <a href="http://edition.cnn.com/2010/TECH/04/14/oppmann.off.the.grid/"><i><span style="text-decoration: underline;">convenience</span></i></a>. Today, in most cases, we hand over our personal data online in exchange for products or services because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.</p>
<p align="JUSTIFY">The irony in all of this is that, while many people reacted to <span style="text-decoration: underline;"><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">Snowden’s revelations</a></span> on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but at the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - are what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.</p>
<p align="JUSTIFY">In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a <i>direct</i> threat to our human rights, which means that it’s likely that we will resist it at some point. People usually react to what they perceive as a direct threat, whereas <span style="text-decoration: underline;"><a href="https://www.schneier.com/essay-155.html">they rarely react to what does not directly affect them</a></span>. 
For example, one may perceive murder or suicide as a direct threat due to the immediacy of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen only in the long term. It’s somewhat like that with surveillance.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">University students have protested on the streets against the installation of CCTV cameras</a></span>, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:</p>
<p align="JUSTIFY">- Personal photos</p>
<p align="JUSTIFY">- Biometrics (possibly through photos)</p>
<p align="JUSTIFY">- Family members</p>
<p align="JUSTIFY">- Friends and acquaintances</p>
<p align="JUSTIFY">- Habits, hobbies and interests</p>
<p align="JUSTIFY">- Location (through IP address)</p>
<p align="JUSTIFY">- Places visited</p>
<p align="JUSTIFY">- Economic standing (based on pictures, comments, etc.)</p>
<p align="JUSTIFY">- Educational background</p>
<p align="JUSTIFY">- Ideas and opinions (which may be political, religious, etc.)</p>
<p align="JUSTIFY">- Activities</p>
<p align="JUSTIFY">- Affiliations</p>
<p align="JUSTIFY">The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">we can never really know how much data we are disclosing</a></span>, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data that we may not be aware of. <i>It all really comes down to who is looking at our data, when and why.</i></p>
<p align="JUSTIFY">For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is <span style="text-decoration: underline;"><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">“Anarchism and other Essays”</a></span> by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.</p>
<p align="JUSTIFY">In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the poverty line, there is a high probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist anarchist. While that may be viewed as unimportant information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.</p>
<p align="JUSTIFY">Today, governments don’t judge us and take decisions based on our version of our data, but <span style="text-decoration: underline;"><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">based on what our data says about us</a></span>. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.</p>
<p align="JUSTIFY">Most companies <span style="text-decoration: underline;"><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">retain data indefinitely or for a long period of time</a></span>, which means that future, potentially less-democratic governments may have access to it. 
And the worst part is that we can never really know what data is being held about us, because within data analysis, <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/spy-files-three">every bit of data may potentially entail various other bits of data that we are not even aware of</a></span>. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. 
This is why I agree with Bruce Schneier’s argument that people have an <span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"><i>illusionary sense of control</i></a></span> over their personal data.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">Social network analysis software</a></span> is specifically designed to mine the huge volumes of data that are collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to <span style="text-decoration: underline;"><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf">match patterns</a></span>. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.</p>
<p align="JUSTIFY">In data mining, <span style="text-decoration: underline;"><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf">behavioural statistics</a></span> are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individual’s data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we <span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">voluntarily disclose massive amounts of data</a></span> about ourselves - is that it appears to come down to <i>public control</i>.</p>
<p align="JUSTIFY">According to security expert Bruce Schneier, <span style="text-decoration: underline;"><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">data today is a byproduct of the Information Society</a></span>. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an <i>indirect</i> threat - if considered to be a threat at all. It is more likely that people will resist a direct threat than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.</p>
<p align="JUSTIFY">Hannah Arendt argued that a main prerequisite and component of totalitarian power is <span style="text-decoration: underline;"><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">support by the masses</a></span>. Today, surveillance appears to be socially integrated within societies, which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated and requires in-depth research of its own, a few simple facts might be adequate to prove it at this stage. Firstly, <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CCTV cameras</a></span> are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as <span style="text-decoration: underline;"><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Spy Coca Cola cans</a></span> - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the <span style="text-decoration: underline;"><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">Central Monitoring System</a></span> in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access <i>choose</i> to share their personal data through the use of social networking sites.</p>
<p align="JUSTIFY">Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just <span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">convenient to be on Facebook</a></span>. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.</p>
<p align="JUSTIFY">In the long term, what does this mean? Well, it seems like we will probably be <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">more acceptive towards more authoritarian power</a></span>, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.</p>
<p align="JUSTIFY">What’s particularly interesting though about surveillance today is that it is fueled and <span style="text-decoration: underline;"><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">enabled through our freedom of speech and general Internet freedom</a></span>. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder the Chinese government has gone the extra mile in creating the <span style="text-decoration: underline;"><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Chinese versions of Facebook and Twitter</a></span> - it’s probably no coincidence.</p>
<p align="JUSTIFY">While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements, which often mandate that they create backdoors for spying on us, and security companies for creating the surveillance gear in the first place, at the end of the day we are all equally a part of this mess. If we didn’t <i>choose</i> to hand over our personal data to begin with, none of the above would have been possible.</p>
<p align="JUSTIFY">The real danger in the Digital Age is not necessarily surveillance per se, but our <i>choice</i> to voluntarily disclose our personal data.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you'>https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you</a>
</p>
No publisher, maria, SAFEGUARDS, Internet Governance, Privacy, 2013-11-23T08:38:30Z, Blog Entry
State Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications metadata to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated.</li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a>.</p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority.</p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.</p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.</p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The government's ability to surveil communications and the process for surveillance should be transparent to the public.</p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.</p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications, governments cannot require service providers to build in surveillance or monitoring capabilities.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to deter unwarranted surveillance of communications.</p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. The sensitivity of communication data, the ability to derive personal information from it, the ease with which law enforcement accesses it, and the individual's unawareness of that access together place the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">The ways in which governments and law enforcement access information, and the associated challenges, were discussed both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments, for a number of reasons. For example, in many cases communications, transactions, etc. that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to surveil individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example, in 2012 it was found that FinSpy, computer espionage software made by the British company Gamma Group, was being used by the Government of Bahrain to target political dissidents. FinSpy has the ability to capture computer screenshots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting both the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
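<p style="text-align: justify; ">The difference between inspecting only the packet header and inspecting the packet content, as described above, is shown in the following added Python example, which is not part of the original post. The addresses, ports, function names and sample payloads are constructed for illustration.</p>

```python
import socket
import struct

# What a header-only classifier would assume from the destination port.
PORT_GUESS = {80: "http", 443: "tls"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}


def build_packet(src, dst, sport, dport, payload):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_headers(packet):
    """Header inspection: return the flow tuple and the raw TCP payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    if len(packet) < ihl + 20 or total_len > len(packet):
        raise ValueError("truncated TCP segment")
    sport, dport, _, _, offset = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
    data_start = ihl + (offset >> 4) * 4
    if (offset >> 4) < 5 or data_start > total_len:
        raise ValueError("bad TCP data offset")
    flow = (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    return flow, packet[data_start:total_len]


def classify_payload(payload):
    """Payload inspection: identify the application from the bytes themselves."""
    if payload.startswith(HTTP_METHODS):
        for line in payload.split(b"\r\n")[1:]:
            if not line:  # blank line ends the header section
                break
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                return "http", value.strip().decode("ascii", "replace")
        return "http", ""
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        # The 5-byte record header is cleartext even when the body is encrypted.
        return "tls", TLS_RECORD_TYPES[payload[0]]
    return "unknown", ""


def inspect(packet):
    """Combine both views: the port-based guess and the payload-based result."""
    flow, payload = parse_headers(packet)
    app, detail = classify_payload(payload)
    return {"flow": flow, "port_guess": PORT_GUESS.get(flow[3], "unknown"),
            "app": app, "detail": detail}


# Constructed sample traffic (documentation address ranges, made-up ports).
HTTP_ON_ODD_PORT = build_packet(
    "192.0.2.10", "198.51.100.7", 40000, 8080,
    b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n")
TLS_APP_DATA = build_packet(
    "192.0.2.10", "198.51.100.7", 40001, 443,
    b"\x17\x03\x03\x00\x05" + b"\xaa" * 5)

if __name__ == "__main__":
    for pkt in (HTTP_ON_ODD_PORT, TLS_APP_DATA):
        print(inspect(pkt))
```

<p style="text-align: justify; ">The first packet is HTTP on a non-standard port, which the port-based guess misses and payload inspection identifies along with the requested host; the second is an encrypted TLS record, where only the protocol and record type are recoverable.</p>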
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISPs to provide DPI capabilities; thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy that allow governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid, as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that relevant legislation increasingly contains provisions that have generic access standards and unclear authorization processes, and that provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries, including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. Available at: <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner, M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>]. Chirgwin, R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisher | elonnai | Internet Governance | SAFEGUARDS | 2013-07-12T16:02:51Z | Blog Entry
Report on the 3rd Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting
<b>This report provides an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of its work with Privacy International UK on the SAFEGUARDS project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "><span>Following the first two Privacy Round Tables in Delhi and Bangalore, this report provides an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18</span><sup>th</sup><span> May 2013.</span></p>
<h2><b>Overview of DSCI's paper on 'Strengthening Privacy Protection through Co-Regulation'</b></h2>
<p style="text-align: justify; ">The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATGRID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.</p>
<p style="text-align: justify; ">The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.</p>
<p style="text-align: justify; ">In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers <i>choose </i>to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.</p>
<p style="text-align: justify; ">The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.</p>
<p style="text-align: justify; ">The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals' data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.</p>
<p style="text-align: justify; ">The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.</p>
<p style="text-align: justify; ">Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.</p>
<p style="text-align: justify; ">Co-regulation was once again supported by the DSCI through the argument that customers <i>choose </i>to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of <i>incentives</i> companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.</p>
<h1 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h1>
<h2 style="text-align: justify; ">Discussion of definitions: Chapter II</h2>
<p style="text-align: justify; ">The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.</p>
<p style="text-align: justify; ">The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term 'sensitive personal data' and it was recommended that the Indian draft Privacy (Protection) Bill comply with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for 'sensitive personal data' to safeguard individuals from potential abuse. Furthermore, the fact that the term 'sensitive personal data' is not harmonised between the U.S. and Europe was raised, especially since that would make it more difficult for India to comply with global privacy standards.</p>
<p style="text-align: justify; ">The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals' personal data. It was also argued that when an individual is constantly under surveillance, that individual's behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers.</p>
<p style="text-align: justify; "><b>Issue of Consent</b></p>
<p style="text-align: justify; ">The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in Section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data held about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.</p>
<p style="text-align: justify; "><b>Outsourcing of Data</b></p>
<p style="text-align: justify; ">It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.</p>
<p style="text-align: justify; ">Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.</p>
<p style="text-align: justify; "><b>Data Retention</b></p>
<p style="text-align: justify; ">It was argued that 50,000 arrests have been made under the powers given by POTA. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.</p>
<p style="text-align: justify; ">It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change over time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that it should not only apply to present data, but also to past data, such as archives.</p>
<p style="text-align: justify; "><b>Data Processing</b></p>
<p style="text-align: justify; ">The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.</p>
<p style="text-align: justify; "><b>Data Disclosure</b></p>
<p style="text-align: justify; ">The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.</p>
<p style="text-align: justify; ">According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be vested in the High Court in terms of data disclosure.</p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs privacy legislation and that individuals' data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers' data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of privacy legislation which would safeguard individuals' personal data. The major issue, however, with the creation of privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:35:22Z | Blog Entry
The Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!
https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers
<b>Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post presents primary data from the first ever investigation of the surveillance industry in India. Check it out!</b>
<hr />
<p style="text-align: justify; ">This blog post has been <a class="external-link" href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cross-posted</a> in Medianama on May 8, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">So yes, we live in an <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">Internet Surveillance State</a>. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveil us in the first place?</p>
<p style="text-align: justify; "><span>Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it</span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"> lacks privacy legislation </a><span>which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.</span></p>
<p style="text-align: justify; "><span>The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?</span></p>
<h2><b>A glimpse of the surveillance industry in India</b></h2>
<p style="text-align: justify; "><span>In light of the </span><a href="http://uidai.gov.in/">UID scheme</a><span>, the </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid</a><span> (NATGRID), the </span><a href="http://ncrb.nic.in/cctns.htm">Crime and Criminal Tracking Network System</a><span> (CCTNS) and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a><span> (CMS), who supplies law enforcement agencies with the technology to surveil us?</span></p>
<p style="text-align: justify; "><span>In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. These companies were randomly selected to reduce the probability of research bias. Out of the 100 companies initially selected, 76 turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies </span><a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">simultaneously produce internet monitoring software and encryption tools</a><span>! Thus it would probably not be fair to label companies as 'surveillance technology companies' per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.</span></p>
<p style="text-align: justify; ">Companies selling surveillance technology in India are listed in <a href="https://cis-india.org/internet-governance/blog/table-1.pdf" class="internal-link">Table 1</a>. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.</p>
<p style="text-align: justify; "><span><a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> shows the types of surveillance technology produced and sold by these 76 companies.</span></p>
<p style="text-align: justify; ">The graph below is based on <a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> and shows which types of surveillance are produced the most by the 76 companies.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_Surveillancetechgraph.png" alt="Surveillance Graph" class="image-inline" title="Surveillance Graph" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Graph on types of surveillance sold to law enforcement agencies by 76 companies in India</p>
<p style="text-align: justify; "><span>Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the </span><a href="http://www.economist.com/node/21542814">UID scheme</a><span> which is rapidly expanding across India. Only </span><a href="http://www.clear-trail.com/">one company</a><span> from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a><span>, especially since the project would have to monitor and mine Big Data.</span></p>
<p style="text-align: justify; "><span>On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since </span><a href="https://opennet.net/research/profiles/india">the majority of the population in India does not even have Internet access</a><span>. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while </span><a href="http://www.thehindu.com/news/national/half-of-indias-homes-have-cellphones-but-not-toilets/article2992061.ece">more than half the population owns mobile phones</a><span>. Seeing as companies, such as </span><a href="http://www.clear-trail.com/">ClearTrail Technologies</a><span> and </span><a href="http://www.shoghicom.com/">Shoghi Communications</a><span>, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.</span></p>
<h2>Did you Know:</h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/spywarepic.jpg" alt="Spyware" class="image-inline" title="Spyware" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>CARLOS62 on flickr </span></p>
<ol>
<li>WSS Security Solutions Pvt. Ltd. is <a href="http://www.wssgroup.in/aboutus.html">north India´s first CCTV zone</a></li>
<li>Speck Systems Limited was <a href="http://www.specksystems.com/sub-links/Strengths/core-strengths-UAV.htm">the first Indian company to design, manufacture and fly a micro UAV indigenously</a></li>
<li>Mobile Spy India (Retina-X Studios) has the following <a href="http://www.mobilespy.co.in/">mobile spying features</a>: </li>
</ol>
<ul>
<li><i>SniperSpy</i>: remotely monitors smartphones and computers from any location</li>
</ul>
<ul>
<li><i>Mobile Spy: </i>monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces</li>
</ul>
<p>4. Infoserve India Private Limited produces an <a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">Internet Monitoring System</a> with the following features:</p>
<ul>
<li>Intelligence gathering for an entire state or a region</li>
<li>Builds a chain of suspects from a single start point</li>
<li>Data loss of less than 2%</li>
<li>2nd Generation Interception System</li>
<li>Advanced link analysis and pattern matching algorithms</li>
<li>Completely Automated System</li>
<li>Data Processing of up to 10 G/s</li>
<li>Automated alerts on the capture of suspicious data (usually based on keywords)</li>
</ul>
<p>5. ClearTrail Technologies deploys <a href="https://www.documentcloud.org/documents/409231-111-cleartrail.html#document/p3/a68269">spyware into a target´s machine</a><br />6. Spy Impex sells <a href="http://www.tradedir.in/s/coca-cola-tin-camera">Coca Cola Tin Cameras</a>!<br />7. Nice Deal also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and <a href="http://www.indiamart.com/nicedeal/spy-hidden-cameras.html">Lighter Video Cameras</a> to name a few...<br />8. Raviraj Technologies is an Indian company which supplies <a href="http://www.ravirajtech.com/index.html">RFID and biometric technology</a> to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?</p>
<ul>
<li style="text-align: justify; ">Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further <a href="http://www.rogerclarke.com/DV/Biometrics.html">oppression</a> within these countries </li>
</ul>
<ul>
<li style="text-align: justify; ">Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards</li>
</ul>
<h2><b>“I´m not a terrorist, I have nothing to hide!”</b></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/surveillancetechpic.jpg" alt="Surveillance Tec" class="image-inline" title="Surveillance Tec" /></th>
</tr>
</tbody>
</table>
<p><span> </span><a href="http://www.flickr.com/photos/r1chard/">r1chardm</a> on flickr</p>
<p style="text-align: justify; ">It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:</p>
<blockquote class="italized"><i>“I´m not a terrorist, I have nothing to hide!”</i></blockquote>
<p style="text-align: justify; "><span>Indeed. You may not be a terrorist...and you may </span><i>think </i><span>you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?</span></p>
<p style="text-align: justify; "><span>Last year at the </span><a href="http://lcaunderthestars.org.au/programme/schedule">linux.conf.au</a><span>, </span><a href="http://www.youtube.com/watch?v=GMN2360LM_U">Jacob Appelbaum</a><span> stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. </span><a href="http://www.schneier.com/essay-155.html">Bruce Schneier</a><span> has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to entail ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.</span></p>
<p style="text-align: justify; "><span>That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, </span><a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">we are all potentially suspects</a><span>. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus we may ultimately end up being suspects ourselves. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called </span><a href="http://www.computerworld.com/s/article/9176265/Half_of_social_networkers_post_risky_information_study_finds_">´risky information´</a><span>. As long as our data is being surveilled, we are all suspects, which means that </span><a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239412">we can all potentially be arrested, interrogated and maybe even tortured</a><span>, just like any other criminal suspect.</span></p>
<p style="text-align: justify; "><span>But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The </span><a href="http://www.sourcesecurity.com/news/articles/co-1753-ga.4047.html">market appears to demand for surveillance technologies</a><span> because a pre-existing </span><a href="http://www.abc.net.au/tv/bigideas/stories/2012/04/16/3476847.htm">surveillance culture</a><span> has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as </span><a href="http://money.cnn.com/magazines/fortune/global500/2012/snapshots/284.html">3M</a><span>, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that </span><a href="http://www.sscqueens.org/davidlyon/">surveillance is being socially integrated</a><span>. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.</span></p>
<p style="text-align: justify; "><span>By not opposing repressive surveillance laws, the CCTV cameras in every corner and surveillance schemes - such as </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID </a><span>and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><span> in India - or by handing over our data, </span><a href="http://www.schneier.com/essay-167.html"><i>we </i></a><a href="http://www.schneier.com/essay-167.html">are fuelling the surveillance state</a><span>. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution </span><i>and </i><span>of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.</span></p>
<p style="text-align: justify; "><span>Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because </span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">India lacks privacy legislation </a><span>which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.</span></p>
<p style="text-align: justify; "><span>Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as </span><a href="http://www.ravirajtech.com/index.html">Raviraj Technologies</a><span>, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus </span><a href="https://www.privacyinternational.org/reports/our-response-to-eu-consultation-on-legality-of-exporting-surveillance-and-censorship-3">export controls</a><span> are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even </span><a href="http://edition.cnn.com/2013/03/15/world/asia/u-n-drone-objections">murdered</a><span> in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers'>https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers</a>
</p>
No publisher | maria | surveillance technologies, Internet Governance, SAFEGUARDS | 2013-07-12T11:59:10Z | Blog Entry
A Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills
<b>In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.</p>
<h2><b>Draft 2007 DNA Profiling Bill <i>vs.</i> Draft 2012 Human DNA Profiling Bill</b></h2>
<h3><b>1. </b><b>Composition of the DNA Profiling Board</b></h3>
<p><b>Amendment:</b> The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.</p>
<p><b>Analysis:</b> The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.</p>
<ul>
<li><b>DNA 2007 Bill (Section 4): </b><i>“The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The 
Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”</i><b> </b></li>
</ul>
<ul>
<li><b>DNA April 2012 Bill (Section 4): </b><i>“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member; (e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member (g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- ex-officio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New
Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary” </i></li>
</ul>
<h3><b>2. </b><b>Powers and functions of the Chief Executive Officer</b></h3>
<p><b>Amendment:</b> Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.</p>
<p><b>Analysis:</b> The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.</p>
<ul>
<li><b>DNA 2007 Bill (Section 11): </b><i>“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3) The Chief Executive Officer appointed under sub-section (1) shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”</i></li>
<li><b>DNA April 2012 Bill (Section 10): </b><i>“(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”</i></li>
</ul>
<h3><b>3. </b><b>Functions of the Board</b></h3>
<p><b>Amendment:</b> The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.</p>
<p><b>Analysis:</b> This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.</p>
<p><b>DNA 2007 Bill (Section 13(x)): </b><i>The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by</i><b> </b><i>law enforcement agencies;” </i><b> </b></p>
<p><b>DNA April 2012 Bill (Section 12(j)): </b><i>The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”</i></p>
<h3><b>4. </b><b>Regional DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.</p>
<p><b>Analysis:</b> This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(1)): </b><i>“The Central Government shall, by a notification published in the</i><b> </b><i>Gazette of India, establish a National DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(1)): </b><i>“The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.”</i></li>
</ul>
<h3><b>5. </b><b>Data sharing</b></h3>
<p><b>Amendment:</b> Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended: section 32(2) of the 2012 draft Human DNA Profiling Bill adds that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.</p>
<p><b>Analysis:</b> This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(2)): </b><i>“A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(2)): </b><i>“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”</i></li>
</ul>
<h3><b>6. </b><b>Data retention</b></h3>
<p><b>Amendment:</b> Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.</p>
<p><b>Analysis:</b> This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase the likelihood that they are subject to bias and lack transparency.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different laboratories in the format as may be specified by regulations.”</i></li>
<li><b>DNA April 2012 Bill (Section 32(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”</i></li>
</ul>
<h3><b>7. </b><b>Data Bank Manager</b></h3>
<p><b>Amendment:</b> Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out 'all operations of and concerning the National DNA Data Bank'.</p>
<p><b>Analysis:</b> These operations are not clearly specified, which could create a potential for abuse. The DNA Data Bank Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<ul>
<li><b>DNA 2012 Bill (Section 33): </b><i>“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board. (2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”</i></li>
</ul>
<h3><b>8. </b><b>Communication of DNA profiles to foreign agencies</b></h3>
<p><b>Amendment:</b> The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.</p>
<p><b>Analysis:</b> The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a 'crime investigation', which indicates that DNA profiles could be shared with international agencies for loosely defined 'criminal investigations' or even for civil proceedings. The lack of a strict definition of the term 'crime investigation', as well as the broad reference to foreign states and international agencies, raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.</p>
<ul>
<li><b>DNA 2007 Bill (Sections 35(2,3)): </b><i>“(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 36(1)): </b><i>“On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”</i></li>
</ul>
<h3><b>9. </b><b>Data destruction</b></h3>
<p><b>Amendment:</b> Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals' DNA data will be kept on a 'permanent basis', but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions as under the 2007 Bill.</p>
<p><b>Analysis:</b> This amendment indicates that Indians' DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give 'non-convicts' the opportunity to have their data deleted from the data bank.</p>
<ul>
<li><b>DNA 2007 Bill (Section 37): </b><i>“The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 37):</b><i>“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”</i><b> </b></li>
</ul>
<h3><b>10. </b><b>Use of DNA profiles and DNA samples and records</b></h3>
<p><b>Amendment:</b> Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to 'other civil matters' and 'other purposes', as specified by the regulations made by the DNA Profiling Board.</p>
<p><b>Analysis:</b> The vague use of the terms 'other civil matters' and 'other purposes' can create a potential for abuse, especially since the Board will not include an adequate number of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify <i>who </i>can be authorised to use DNA data under such conditions, which raises further concerns.</p>
<ul>
<li><b>DNA 2007 Bill (Section 39):</b> <i>“(1) All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified offence: Provided that such records or samples may be used to identify victims of accidents, disasters or missing persons or for such other purposes. (2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information which may be used to determine the identity of any person.”</i></li>
<li><b>DNA April 2012 Bill (Section 39): </b><i>“All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”</i><b> </b></li>
</ul>
<h3><b>11. </b><b>Availability of DNA profiles and DNA samples</b></h3>
<p><b>Amendment:</b> Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been added to the equivalent section of the 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes, among others.</p>
<p><b>Analysis:</b> 'Criminal cases' are loosely defined, which could make DNA data available in low-profile cases.</p>
<ul>
<li><b>DNA 2007 Bill (Section 40): </b><i>“The information on DNA profiles, samples and DNA identification records shall be made available only: (i) to law enforcement agencies for identification purposes in a criminal case; (ii) in judicial proceedings, in accordance with the rules of admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and protocol development, or for quality control provided that it does not contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”</i></li>
<li><b>DNA April 2012 Bill (Section 40):</b><i>“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”</i><b> </b></li>
</ul>
<h3><b>12. </b><b>Restriction on access to information in DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.</p>
<p><b>Analysis:</b> This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.</p>
<ul>
<li><b>DNA April 2012 Bill (Section 43): </b><i>“Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”</i><b> </b></li>
</ul>
<h3><b>13. </b><b>Board exemption from tax on wealth and income, profits and gains</b></h3>
<p><b>Amendment:</b> Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.</p>
<p><b>Analysis:</b> Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.</p>
<ul>
<li><b>DNA 2007 Bill (Section 53): </b><i>“(1) The DNA Profiling Board shall furnish to the Central Government at such time and in such form and manner as may be specified by rules or as the Central Government may direct, such returns and statements as the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling Board shall, within ninety days after the end of each financial year, submit to the Central Government a report in such form, as may be prescribed, giving a true and full account of its activities, policy and programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”</i></li>
<li><b>DNA April 2012 Bill (Section 62): “</b><i>Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”</i><b> </b></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills'>https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills</a>
</p>
No publisher | maria | SAFEGUARDS, Internet Governance, Privacy | 2013-07-12T15:32:08Z | Blog Entry
Hacking without borders: The future of artificial intelligence and surveillance
https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance
<b>In this post, Maria Xynou looks at some of DARPA's artificial intelligence surveillance technologies with regard to the right to privacy and their potential future use in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="Normal1">Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defense Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.</p>
<h2><b>Combat Zones That See (CTS)</b></h2>
<p><b><img src="http://farm5.staticflickr.com/4137/4749564682_9ab88cb4d1.jpg" /></b></p>
<p class="Normal1">Source: <a href="http://www.flickr.com/photos/swanksalot/">swanksalot</a> on flickr</p>
<p class="Normal1">Ten years ago DARPA started funding the <a href="http://www.freerepublic.com/focus/f-news/939608/posts">Combat Zones That See (CTS)</a> project, which aims to 'track everything that moves' within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which makes Big Brother a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish 'normal' from 'abnormal' behavior, as well as to discover links between 'places, subjects and times of activity' and to identify patterns. With the use of this software, the CTS constitutes the world's first multi-camera surveillance system which is capable of automatically analyzing video footage.</p>
<p class="Normal1">Although the CTS project was initially intended to be used solely for military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that <a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">40 million surveillance cameras were already in use around the world</a> by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. <a href="http://www.wired.com/politics/law/news/2003/07/59471">Police</a> in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.</p>
<p class="Normal1">However, if such a project were used for non-military purposes, it could raise concerns with regard to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals' knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition of 'normal' and 'abnormal' behaviour; thus, if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and is used beyond military purposes, there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.</p>
<h2><b>Mind's Eye</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8425/7775805386_8260b7836c.jpg" /></b></p>
<p class="Normal1">Source: <a href="http://www.flickr.com/photos/58687716@N05/">watchingfrogsboil</a> on flickr</p>
<p class="Normal1">A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA is creating: a <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">thinking camera</a>. The Mind's Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">'visual intelligence'</a>. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect 'abnormal' behavior, alert officials and analyze data in such a way that they are able to <a href="http://phys.org/news/2012-10-surveillance-tech-carnegie-mellon.html">predict future human activities and situations</a>.</p>
<p class="Normal1">Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects 'something suspicious' in the footage. Those days are over. <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">General James Cartwright</a>, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind's Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">operationally significant activity</a> and predicting outcomes.</p>
<p class="Normal1">Mounting these <a href="http://www.dailygalaxy.com/my_weblog/2011/01/minds-eye-darpas-new-thinking-camera-will-transform-the-world-of-surveillance.html">smart cameras on drones</a> is the initial plan; and while that would enable military operations, many ethical concerns have arisen with regard to whether such technologies should be used for 'civil purposes'. Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?</p>
<h2><b>SyNAPSE</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8230/8384110298_da510e0347.jpg" /></b></p>
<p class="Normal1">Source: <a href="http://www.flickr.com/photos/healthblog/">A Health Blog</a> on flickr</p>
<p class="Normal1">The <i>Terminator </i>could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the <a href="http://www.artificialbrains.com/darpa-synapse-program">Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE)</a> programme. Is DARPA funding the creation of the <i>Terminator</i>? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.</p>
<p class="Normal1">SyNAPSE is a programme which aims to develop <a href="http://celest.bu.edu/outreach-and-impacts/the-synapse-project">electronic neuromorphic machine technology</a> which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, having received <a href="http://www.artificialbrains.com/darpa-synapse-program">$102.6 million</a> in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE's objective is to create <a href="http://www.darpa.mil/Our_Work/DSO/Programs/Systems_of_Neuromorphic_Adaptive_Plastic_Scalable_Electronics_(SYNAPSE).aspx">biological neural systems</a> which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE's <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">cognitive computers</a> would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.</p>
<p class="Normal1">Although this original type of computational device could be beneficial to <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">predict natural disasters</a> and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.</p>
<p class="Normal1">Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.</p>
<h2><b>Brain-Computer Interface (BCI)</b></h2>
<p><b><br /></b></p>
<p><iframe frameborder="0" height="360" src="http://www.youtube.com/embed/qCSSBEXBCbY?feature=player_embedded" width="640"></iframe></p>
<p class="Normal1">Remember Orwell's '<i>Thought Police</i>'? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in <i>1984</i>. Unlike the '<i>Thought Police</i>', which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party's dogma, today, technologies are being developed which can <i>literally </i>read our thoughts.</p>
<p class="Normal1">Once again, DARPA appears to be funding one of the world's most innovative projects: the <a href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/">Brain-Computer Interface (BCI)</a>. The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI comprises a headset (an electroencephalograph, <a href="http://www.extremetech.com/wp-content/uploads/2012/08/brain-hacking-accuracy-chart.jpg">an EEG</a>) with sensors that rest on the human scalp, as well as software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely <i>thinking </i>of the action.</p>
<p class="Normal1">Ten years ago it was reported that the brains of <a href="http://www.newscientist.com/article/dn2237">rats</a> and <a href="http://news.bbc.co.uk/2/hi/health/3186850.stm">monkeys</a> could control robot arms through the use of such technologies. A few years later <a href="http://www.newscientist.com/article/dn4540">brainstem implants</a> were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as <a href="http://www.cyborgdb.org/mckeever.htm">to control robotic limbs with their thoughts</a>. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally <i>thinking </i>about them, while using a BCI.</p>
<p class="Normal1">Brain-controlled robotic limbs could change the lives of disabled persons, but <a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience">ethical concerns</a> have arisen with regard to the BCI's mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the Universities of Oxford and Geneva and the University of California, Berkeley, have created a custom programme that was specially designed with the sole purpose of finding out <a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data">sensitive data</a>, such as an individual's home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the <i>P300 response</i>, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to <a href="http://www.digitaltrends.com/cool-tech/this-is-your-brain-on-silicon/">DARPA</a>:</p>
<blockquote class="italized"><i>“When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.”</i></blockquote>
<p class="Normal1">This makes the human brain <a class="external-link" href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/">a new warfighting domain</a> of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through the BCI's scan for P300 responses and the literal control of military operations through the brain definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier's BCI during conflict is real and could lead to absolute chaos and destruction.</p>
<p class="Normal1">Security expert Barnaby Jack of IOActive demonstrated the <a href="http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt">vulnerability of biotechnological systems</a>, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.</p>
<p class="Normal1">Will BCI be used in the future to <a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience">interrogate terrorists and suspects</a>? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our <i>thoughts</i> - can potentially be hacked? Human rights are essential because they protect us from those in power; but the <i>privacy of our thoughts</i> is even more important, because without it, we can have no human rights, no individuality.</p>
<p class="Normal1">Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may make some of the scariest political novels look like comedies of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI, which can literally control our mind! Therefore, strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies are currently not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.</p>
<p class="Normal1">Apparently, anyone can <a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data">buy Emotiv or Neurosky BCI online</a> to mind control their computer for only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated... the future of privacy seems bleak.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance'>https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance</a>
</p>
No publisher, maria, SAFEGUARDS, Internet Governance, Privacy, 2013-07-12T15:30:27Z, Blog Entry