The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
State Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a><a href="http://necessaryandproportionate.net/">.</a></p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute. <b> </b></p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.<b> </b></p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes. <b> </b></p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority. <b> </b></p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose. <b> </b></p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.<b> </b></p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information. <b> </b></p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The governments ability to survey communications and the process for surveillance should be transparent to the public. <b> </b></p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications. <b> </b></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.<b> </b></p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply. <b> </b></p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications. <b> </b></p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; "><a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisherelonnaiInternet GovernanceSAFEGUARDS2013-07-12T16:02:51ZBlog EntryReport on the 3rd Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18th May 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><span>Following the first two Privacy Round Tables in Delhi and Bangalore, this report entails an overview of the discussions and recommendations of the third Privacy Round Table meeting in Chennai, on 18</span><sup>th</sup><span> May 2013.</span></p>
<h2><span><span><b>Overview of DSCI´s paper on ´Strengthening Privacy Protection through Co-Regulation´</b></span></span></h2>
<h2 style="text-align: justify; "></h2>
<p style="text-align: justify; ">The third Privacy Round Table meeting began with an overview of the paper on “Strengthening Privacy Protection through Co-Regulation” by the Data Security Council of India (DSCI). In particular, the DSCI pointed out that although the IT (Amendment) Act 2008 lays down the data protection provisions in the country, it has its limitations in terms of applicability, which is why a comprehensive privacy law is required in India. The DSCI provided a brief overview of the Report of the Group of Experts on Privacy (drafted in the Justice AP Shah Committee) and argued that in light of the UID scheme, NATRGID, DNA profiling and the Central Monitoring System (CMS), privacy concerns have arisen and legislation which would provide safeguards in India is necessary. However, the DSCI emphasized that although they support the enactment of privacy legislation which would safeguard Indians from potential abuse, the economic value of data needs to be taken into account and bureaucratic structures which would hinder the work of businesses should be avoided.</p>
<p style="text-align: justify; ">The DSCI supported the enactment of privacy legislation and highlighted its significance, but also emphasized that such a legal framework should support the economic value of data. The DSCI appeared to favour the enactment of privacy legislation as it would not only oblige the Indian government to protect individuals´ sensitive personal data, but it would also attract more international customers to Indian online companies. That being said, the DSCI argued that it is important to secure a context for privacy based on Indian standards, rather than on global privacy standards, since the applicability of global standards in India has proven to be weak. The privacy bill should cover all dimensions (including, but not limited to, interception and surveillance) and the misuse of data should be legally prevented and prohibited. Yet, strict regulations on the use of data could potentially have a negative effect on companies’ competitive advantage in the market, which is why the DSCI proposed a co-regulatory framework – if not self-regulation.</p>
<p style="text-align: justify; ">In particular, the DSCI argued that companies should be obliged to provide security assurances to their customers and that regulation should not restrict the way they handle customers´ data, especially since customers <i>choose </i>to use a specific service in every case. This argument was countered by a participant who argued that in many cases, customers may not have alternative choices for services and that the issue of “choice” and consent is complicated. Thus it was argued that companies should comply with regulations which restrict the manner with which they handle customers´ data. Another participant argued that a significant amount of data is collected without users´ consent (such as through cookies) and that in most cases, companies are not accountable in regards to how they use the data, who they share it with or how long they retain it. Another participant who also countered the co-regulatory framework suggested by the DSCI argued that regulations are required for smartphones, especially since there is currently very low accountability as to how SMS data is being used or shared. Other participants also argued that, in every case, individual consent should be acquired prior to the collection, processing, retention, and disclosure of data and that that individual should have the right to access his/her data and make possible corrections.</p>
<p style="text-align: justify; ">The DSCI firmly supported its position on co-regulation by arguing that not only would companies provide security assurances to customers, but that they would also be accountable to the Privacy Commissioner through the provision of a detailed report on how they handle their customers´ data. Furthermore, the DSCI pointed out that in the U.S. and in Europe, companies provide privacy policies and security assurances and that this is considered to be adequate. Given the immense economic value of data in the Digital Age and the severe effects regulation would have on the market, the DSCI argued that co-regulation is the best solution to ensure that both individuals´ right to privacy and the market are protected.</p>
<p style="text-align: justify; ">The discussion on co-regulation proceeded with a debate on what type of sanctions should be applied to those who do not comply with privacy regulations. However, a participant argued that if a self-regulatory model was enforced and companies did not comply with privacy principles, the question of what would happen to individuals´ data would still remain. It was argued that neither self-regulation nor co-regulation provides any assurances to the individual in regards to how his/her data is protected and that once data is breached, there is very little that can be done to eliminate the damage. In particular, the participant argued that self-regulation and co-regulation provide very few assurances that data will not be illegally disclosed and breached. The DSCI responded to this argument by stating that in the case of a data breach, the both the Privacy Commissioner and the individual in question would have to be informed and that this issue would be further investigated. Other participants agreed that co-regulation should not be an option and argued that the way co-regulation would benefit the public has not been adequately proven.</p>
<p style="text-align: justify; ">The DSCI countered the above arguments by stating that the industry is in a better position to understand privacy issues than the government due to the various products that it produces. Industries also have better outreach than the Indian government and could enhance awareness to both other companies and individuals in terms of data protection, which is why the code of practice should be created by the industry and validated by the government. This argument was countered by a participant who stated that if the industry decides to participate in the enforcement process, this would potentially create a situation of conflict of interest and could be challenged by the courts in the future. The participant argued that an industry with a self-regulatory code of practice may be problematic, especially since there would be inadequate checks and balances on how data is being handled.</p>
<p style="text-align: justify; ">Another participant argued that the Indian government does not appear to take responsibility for the right to privacy, as it is not considered to be a fundamental human right; this being said, a co-regulatory framework could be more appropriate, especially since the industry has better insights on how data is being protected on an international level. Thus it was argued that the government could create high level principles and that the industry would comply. However, a participant argued that every company is susceptible to some type of violation and that in such a case, both self-regulation and co-regulation would be highly problematic. It was argued that, as any company could probably violate users´ data in some way down the line either way, self-regulation or co-regulation would probably not be the most beneficial option for the industry. This argument was supplemented by another participant who stated that co-regulation would mandate the industry and the Privacy Commissioner as the ultimate authorities to handle users´ data and that this could potentially lead to major violations, especially due to inadequate accountability towards users.</p>
<p style="text-align: justify; ">Co-regulation was once again supported by the DSCI through the argument that customers <i>choose </i>to use specific services and that by doing so, they should comply with the security measures and privacy policies provided. However, a participant asked whether other stakeholders should be involved, as well as what type of <i>incentives</i> companies have in order to comply with regulations and to protect users´ data. Another participant argued that the very definition of privacy remains vague and that co-regulation should not be an option, since the industry could be violating individuals´ privacy without even realising it. Another issue which was raised is how data would be protected when many companies have servers based in other countries. The DSCI responded by arguing that checks and balances would be in place to deal with all the above concerns, yet a general consensus on co-regulation did not appear to have been reached.</p>
<h1 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h1>
<h2 style="text-align: justify; ">Discussion of definitions: Chapter II</h2>
<p style="text-align: justify; ">The sections of the draft Privacy (Protection) Bill 2013 were discussed during the second session of the third Privacy Round Table meeting. In particular, the session started with a discussion on whether the draft Privacy (Protection) Bill 2013 should be split into two separate Bills, where the one would focus on data protection and the other on surveillance and interception. The split of a Bill on data protection to two consecutive Bills was also proposed, where the one would focus on data protection binding the public sector and the other on data protection binding the private sector. As the draft Privacy (Protection) Bill 2013 is in line with global privacy standards, the possibility of splitting the Bill to focus separately on the sections mentioned above was seriously considered.</p>
<p style="text-align: justify; ">The discussion on the definitions laid out in Chapter 2 of the draft Privacy (Protection) Bill 2013 started with a debate around the definitions of personal data and sensitive personal data and what exactly they should include. It was pointed out that the Data Protection Act of the UK has a much broader definition for the term ´sensitive personal data´ and it was recommended that the Indian draft Privacy (Protection) Bill complies with it. Other participants argued that a controversy lies in India on whether the government would conduct a caste census and if that were to be the case, such data (also including, but not limited to, religion and ethnic origin) should be included in the legal definition for ´sensitive personal data´ to safeguard individuals from potential abuse. Furthermore, the fact that the term ´sensitive personal data´ does not have a harmonious nature in the U.S. and in Europe was raised, especially since that would make it more difficult for India to comply to global privacy standards.</p>
<p style="text-align: justify; ">The broadness of the definition for ´sensitive personal data´ was raised as a potential problematic issue, especially since it may not be realistic to expect companies in the long term to protect everything it may include. The participants debated on whether financial information should be included in the definition of ´sensitive personal data´, but a consensus was not reached. Other participants argued that the terms ´data subject´ and ´data controller´ should be carefully defined, as well as that a generic definition for the term ´genetic data´ should be included in the Bill. Furthermore, it was argued that the word ´monitor´ should be included in the definitions of the Bill and that the universal norms in regards to the definitions should apply to each and every state in India. It was also noted that organizational affiliation, such as a trade union membership, should also be included in the definitions of the Bill, since the lack of legal protection may potentially have social and political implications.</p>
<p style="text-align: justify; "><b>Discussion of “Protection of Personal Data”: Chapter III </b><b> </b></p>
<p style="text-align: justify; ">The discussion on the data protection chapter of the draft Privacy (Protection) Bill began with the recommendation that data collected by companies should comply with a confidentiality agreement. Another participant argued that the UK looks at every financial mechanism to trace how information flows and that India should do the same to protect individuals´ personal data. It was also argued that when an individual is constantly under surveillance, that individual´s behaviour is more controlled and that extra accountability should be required for the use of CCTV cameras. In particular, it was argued that when entities outside the jurisdiction gain access to CCTV data, they should be accountable as to how they use it. Furthermore, it was argued that the Bill should provide provisions on how data is used abroad, especially when it is stored in foreign servers. <b> </b></p>
<p style="text-align: justify; "><b>Issue of Consent</b></p>
<p style="text-align: justify; ">The meeting proceeded with a discussion of Section 6 and it was pointed out that consent needs to be a prerequisite to data collection. Furthermore, conditions laid out in section 3 would have to be met, through which the individual would have to be informed prior to any data collection, processing, disclosure and retention of data. Section 11 of the Bill entails an accuracy provision, through which individuals have the right to access the data withheld about them and make any necessary corrections. A participant argued that the transmission of data should also be included in the Bill and that the transmitter would have to be responsible for the accuracy of the data. Another participant argued that transmitters should be responsible for the integrity of the data, but that individuals should be responsible for its accuracy. However, such arguments were countered by a participant who argued that it is not practically possible to inform individuals every time there is a change in their data.</p>
<p style="text-align: justify; "><b>Outsourcing of Data</b></p>
<p style="text-align: justify; ">It was further recommended that outsourcing guidelines should be created and implemented, which would specify the agents responsible for outsourcing data. On this note, the fact that a large volume of Indian data is being outsourced to the U.S. under the Patriot Act was discussed. In particular, it was pointed out that most data retention servers are based in the U.S., which makes it difficult for Indians to be able to be informed about which data is being collected, whether it is being processed, shared, disclosed and/or retained. A participant argued that most companies have special provisions which guarantee that data will not cross borders and that it actually depends on the type of ISP handling the data.</p>
<p style="text-align: justify; ">Another issue which was raised was that, although a consumer may have control over his/her data at the first stage, that individual ultimately loses control over his/her data in the next stages when data is being shared and/or disclosed without his/her knowledge or consent. Not only is this problematic because individuals lose control over their data, but also because the issue of accountability arises, as it is hard to determine who is responsible for the data once it has been shared and disclosed. Some participants suggested that such a problem could possibly be solved if the data subject is informed by the data processor that its data is being outsourced, as well as of the specific parties the data is being outsourced to. Another participant argued that it does not matter who the data is being outsourced to, but the manner of its use is what really matters.</p>
<p style="text-align: justify; "><b>Data Retention</b></p>
<p style="text-align: justify; ">Acting on the powers given by POTA, it was argued that 50,000 arrests have been made. Out of these arrests, only seven convictions have been made, yet the data of thousands of individuals can be stored for many years under POTA. Thus, it was pointed out that it is crucial that the individual is informed when his/her data is destroyed and that such data is not retained indefinitely. This was supplemented by a participant who argued that most countries in the West have data retention laws and that India should too. Other participants argued that data retention does not end with data destruction, but with the return of the data to the individual and the assurance that it is not stored elsewhere. However, several participants argued that the return of data is not always possible, especially since parties may lack the infrastructure to take back their data.</p>
<p style="text-align: justify; ">It was pointed out that civil society groups have claimed that collected data should be destroyed within a specific time period, but the debate remains polarized. In particular, some participants argued that data should be retained indefinitely, as the purpose of data collection may change within time and that data may be valuable in dealing with crime and terrorism in the future. This was countered by participants who argued that the indefinite retention of data may potentially lead to human rights violations, especially if the government handling the data is non-democratic. Another participant argued that the fact that data may be collected for purpose A, processed for purpose B and retained or disclosed for purpose C can be very problematic in terms of human rights violations in the future. Furthermore, another participant stated that destruction should mean that data is no longer accessible and that is should not only apply to present data, but also to past data, such as archives.</p>
<p style="text-align: justify; "><b>Data Processing</b></p>
<p style="text-align: justify; ">The processing of personal data is regulated in section 8 of the draft Privacy (Protection) Bill 2013. A participant argued that the responsibility should lie with the person doing the outsourcing of the data (the data collector). Another participant raised the issue that although banks acquire consent prior to collection and use of data, they subsequently use that data for any form of data processing and disclosure. Credit information requires specific permission and it was argued that the same should apply to other types of personal data. Consent should be acquired for every new purpose other than the original purpose for data collection. It was strongly argued that general consent should not cover every possible disclosure, sharing and processing of data. Another issue which was raised in terms of data processing is that Indian data could be compromised through global cooperation or pre-existing cooperation with third parties.</p>
<p style="text-align: justify; "><b>Data Disclosure</b></p>
<p style="text-align: justify; ">The disclosure of personal data was highlighted as one of the most important provisions within the draft Privacy (Protection) Bill 2013. In particular, three types of disclosure were pointed out: (1) disclosure with consent, (2) disclosure in outsourcing, (3) disclosure for law enforcement purposes. Within this discussion, principle liability issues were raised, as well as whether the data of a deceased person should be disclosed. Other participants raised the issue of data being disclosed by international third parties, who gain access to it through cooperation with Indian law enforcement agencies and cases of dual criminality in terms of the misuse of data abroad were raised. A participant highlighted three points: (1) the subject who has responsibility for the processing of data, (2) any obligation under law should be made applicable to the party receiving the information, (3) applicable laws for outsourcing Indian data to international third parties. It was emphasized that the failure to address these three points could potentially lead to a conflict of laws.</p>
<p style="text-align: justify; ">According to a participant, a non-disclosure agreement should be a prerequisite to outsourcing. This was preceded by a discussion on the conditions for data disclosure under the draft Privacy (Protection) Bill 2013 and it was recommended that if data is disclosed without the consent of the individual, the individual should be informed within one year. It was also pointed out that disclosure of data in furtherance of a court order should not be included in the Bill because courts in India tend to be inconsistent. This was followed by a discussion on whether power should be invested in the High Court in terms of data disclosure.</p>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The third Privacy Round Table ended with a brief discussion on the fourth chapter of the draft Privacy (Protection) Bill 2013, which regulates the interception of communications. Following an overview of the sections and their content, a participant argued that interception does not necessarily need to be covered in the draft Privacy (Protection) Bill, as it is already covered in the Telegraph Act. This was countered by participants who argued that the interception of communications can potentially lead to a major violation of the right to privacy and other human rights, which is why it should be included in the draft Privacy (Protection) Bill. Other participants argued that a requirement that intercepted communication remains confidential is necessary, but that there is no need to include privacy officers in this. Some participants proposed that an exception for sting operations should be included in this chapter.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The third Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-third-privacy-round-table-meeting</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:35:22ZBlog EntryThe Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!
https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers
<b>Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out! </b>
<hr />
<p style="text-align: justify; ">This blog post has been <a class="external-link" href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cross-posted</a> in Medianama on May 8, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">So yes, we live in an <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">Internet Surveillance State</a>. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?</p>
<p style="text-align: justify; "><span>Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it</span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"> lacks privacy legislation </a><span>which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.</span></p>
<p style="text-align: justify; "><span>The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?</span></p>
<h2><b>A glimpse of the surveillance industry in India</b></h2>
<p style="text-align: justify; "><span>In light of the </span><a href="http://uidai.gov.in/">UID scheme</a><span>, the </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid</a><span> (NATGRID), the </span><a href="http://ncrb.nic.in/cctns.htm">Crime and Criminal Tracking Network System</a><span> (CCTNS) and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a><span> (CMS), who supplies law enforcement agencies the technology to surveille us?</span></p>
<p style="text-align: justify; "><span>In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies </span><a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">simultaneously produce internet monitoring software and encryption tools</a><span>! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.</span></p>
<p style="text-align: justify; ">Companies selling surveillance technology in India are listed in <a href="https://cis-india.org/internet-governance/blog/table-1.pdf" class="internal-link">Table 1</a>. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.</p>
<p style="text-align: justify; "><span><a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> shows the types of surveillance technology produced and sold by these 76 companies.</span></p>
<p style="text-align: justify; ">The graph below is based on <a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> and shows which types of surveillance are produced the most by the 76 companies.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_Surveillancetechgraph.png" alt="Surveillance Graph" class="image-inline" title="Surveillance Graph" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Graph on types of surveillance sold to law enforcement agencies by 76 companies in India</p>
<p style="text-align: justify; "><span>Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the </span><a href="http://www.economist.com/node/21542814">UID scheme</a><span> which is rapidly expanding across India. Only </span><a href="http://www.clear-trail.com/">one company</a><span> from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a><span>, especially since the project would have to monitor and mine Big Data.</span></p>
<p style="text-align: justify; "><span>On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since </span><a href="https://opennet.net/research/profiles/india">the majority of the population in India does not even have Internet access</a><span>. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while </span><a href="http://www.thehindu.com/news/national/half-of-indias-homes-have-cellphones-but-not-toilets/article2992061.ece">more than half the population owns mobile phones</a><span>. Seeing as companies, such as </span><a href="http://www.clear-trail.com/">ClearTrail Technologies</a><span> and </span><a href="http://www.shoghicom.com/">Shoghi Communications</a><span>, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.</span></p>
<h2>Did you Know:</h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/spywarepic.jpg" alt="Spyware" class="image-inline" title="Spyware" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>CARLOS62 on flickr </span></p>
<ol>
<li>WSS Security Solutions Pvt. Ltd. is <a href="http://www.wssgroup.in/aboutus.html">north India´s first CCTV zone</a></li>
<li>Speck Systems Limited was <a href="http://www.specksystems.com/sub-links/Strengths/core-strengths-UAV.htm">the first Indian company to design, manufacture and fly a micro UAV indigenously</a></li>
<li>Mobile Spy India (Retina-X Studios) has the following <a href="http://www.mobilespy.co.in/">mobile spying features</a>: </li>
</ol>
<ul>
<li><i>SniperSpy</i>: remotely monitors smartphones and computers from any location</li>
</ul>
<ul>
<li><i>Mobile Spy: </i>monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces</li>
</ul>
<p>4. Infoserve India Private Limited produces an<a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html"> Internet monitoring System</a> with the following features:</p>
<ul>
<li>Intelligence gathering for an entire state or a region</li>
<li>Builds a chain of suspects from a single start point</li>
<li>Data loss of less than 2%</li>
<li>2nd Generation Interception System</li>
<li>Advanced link analysis and pattern matching algorithms</li>
<li>Completely Automated System</li>
<li>Data Processing of up to 10 G/s</li>
<li>Automated alerts on the capture of suspicious data (usually based on keywords)</li>
</ul>
<p>5. ClearTrail Technologies<b> </b>deploys <a href="https://www.documentcloud.org/documents/409231-111-cleartrail.html#document/p3/a68269">spyware into a target´s machine</a><br />6. Spy Impex<b> </b>sells <a href="http://www.tradedir.in/s/coca-cola-tin-camera">Coca Cola Tin Cameras</a>!<br />7. Nice Deal<b> </b>also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and <a href="http://www.indiamart.com/nicedeal/spy-hidden-cameras.html">Lighter Video Cameras</a> to name a few...<br />8. Raviraj Technologies<b> </b>is an Indian company which supplies <a href="http://www.ravirajtech.com/index.html">RFID and biometric technology</a> to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?</p>
<ul>
<li style="text-align: justify; ">Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further <a href="http://www.rogerclarke.com/DV/Biometrics.html">oppression</a> within these countries </li>
</ul>
<ul>
<li style="text-align: justify; ">Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards</li>
</ul>
<h2><b>“I´m not a terrorist, I have nothing to hide!”</b></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/surveillancetechpic.jpg" alt="Surveillance Tec" class="image-inline" title="Surveillance Tec" /></th>
</tr>
</tbody>
</table>
<p><span> </span><a href="http://www.flickr.com/photos/r1chard/">r1chardm</a> on flickr</p>
<p style="text-align: justify; ">It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:</p>
<blockquote class="italized"><i>“I´m not a terrorist, I have nothing to hide!”</i></blockquote>
<p style="text-align: justify; "><span>Indeed. You may not be a terrorist...and you may </span><i>think </i><span>you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?</span></p>
<p style="text-align: justify; "><span>Last year at the </span><a href="http://lcaunderthestars.org.au/programme/schedule">linux.conf.au</a><span>, </span><a href="http://www.youtube.com/watch?v=GMN2360LM_U">Jacob Appelbaum</a><span> stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. </span><a href="http://www.schneier.com/essay-155.html">Bruce Schneier</a><span> has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.</span></p>
<p style="text-align: justify; "><span>That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, </span><a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">we are all potentially suspects</a><span>. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called </span><a href="http://www.computerworld.com/s/article/9176265/Half_of_social_networkers_post_risky_information_study_finds_">´risky information´</a><span>. As long as our data is being surveilled, we are all suspects, which means that </span><a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239412">we can all potentially be arrested, interrogated and maybe even tortured</a><span>, just like any other criminal suspect.</span></p>
<p style="text-align: justify; "><span>But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The </span><a href="http://www.sourcesecurity.com/news/articles/co-1753-ga.4047.html">market appears to demand for surveillance technologies</a><span> because a pre-existing </span><a href="http://www.abc.net.au/tv/bigideas/stories/2012/04/16/3476847.htm">surveillance culture</a><span> has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as </span><a href="http://money.cnn.com/magazines/fortune/global500/2012/snapshots/284.html">3M</a><span>, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that </span><a href="http://www.sscqueens.org/davidlyon/">surveillance is being socially integrated</a><span>. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.</span></p>
<p style="text-align: justify; "><span>By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID </a><span>and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><span> in India- or by handing over our data, </span><a href="http://www.schneier.com/essay-167.html"><i>we </i></a><a href="http://www.schneier.com/essay-167.html">are fuelling the surveillance state</a><span>. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution </span><i>and </i><span>of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.</span></p>
<p style="text-align: justify; "><span>Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because </span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">India lacks privacy legislation </a><span>which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.</span></p>
<p style="text-align: justify; "><span>Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as </span><a href="http://www.ravirajtech.com/index.html">Raviraj Technologies</a><span>, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus </span><a href="https://www.privacyinternational.org/reports/our-response-to-eu-consultation-on-legality-of-exporting-surveillance-and-censorship-3">export controls</a><span> are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even </span><a href="http://edition.cnn.com/2013/03/15/world/asia/u-n-drone-objections">murdered</a><span> in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers'>https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers</a>
</p>
No publishermariasurveillance technologiesInternet GovernanceSAFEGUARDS2013-07-12T11:59:10ZBlog EntryA Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills
<b>In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.</p>
<h2><b>Draft 2007 DNA Profiling Bill <i>vs.</i> Draft 2012 Human DNA Profiling Bill</b></h2>
<h3><b> </b><b>1. </b><b>Composition of the DNA Profiling Board</b></h3>
<p><b>Amendment:</b> The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.</p>
<p><b>Analysis:</b> The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.</p>
<ul>
<li><b>DNA 2007 Bill (Section 4): </b><i>“The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”</i><b> </b></li>
</ul>
<p><b> </b></p>
<ul>
<li><b>DNA April 2012 Bill (Section 4):</b><i>“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member</i><b> </b><i>(g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary” </i></li>
</ul>
<p><i><br /></i></p>
<h3><b>2. </b><b>Powers and functions of the Chief Executive Officer</b></h3>
<p><b>Amendment:</b> Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.</p>
<p><b>Analysis:</b> The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.</p>
<ul>
<li><b>DNA 2007 Bill (Section 11):</b><i>“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 10): </b><i>“(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>3. </b><b>Functions of the Board</b></h3>
<p><b>Amendment:</b> The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.</p>
<p><b>Analysis:</b> This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.</p>
<p><b>DNA 2007 Bill (Section 13(x)): </b><i>The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by</i><b> </b><i>law enforcement agencies;” </i><b> </b></p>
<p><b>DNA April 2012 Bill (Section 12(j)): </b><i>The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”</i></p>
<h3><i> </i><b>4. </b><b>Regional DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.</p>
<p><b>Analysis:</b> This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(1)): </b><i>“The Central Government shall, by a notification published in the</i><b> </b><i>Gazette of India, establish a National DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(1)): </b><i>“The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>5. </b><b>Data sharing</b></h3>
<p>Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.</p>
<p>This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(2)): </b><i>“A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(2)):</b><i>“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>6. </b><b>Data retention</b></h3>
<p><b>Amendment:</b> Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.</p>
<p><b>Analysis:</b> This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.</p>
<ul>
<li><b>DNA 2007 Bill (Section 33(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different</i><b> </b><i>laboratories in the format as may be specified by regulations.”</i> <b> </b></li>
<li><b>DNA April 2012 Bill (Section 32(3)): </b><i>“The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>7. </b><b>Data Bank Manager</b></h3>
<p><b>Amendment:</b> Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.</p>
<p><b>Analysis:</b> All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<ul>
<li><b>DNA 2012 Bill (Section 33):</b><i>“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>8. </b><b>Communication of DNA profiles to foreign agencies</b></h3>
<p><b>Amendment:</b> The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.</p>
<p><b>Analysis:</b> The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.</p>
<ul>
<li><b>DNA 2007 Bill (Sections 35(2,3)): </b><i>“(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 36(1)): </b><i>“On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”</i></li>
</ul>
<p><i><br /></i></p>
<h3><b>9. </b><b>Data destruction</b></h3>
<p><b>Amendment:</b> Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.</p>
<p><b>Analysis:</b> This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.</p>
<ul>
<li><b>DNA 2007 Bill (Section 37): </b><i>“The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 37):</b><i>“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>10. </b><b>Use of DNA profiles and DNA samples and records</b></h3>
<p><b>Amendment</b>: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.</p>
<p><b>Analysis:</b> The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify <i>who </i>can be authorised to use DNA data under such conditions, which raises further concerns.</p>
<ul>
<li><b>DNA 2007 Bill (Section 39):</b> <i>“(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified</i><b> </b><i>offence: Provided that such records or samples may be used to identify victims of</i><b> </b><i>accidents, disasters or missing persons or for such other purposes.</i><b> </b><i>(2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system</i><b> </b><i>by law enforcement officers or any other persons, as may be</i><b> </b><i>prescribed, in accordance with provisions of any law for the time</i><b> </b><i>being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information</i><b> </b><i>which may be used to determine the identity of any person.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 39): </b><i>“All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>11. </b><b>Availability of DNA profiles and DNA samples</b></h3>
<p><b>Amendment:</b> Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.</p>
<p><b>Analysis:</b> ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.</p>
<ul>
<li><b>DNA 2007 Bill (Section 40):</b><i>“The information on DNA profiles, samples and DNA identification records</i><b> </b><i>shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal</i><b> </b><i>case; (ii) in judicial proceedings, in accordance with the rules of</i><b> </b><i>admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and</i><b> </b><i>protocol development, or for quality control provided that it does not</i><b> </b><i>contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 40):</b><i>“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>12. </b><b>Restriction on access to information in DNA Data Banks</b></h3>
<p><b>Amendment:</b> Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.</p>
<p><b>Analysis:</b> This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.</p>
<ul>
<li><b>DNA April 2012 Bill (Section 43): </b><i>“Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”</i><b> </b></li>
</ul>
<p><b> </b></p>
<h3><b>13. </b><b>Board exemption from tax on wealth and income, profits and gains</b></h3>
<p><b>Amendment:</b> Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.</p>
<p><b>Analysis:</b> Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.</p>
<ul>
<li><b>DNA 2007 Bill (Section 53):</b><i>“(1) The DNA Profiling Board shall furnish to the Central Government at</i><b> </b><i>such time and in such form and manner as may be specified by rules or </i><b> </b><i>as the Central Government may direct, such returns and statements as</i><b> </b><i>the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling</i><b> </b><i>Board shall, within ninety days after the end of each financial</i><b> </b><i>year, submit to the Central Government a report in such form, as may be</i><b> </b><i>prescribed, giving a true and full account of its activities, policy and</i><b> </b><i>programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”</i><b> </b></li>
<li><b>DNA April 2012 Bill (Section 62): “</b><i>Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”</i><b> </b></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills'>https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:32:08ZBlog EntryHacking without borders: The future of artificial intelligence and surveillance
https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance
<b>In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="Normal1">Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.</p>
<h2><b>Combat Zones That See (CTS)</b></h2>
<p><b><img src="http://farm5.staticflickr.com/4137/4749564682_9ab88cb4d1.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/swanksalot/">swanksalot</a> on flickr</p>
<p class="Normal1">Ten years ago DARPA started funding the<a href="http://www.freerepublic.com/focus/f-news/939608/posts"> Combat Zones That See (CTS)</a> project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.</p>
<p class="Normal1">Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that<span> <a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">40 million surveillance cameras were already in use around the </a></span><a class="external-link" href="http://www.wired.com/politics/law/news/2003/07/59471">world </a>by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. <a href="http://www.wired.com/politics/law/news/2003/07/59471">Police</a> in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.</p>
<p class="Normal1">However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.</p>
<h2><b>Mind´s Eye</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8425/7775805386_8260b7836c.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/58687716@N05/">watchingfrogsboil</a> on flickr</p>
<p class="Normal1">A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">thinking camera</a>. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">´visual intelligence´</a>. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to <a href="http://phys.org/news/2012-10-surveillance-tech-carnegie-mellon.html">predict future human activities and situations</a>.</p>
<p class="Normal1">Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. <a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">General</a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/"> </a><a href="http://www.wired.com/dangerroom/2011/01/beyond-surveillance-darpa-wants-a-thinking-camera/">James Cartwright</a>, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Minds_Eye.aspx">operationally significant activity</a> and predicting outcomes.</p>
<p class="Normal1">Mounting these <a href="http://www.dailygalaxy.com/my_weblog/2011/01/minds-eye-darpas-new-thinking-camera-will-transform-the-world-of-surveillance.html">smart cameras on drones</a> is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?</p>
<h2><b>SyNAPSE</b></h2>
<p><b><img src="http://farm9.staticflickr.com/8230/8384110298_da510e0347.jpg" /></b></p>
<p class="Normal1">Source: <span> </span><a href="http://www.flickr.com/photos/healthblog/">A Health Blog</a> on flickr</p>
<p class="Normal1">The <i>Terminator </i>could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the <a href="http://www.artificialbrains.com/darpa-synapse-program">Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE)</a> programme. Is DARPA funding the creation of the <i>Terminator</i>? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.</p>
<p class="Normal1">SyNAPSE is a programme which aims to develop <a href="http://celest.bu.edu/outreach-and-impacts/the-synapse-project">electronic neuromorphic machine technology</a> which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received<a href="http://www.artificialbrains.com/darpa-synapse-program"> $102.6 million</a> in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create <a href="http://www.darpa.mil/Our_Work/DSO/Programs/Systems_of_Neuromorphic_Adaptive_Plastic_Scalable_Electronics_(SYNAPSE).aspx">biological neural systems </a>which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">cognitive computers</a> would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.</p>
<p class="Normal1">Although this original type of computational device could be beneficial to <a href="http://www.ibm.com/smarterplanet/us/en/business_analytics/article/cognitive_computing.html">predict natural disasters</a> and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.</p>
<p class="Normal1">Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.</p>
<h2><b>Brain-Computer Interface (BCI)</b></h2>
<p><b><br /></b></p>
<p><iframe frameborder="0" height="360" src="http://www.youtube.com/embed/qCSSBEXBCbY?feature=player_embedded" width="640"></iframe></p>
<p class="Normal1">Remember Orwell's ´<i>Thought Police</i>´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in <i>1984</i>. Unlike the ´<i>Thought Police</i>´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can <i>literally </i>read our thoughts.</p>
<p class="Normal1">Once again, DARPA appears to be funding one of the world´s most innovative projects: the <a href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/">Brain-Computer Interface (BCI)</a>. The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph -<a href="http://www.extremetech.com/wp-content/uploads/2012/08/brain-hacking-accuracy-chart.jpg"> an EEG</a>) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely <i>thinking </i>of the action.</p>
<p class="Normal1">Ten years ago it was reported that the brains of <a href="http://www.newscientist.com/article/dn2237">rats</a> and <a href="http://news.bbc.co.uk/2/hi/health/3186850.stm">monkeys</a> could control robot arms through the use of such technologies. A few years later<a href="http://www.newscientist.com/article/dn4540"> brainstem implants</a> were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as<a href="http://www.cyborgdb.org/mckeever.htm"> to control robotic limbs with their thoughts</a>. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally <i>thinking </i>about them, while using a BCI.</p>
<p class="Normal1">Brain-controlled robotic limbs could change the lives of disabled persons, but<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> ethical concerns</a> have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out <a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data">sensitive data</a>, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the <i>P300 response</i>, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to <a href="http://www.digitaltrends.com/cool-tech/this-is-your-brain-on-silicon/">DARPA</a>:</p>
<blockquote class="italized"><i>´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´</i></blockquote>
<p class="Normal1">This constitutes the human brain as<a class="external-link" href="http://www.wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain/"> a <span>new warfighting </span>domain</a> of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.</p>
<p class="Normal1">Security expert, Barnaby Jack, of IOActive demonstrated the <a href="http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt">vulnerability of biotechnological systems</a>, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.</p>
<p class="Normal1">Will BCI be used in the future to<a href="http://www.guardian.co.uk/science/2007/feb/09/neuroscience.ethicsofscience"> interrogate terrorists and suspects</a>? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our <i>thoughts</i> - can potentially be hacked? Human rights are essential because they protect us from those in power; but the <i>privacy of our thoughts</i> is even more important, because without it, we can have no human rights, no individuality.</p>
<p class="Normal1">Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.</p>
<p class="Normal1">Apparently, anyone can<a href="http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data"> buy Emotiv or Neurosky BCI online</a> to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance'>https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:30:27ZBlog EntryWorkshop on the Unique Identity Number (UID), the National Population Register (NPR) and Governance: What will happen to our data?
https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr
<b>On March 2nd, 2013, the Centre for Internet and Society and the Say No to UID campaign organized a workshop to discuss the present state of the UID and NPR schemes. Some of the questions which were addressed included ´How do the UID and NPR impact citizenship´, ´Why and how is national security linked to UID/NPR´, and ´What is the relationship between UID and Big Data´. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="italized" style="text-align: justify; "><i>“The UIDAI will own our data...When we hand over information, we hand over the ownership of that data...”</i>, stated Usha Ramanathan, legal researcher and human rights activist.She also pointed out that, although the UID has been set up by an executive order, there is no statute which legally backs up the UID. In other words, the collection of our data through the UID scheme is currently illegal in India, hinging only on an executive order. However, Usha Ramanathan stated that if the UID scheme is going to be carried out, it is highly significant that a statute for the UID is enacted to prevent potential abuse of human rights, especially since the UIDAI is currently collecting, sharing, using and storing our data on untested grounds.</p>
<blockquote class="italized"><i>´What is alarming is that the Indian government has not even attempted to legalize the UID! When a government does not even care about legalizing its actions, then we have much bigger problems...” </i></blockquote>
<p style="text-align: justify; "><span>The NPR is legally grounded in the provisions of the Citizenship Act 1955 and in the Citizenship Rules 2003 and it is mandatory for every usual resident in India to register with the NPR. Even though the collection of biometrics is not accounted for in the statute or rules, the NPR is currently collecting photographs, iris prints and fingerprints. Concerns regarding the use of biometrics in the UID and NPR schemes were raised during the workshop; biometrics are not infallible and can be spoofed, an individual´s biometrics can change in response to a number of factors (including age, environment and stress), the accuracy of a biometric match depends on the accuracy of the technology used and the larger the population is, the higher the probability of an error. Thus, individuals are required to re-enrol every two to three years, to ensure that the biometric data collected is accurate; but the accuracy of the data is not the only problem. The Indian government is illegally collecting biometrics and as of yet has not amended the 2003 Citizenship Rules to include the collection of biometrics! As Usha Ramanathan stated:</span></p>
<blockquote class="italized" style="text-align: justify; "><span> </span><i>“It´s not really about the UID and the NPR per se...it´s more about the idea of profiling citizens and the technologies which enable this...”</i></blockquote>
<p style="text-align: justify; "><span>In his presentation, Anant Maringanti, from the Hyderabad Urban Labs and Right to the City Foundation, stated that even though seventy seven lakh duplicates have been found, no action has been taken, other than discarding one of them. Despite the fact that enrolment with the UID is considered to be voluntary, children in India are forced to get a unique identification number as a prerequisite of going to school. Anant emphasized that the UID scheme supposedly provides some form of identity to the poor and marginalised groups in India, but it actually targets some of the most vulnerable groups of people, such as HIV patients and sex workers. Furthermore, though Indians living below the poverty line (BPL) are eligible for direct cash transfer programmes, apparently registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BLP category. This is problematic as individuals who have not enrolled in the UID or do not want to enroll in the UID could risk being denied benefits because they did not enroll and thus were not classified in the BPL category. Anant also pointed out that, linking biometric data to a bank account through the UID scheme is basically exposing personal data to fraud. Anant Maringanti characteristically stated: </span></p>
<blockquote class="italized"><span> </span><i>“I wish the 100 people applying the UID scheme had UIDs so that we could track them...!”</i></blockquote>
<p style="text-align: justify; "><span>Following the end of the workshop on the UID and NPR schemes, CIS interviewed Usha Ramanathan and Anant Maringanti: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span>The workshop can be viewed in two parts: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/o7X1Af5Jw3s" width="250"></iframe> <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/rSFYOfvtOr8" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span><br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr'>https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:28:50ZBlog EntryInterview with Mathew Thomas from the Say No to UID campaign - UID Court Cases
https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign
<b>The Centre for Internet and Society (CIS) recently interviewed Mathew Thomas from the Say No to UID campaign about his ongoing efforts to challenge the UID scheme legally in the Bangalore High Court and Supreme Court of India. Read this interview and gain an interesting insight on recent legal developments with regards to the UID!</b>
<h3><b>Hi Mathew! We've heard that you've been in court a lot over the last few years with regards to the UID scheme. Could you please tell us about the UID case you have filed?</b></h3>
<p align="JUSTIFY" class="western">In early 2012, I filed a civil suit at the Bangalore Court to declare the UID scheme illegal and to stop further biometric enrollments. I alleged that foreign agencies are involved in the process of biometric enrollment, and that cases of corruption have occurred with regards to the companies contracted by the UID Authority of India (UIDAI). Many dubious companies have been empanelled for biometric enrollments by the UIDAI and many cases of corruption have been noted, especially with regards to the preparation of biometric databases for below poverty line (BPL) ration cards in Karnataka.</p>
<p align="JUSTIFY" class="western">In 2010, according to a government audit report, COMAT Technologies Private Limited had a contract with the Karnataka Government and was required to undertake a door-to-door survey and to set up biometric devices. COMAT Technologies Private Limited was paid ₹ 542.3 million for this purpose, but it turns out that the company did not comply with the terms of the contract and did not fullfill its obligations under the contract. Even though COMAT Technologies Private Limited had been contracted and had been paid ₹ 542.3 million, the company did not hand over any biometric device to the Karnataka Government. Instead, when the company got questioned, it walked away from the contract in 2010, even though it had been paid for a service it did not deliver.</p>
<p style="text-align: justify; ">In the same year, 2010, COMAT Technologies was empanelled as an Enrolling Agency of the UIDAI. COMAT Technologies also carries out enrollments in Mysore and a TV channel sting operation revealed that fake IDs were being issued in the Mysore enrollment center. After much persuasion, the e-Government department of Karnataka informed me that they have filed an FIR. And this is just one case of a corrupt company empanelled as an enrollement agency with the UIDAI. Many similar cases with other companies have occurred in other cities in India, such as Mumbai, where the empanelled agencies have committed fraud and police complaints have been filed. But unfortunately, there is no publicly available information on the state of the investigations.</p>
<p align="JUSTIFY" class="western">As such, I filed a case at the Bangalore Court and stated that the whole UID system is insecure, that it will not achieve the objective of preventing leakages of welfare subsidies and that, therefore, it is a waste of public funds, which also affects individuals' right to privacy and right to life. In my complaint in the civil court I made allegations of corruption and dangers to national security backed by documentary evidence. According to Order 8 of the Civil Procedure Code (CPC), defendants are required to specifically deny each of the allegations against them and if they don't, the court is required to accept the allegations as accurate. According to law, vague, bald denials are not acceptable in courts. Interestingly enough, the defendants in this court case did <i>not</i> deny any of the allegations, but instead stated that they (allegations) are “trivial” and requested the judge to dismiss the case without a trial. The judge requested the defendants to file a written application, asking for the suit to be dismissed under Order 7, Rule 11, of the Civil Procedure Code. Nonetheless, in May 2012, the judge observed that this is a serious case which should not be dismissed and that he would like to have a daily hearing of the case, especially since the case was grounded on the allegation that thousands of crores of rupees of public money are spent every day.</p>
<p align="JUSTIFY" class="western">However, one month later in June 2012, the judge dismissed the case by stating that I did not have a “cause of action” and that the case is not of civil nature under Section 9 of the Code of Civil Procedure. I argued that tax payers have a right to know where their money is going and that we all have a right to privacy and that therefore, I <i>did</i> have a cause for action. I quoted the Supreme Court case setting out the law relating to the meaning of “civil nature”. The Apex court said, “Anything which is not of criminal nature is of civil nature”. I also quoted several court precedents which explained conditions under which complaints could be dismissed under Order VII Rule 11. Unfortunately though, the judge dismissed all of this and suggested that I should take this case to the High Court or to the Supreme Court, since the Bangalore Court did not have the authority to address the violation of fundamental human rights. In my opinion, the fallacy in this judgement was that, on the one hand, the judge stated in his order that there was “no cause for action”, but on the other hand, he said that I should take the case to the High Court or to the Supreme Court! And on top of that, the judge stated that my case was frivolous and levied on me a Rs. 25, 000 fine, because apparently I was “wasting the court's time” !</p>
<p align="JUSTIFY" class="western">In addition to all of this, the judge made a very intriguing statement in his order: he claimed that the biometric enrollment with the UIDAI is voluntary and that therefore I need not enrol. I argued that although the UID is voluntary in theory, it is actually mandatory on many levels, especially since access to many governmental services require enrollment with the UIDAI. Nonetheless, the judge insisted that the UID is purely voluntary and that if I am not happy with the UID, then I should just “stay at home”.</p>
<h3><b>And how did the case continue thereafter?</b></h3>
<p align="JUSTIFY" class="western">In October 2012 I appealed against this to the High Court by stating that there was a misapplication of Order 7, Rule 11, of the Civil Procedure Code and requested the High Court to send the suit back for trial at the Bangalore Court.</p>
<p align="JUSTIFY" class="western">Now, when you appeal in India, the Court has to issue notices to the opposite party, which are usually sent by registered post. However, nothing was happening, so I filed a number of applications to hear the case. The registrar’s office filed a number of trivial “objections” with which I needed to comply and this took three months, until January 2013. For example, one “objection” was that the lower court order stated the date of the order as "03-07-12", whereas I had mentioned the date as 3 July 2012. Then they would argue that the acknowledgement of the receipt of the notice from the respondents was not received. The High Court is located next to the head post office (GPO) in Bangalore and normally it would be sent there, then directly to the GPO in Delhi and from there to the Planning Commission or to the UIDAI. Yet, the procedure was delayed because apparently the notices weren't sent. In one hearing, the court clerk said that the address of the defendant was wrong and that the address of the Planning Commission should also be included. All in all, it seemed to me like there was some deliberate attempt to delay the procedure and the dismissal of the case by the Bangalore Court seemed very questionable. As a result, in January 2013, I asked the High Court to permit me to personally hand over my appeal to the Government Council. And finally, on 17th December 2013, my appeal was heard by the Bangalore High Court!</p>
<p align="JUSTIFY" class="western">Over the last three months, the defendants have not filed any counter affidavit. Instead, the Government Council came to the High Court and stated that I have not filed a “paper book” (which includes depositions and evidence, among other things). However, the judge stated that this is not a case which requires a “paper book”, since my appeal was about the misapplication of Order 7, Rule 11, of the Civil Procedure Code. Then the Government Council asked for more time to review the appeal and it is has been postponed.</p>
<h3><b>Have there been any other recent court cases against the UID?</b></h3>
<p align="JUSTIFY" class="western">Yes. While all of this was going on, retired judge, Justice Puttaswamy, filed a petition in the Supreme Court, stating that the UID scheme is illegal, since it violates article 73 of the Constitution. Aruna Roy, who is an activist at the National Council for People’s Right to Information, has also filed a petition where she has questioned the UID because it violates privacy rights and the rights of the poor.</p>
<p align="JUSTIFY" class="western">Furthermore, petitions have been filed in the Madras High Court and in the Mumbai High Court. In 2012, it was argued in the Madras High Court that the only legal provision for taking fingerprints exists under the Prisoners Act, whereas the UIDAI is taking the fingerprints of people who are not prisoners and therefore it is illegal. In 2013, Vikram Crishna, Kamayani Bahl and a few others argued in the Mumbai High Court that the right to privacy is being violated through the UID scheme. It is noteworthy that in most of these cases, the defendants have not filed any counter-arguments. The only exceptions were in the Aruna Roy and Puttaswamy cases, where the defendants claimed that the UID is secure and supported it in general. In the end, the Supreme Court directed that the cases in Mumbai and Madras should be clubbed together and addressed by it. As such, the cases filed in the Madras and Mumbai High Courts have been sent to the Supreme Court of India.</p>
<p align="JUSTIFY" class="western">Major General Vombathakere also filed a petition in the Supreme Court, arguing that the UID scheme violates individuals' right to privacy. When the counsel for the General commenced his arguments the judge pointed to the possibility of the Government passing the NIA Bill soon, which will contain provisions for privacy, as stated by the Government. As such, the judge implied that if the Government passes such a law the argument, that the Government is implementing the scheme in a legal vacuum, may not be valid.</p>
<h3><b>So what is the status of your pending court cases?</b></h3>
<p align="JUSTIFY" class="western">Well, I impleaded myself in Aruna Roy's petition and brought my arguments with regards to corruption in the case of companies contracted with the UIDAI and the danger to national security through the involvement of persons linked to US intelligence agencies. The last hearing in the Supreme Court was on 10th December 2013, but it was postponed to 28 January 2014. So in short, in the Supreme Court I am currently filing a case for investigation with regards to corruption and links with foreign intelligence agencies by companies contracted with the UIDAI, while in the Bangalore High Court, I have appealed a civil trial with regards to the misplacement of Order 7, Rule 11, of the Civil Procedure Code.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign'>https://cis-india.org/internet-governance/blog/interview-with-mathew-thomas-from-the-say-no-to-uid-campaign</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2014-01-27T12:47:49ZBlog EntryNew Document on India's Central Monitoring System (CMS) - 2
https://cis-india.org/internet-governance/blog/new-cms-doc-2
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/new-cms-doc-2'>https://cis-india.org/internet-governance/blog/new-cms-doc-2</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:40:31ZFileUAS License Agreement Amendment regarding the Central Monitoring System (CMS)
https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment'>https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:43:56ZFileThe Privacy (Protection) Bill 2013: A Citizen's Draft
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft
<b>The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, Bhairav Acharya has drafted the Privacy (Protection) Bill 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf" class="internal-link">Click</a> to download a full draft of the Privacy (Protection) Bill, 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:50:20ZBlog EntryDriving in the Surveillance Society: Cameras, RFID tags and Black Boxes...
https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes
<b>In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have <a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">already adopted measures</a> to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, <a href="http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers/2/">privacy concerns</a> have arisen as it remains unclear how data collected will be used.<span> </span></p>
<h2><b>Red light cameras</b></h2>
<p style="text-align: justify; "><span>Last week, the Chennai police announced that it plans</span><a href="http://articles.timesofindia.indiatimes.com/2011-05-12/chennai/29535601_1_red-light-camera-system-red-light-cameras-traffic-signals"> to install traffic enforcement cameras</a><span>, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since </span><a href="http://www.traffictechnologytoday.com/news.php?NewsID=2767">early 2008</a><span> and a</span><a href="http://ibnlive.in.com/news/study-finds-red-light-cameras-cuts-crashes/142065-57-132.html"> study</a><span> indicates that they have reduced the traffic violation rates. A </span><a href="http://www.thenewspaper.com/rlc/docs/syn310.pdf">2003 report by the National Cooperative Highway Research Programme (NCHRP)</a><span> examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.</span></p>
<p style="text-align: justify; "><span></span><span>However, how are traffic violation rates even measured? According to </span><a href="http://blogs.wsj.com/numbersguy/seeing-red-1208/">Barbara Langland Orban</a><span>, an associate professor of health policy and management at the University of South Florida:</span></p>
<blockquote class="italized"><i>“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”</i></blockquote>
<p style="text-align: justify; "><span>Last year, the Bombay state government informed the High Court that the </span><a href="http://www.indianexpress.com/news/cctvs-not-fit-to-detect-traffic-violations-state-to-hc/910392">100 CCTV cameras</a><span> installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s </span><a href="http://www.thehindu.com/opinion/op-ed/of-constitutional-due-process/article436586.ece">due-process rights</a><span>?</span></p>
<h2 style="text-align: justify; "><b>RFID tags and Black Boxes</b></h2>
<p style="text-align: justify; "><span>A communication revolution is upon us, as Maharashtra state transport department is currently including radio </span><a href="http://www.dnaindia.com/mumbai/report_maharashtra-rto-spy-to-breathe-down-drivers-neck_1625521">frequency identification (RFID) tags on each and every number plate of vehicles</a><span>. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the </span><a href="http://www.hsrpdelhi.com/Rule50.pdf">2001 amendment of Rule 50 of the Central Motor Vehicles Rules</a><span>, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.</span></p>
<p style="text-align: justify; "><span>RFID technology has also been launched at Maharashtra´s </span><a href="http://articles.timesofindia.indiatimes.com/2012-08-18/mumbai/33261046_1_rfid-stickers-border-check-posts">state border check-posts</a><span>. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.</span></p>
<p style="text-align: justify; "><span>By </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">31 March 2014</a><span>, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to </span><a href="http://netindian.in/news/2013/03/05/00023379/electronic-toll-collection-all-national-highways-march-2014-joshi">Dr. Joshi</a><span>, the Union Minister for Road Transport and Highways:</span></p>
<blockquote class="italized" style="text-align: justify; "><i>“</i><i>The RFID technology</i><i> shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”</i></blockquote>
<p style="text-align: justify; "><span>Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it </span><a href="http://articles.timesofindia.indiatimes.com/2013-03-07/mumbai/37530519_1_plazas-on-national-highways-toll-plazas-toll-collection">uniquely identifies each vehicle</a><span>, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.</span></p>
<p style="text-align: justify; "><span>The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an </span><a href="http://www.thehindu.com/news/national/article3636417.ece">Event Data Recorder (EDR)</a><span>, otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.</span></p>
<p style="text-align: justify; "><span>Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it </span><a href="http://www.thehindu.com/news/national/article3636417.ece">mandatory for cars</a><span> to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.</span></p>
<h2><b>Are monitored cars safer?</b></h2>
<p style="text-align: justify; "><span>The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a </span><a href="http://www.fhwa.dot.gov/publications/research/safety/05049/05049.pdf">2005 Federal Highway Administration study</a><span>, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other</span><a href="http://www.techdirt.com/articles/20091218/1100537428.shtml"> studies</a><span> of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.</span></p>
<p style="text-align: justify; "><span>Furthermore, there have been </span><a href="http://www.usatoday.com/story/news/nation/2013/03/08/speed-camera-ruling/1974369/">claims</a><span> that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.</span></p>
<p style="text-align: justify; "><span>Companies which manufacture </span><a href="http://dir.indiamart.com/impcat/vehicle-tracking-systems.html">vehicle tracking systems</a><span> are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?</span></p>
<p style="text-align: justify; "><span>And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope,</span><a href="http://www.farnish.plus.com/amatterofscale/mirrors/omni/surveillance.htm"> but us</a><span>. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored,</span><a href="http://www.samharris.org/blog/item/the-trouble-with-profiling"> we are all suspects</a><span> and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.</span></p>
<h2><b>Maneuvering our monitoring</b></h2>
<p style="text-align: justify; "><span>Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.</span></p>
<p style="text-align: justify; "><span>Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as</span><a href="http://d2dtl5nnlpfr0r.cloudfront.net/tti.tamu.edu/documents/0-4196-2.pdf"> increasing the duration of the yellow light</a><span> between the green and the red, </span><a href="http://www.motorists.org/red-light-cameras/alternatives">re-timing lights</a><span> so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.</span></p>
<p style="text-align: justify; "><span>Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:</span></p>
<blockquote class="quoted"><i>Should we be monitored at all?</i></blockquote>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes'>https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:26:33ZBlog EntryMicrosoft releases its first report on data requests by law enforcement agencies around the world
https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies
<b>In this post, the Centre for Internet and Society presents Microsoft´s report on law enforcement requests, with a focus on data requested by Indian law enforcement agencies.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Last week, Microsoft released its first report with data on the number of requests received from law enforcement agencies around the world relating to Microsoft online and cloud services. Microsoft´s newly released <a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">2012 Law Enforcement Requests Report </a>depicts the company's willingness to join the ranks of Google, Twitter and other Web businesses that publish transparency reports.</p>
<p style="text-align: justify; "><span>As of 30 June 2012, </span><a href="http://www.internetworldstats.com/asia.htm#in">137 million</a><span> Indians are regular Internet users, many of which use Microsoft services including Skype, Hotmail, Outlook.com, SkyDrive and Xbox Live. Yet, until recently, it was unclear whether Indian law enforcement agencies were requesting data from our Skype calls, emails and other Microsoft services. Thus, Microsoft's release of a report on law enforcement requests is a decisive step in improving transparency in regards to how many requests for data are made by law enforcement agencies and how many requests are granted by companies. Brad Smith, an executive vice president and Microsoft´s general counsel, wrote in his </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">blog post</a><span>:</span></p>
<blockquote class="italized"><i>“As we continue to move forward, Microsoft is committed to respecting human rights, free expression and individual privacy.”</i></blockquote>
<h2><b>Microsoft 2012 Law Enforcement Requests</b></h2>
<p style="text-align: justify; "><span>Democratic countries requested the most data during 2012, according to </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Microsoft´s report</a><span>. The law enforcement agencies in the United States, the United Kingdom, Germany, France and Turkey accounted for 69 percent of the 70, 665 requests Microsoft (excluding Skype) received last year. Although India did not join the rank of the countries which made the fewest requests from Microsoft, it did not join the</span><a href="http://www.itpro.co.uk/data-protection/19488/microsoft-opens-collaboration-law-enforcement-agencies"> top-five league</a><span> which accounted for the most requests, despite the country having </span><a href="https://opennet.net/research/profiles/india">one of the world´s highest number of Internet users</a><span>.</span></p>
<p style="text-align: justify; "><span>Out of the</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 70,665 requests</a><span> to Microsoft by law enforcement agencies around the world, only about 0.6 percent of the requests were made by Indian law enforcement agencies. These 418 requests specified 594 accounts and users, which is significantly low in comparison to the top-five and other countries, such as Taiwan, Spain, Mexico, Italy, Brazil and Australia. Indian law enforcement requests accounted for about 0.5 percent of the total 122, 015 accounts and user data that was requested by law enforcement agencies around the world.</span></p>
<p style="text-align: justify; "><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">Content data</a><span> is defined by Microsoft as what customers create, communicate and store on or through their services, such as words in an e-mail or photographs and documents stored on SkyDrive or other cloud offerings. </span><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html?_r=1&">Non-content data</a><span>, on the other hand, refers to basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration. According to Microsoft´s 2012 report, the company did not disclose any content data to Indian law enforcement agencies. In fact, only </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">2.2 percent </a><span>of requests from law enforcement agencies around the world resulted in the disclosure of content data, </span><a href="http://www.engadget.com/2013/03/21/microsoft-posts-its-first-law-enforcement-requests-report/">99 percent of which were in response to warrants from courts in the United States</a><span>. Microsoft may have not disclosed any of our content data, but</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> 370 requests</a><span> from Indian law enforcement agencies resulted in the disclosure of our non-content data. In other words, 88.5 percent of the requests by India resulted in the disclosure of e-mail addresses, IP addresses, names, locations and other subscriber information.</span></p>
<p style="text-align: justify; "><span>Out of the 418 requests made to Microsoft by Indian law enforcement agencies, </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">only 4 were rejected </a><span>(1 percent) and no data was found for 44 requests (10.5 percent). In total, Microsoft rejected the disclosure of 1.2 percent of the requests made by law enforcement agencies around the world, while data was not found for 16.8 percent of the international requests. Thus, the outcome of the data shows that the majority of the requests by Indian law enforcement agencies resulted in the disclosure of non-content data, while very few requests were rejected by Microsoft (excluding Skype). The following table summarizes the requests by Indian law enforcement agencies and their outcome:</span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total number of requests</p>
</td>
<td>
<p>418 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/Users specified in requests</p>
</td>
<td>
<p>594 (0.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of non-content data</p>
</td>
<td>
<p>370 (88.5%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>44 (10.5%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests rejected</p>
</td>
<td>
<p>4 (1%)</p>
</td>
</tr>
</tbody>
</table>
<h2><span>Skype 2012 Law Enforcement Requests</span></h2>
<p style="text-align: justify; "><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">Microsoft acquired Skype</a> towards the end of 2011 and the integration of the two companies advanced considerably over the course of 2012. According to the<a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> Microsoft 2012 report</a>, Indian law enforcement agencies made 53 requests for Skype user data and 101 requests for specified accounts on Skype. In other words, out of the total 4,715 requests for Skype user data by law enforcement agencies around the world, the requests by Indian law enforcement accounted for about 0.1 percent. 15,409 international requests were made for specified accounts on Skype, but Indian law enforcement requests only accounted for about 0.6 percent of those.</p>
<p style="text-align: justify; "><span>The</span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1"> report </a><span>appears to be extremely reassuring, as it states that Skype did</span><i> not </i><span>disclose any content data to any law enforcement agencies around the world. That essentially means that, according to the report, that all the content we created and communicated through Skype during 2012 was kept private from law enforcement. Although Microsoft claims to not have disclosed any of our content data, it did </span><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx">disclose </a><a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/03/21/microsoft-releases-2012-law-enforcement-requests-report.aspx"><i>non-content data</i></a><span>, such as SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number. However, Microsoft did not report how many requests the company received for non-content data, nor how much data was disclosed and to which countries.</span></p>
<p style="text-align: justify; "><span>Microsoft </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/#FAQs1">reported </a><span>that data was not found for 47 of India´s law enforcement requests, which represents 88.6 percent of the requests. In total, Microsoft reported that data was not found for about half the requests made by law enforcement agencies on an international level. Out of the 53 requests, Microsoft provided guidance to Indian law enforcement agencies for 10 requests. In particular, such guidance was provided either in response to a rejected request or general questions about the process for obtaining Skype user data. Yet, the amount of rejected requests for Skype user data was not included in the report and the guidance provided remains vague. The following table summarizes the requests by Indian law enforcement agencies for Skype user data and their outcome:</span><span> </span></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Total of requests</p>
</td>
<td>
<p>53 (0.1%)</p>
</td>
</tr>
<tr>
<td>
<p>Accounts/identifiers specified in requests</p>
</td>
<td>
<p>101 (0.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Requests resulting in disclosure of content</p>
</td>
<td>
<p>0 (0%)</p>
</td>
</tr>
<tr>
<td>
<p>No data found</p>
</td>
<td>
<p>47 (88.6%)</p>
</td>
</tr>
<tr>
<td>
<p>Provided guidance to law enforcement</p>
</td>
<td>
<p>10 (18.8%)</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>The Centre for Internet and Society (CIS) supports the publication of </span><a href="http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft´s 2012 Law Enforcement Requests Report</a><span> and encourages Microsoft (including Skype) to continue releasing such reports which can provide an insight on how much user data is being shared with law enforcement agencies around the world. In order to ensure that such reports adequately provide transparency, they should be broadened in the future to include more data, such as the amount of non-content data requests disclosed by Skype, the type of guidance provided to law enforcement agencies and the amount of requests rejected by Skype. Nonetheless, this report is a decisive first step in increasing transparency and further, more detailed reports are strongly encouraged.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies'>https://cis-india.org/internet-governance/blog/microsoft-releases-first-report-on-data-requests-by-law-enforcement-agencies</a>
</p>
No publishermariaInternet GovernanceSAFEGUARDS2013-07-12T12:19:31ZBlog EntryThe Personal Data (Protection) Bill, 2013
https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013'>https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T14:53:11ZFileThe India Privacy Monitor Map
https://cis-india.org/internet-governance/blog/india-privacy-monitor-map
<b>The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country. </b>
<p style="text-align: justify; ">In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.</p>
<p style="text-align: justify; ">In particular, the map in its current format includes data on the following:</p>
<p style="text-align: justify; "><b>UID:</b> The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.</p>
<p style="text-align: justify; "><b>NPR:</b> Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.</p>
<p style="text-align: justify; "><b>CCTV:</b> Closed-circuit television cameras which can produce images or recordings for surveillance purposes.</p>
<p style="text-align: justify; "><b>UAV: </b>Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.</p>
<p style="text-align: justify; "><b>CCTNS: </b>The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.</p>
<p style="text-align: justify; "><b>Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor </b></p>
<p style="text-align: justify; ">This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-privacy-monitor-map'>https://cis-india.org/internet-governance/blog/india-privacy-monitor-map</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-09T16:26:14ZBlog EntryBigDog is Watching You! The Sci-fi Future of Animal and Insect Drones
https://cis-india.org/internet-governance/blog/big-dog-is-watching-you
<b>Do you think robotic aeroplanes monitoring us are scary enough? Wait until you read about DARPA´s new innovative and subtle way to keep us all under the microscope! This blog post presents a new reality of drones which is depicted in none other than animal and insect-like robots, equipped with cameras and other surveillance technologies. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Just when we thought we had seen it all, the US Defence Advanced Research Projects Agency (DARPA) funded another controversial surveillance project which makes even the most bizarre sci-fi movie seem like a pleasant fairy-tale in comparison to what we are facing: animal and insect drones.</p>
<p style="text-align: justify; ">Up until recently, unmanned aerial vehicles (UAVs), otherwise called drones, depicted the scary reality of surveillance, as robotic pilot-less planes have been swarming the skies, while monitoring large amounts of data without people´s knowledge or consent. Today, DARPA has come up with more subtle forms of surveillance: animal and insect drones. Clearly animal and insect-like drones have a much better camouflage than aeroplanes, especially since they are able to go to places and obtain data that mainstream UAVs can not.</p>
<p dir="ltr" style="text-align: justify; ">India´s ´DARPA´, the Defence Research and Development Organisation (DRDO), has been creating <a href="http://www.indiastrategic.in/topstories1369_Unmanned_Aerial_Vehicle.htm"><span>UAVs</span></a> over the last ten years, while the Indian Army first acquired UAVs from Israel in the late 1990s. Yet the use of all UAVs in India is still poorly regulated! Drones in the U.S. are regulated by the <a href="http://www.faa.gov/"><span>Federal Aviation Administration (FAA)</span></a>, whilst the <a href="https://www.easa.europa.eu/what-we-do.php"><span>European Aviation Safety Agency (EASA)</span></a> regulates drones in the European Union. In India, the <a href="http://www.civilaviation.gov.in/MocaEx/faces/index.html;jsessionid=BLvyRvDp2NJzl4Q264fTNkXdynJkvJGF6bK1rSJtCrcJzwq1pym2!-750232318?_adf.ctrl-state=buu3l8xph_4"><span>Ministry of Civil Aviation</span></a> regulates drones, whilst the government is moving ahead with plans to<a href="http://indiatoday.intoday.in/story/aviation-ministry-moots-to-replace-dgca-with-a-super-regulator/1/224097.html"><span> replace the Directorate General of Civil Aviation (DGCA)</span></a> with a Civil Aviation Authority. However, current Indian aviation laws are vague in regards to data acquired, shared and retained, thus not only posing a threat to individual´s right to privacy and other human rights, but also enabling the creation of a secret surveillance state.</p>
<p dir="ltr" style="text-align: justify; ">The DRDO appears to be following DARPA´s footsteps in terms of surveillance technologies and the questions which arise are: will animal and insect drones be employed in India in the future? If so, how will they be regulated?</p>
<p><b><span> </span></b></p>
<h2><span>BigDog/LS3</span></h2>
<h2></h2>
<p><iframe frameborder="0" height="250" src="http://www.youtube.com/embed/40gECrmuCaU" width="250"></iframe></p>
<p align="JUSTIFY">Apparently having UAVs flying above us and monitoring territories and populations without our knowledge or consent was not enough. DARPA is currently funding the <a href="http://defensetech.org/2012/02/08/video-the-latest-terrifying-drone-dog/">BigDog project</a>, which is none other than a drone dog, a four-legged robot equipped with a camera and capable of surveillance in disguise. DARPA and Boston Dynamics are working on the latest version of BigDog, called the <a href="http://www.darpa.mil/Our_Work/TTO/Programs/Legged_Squad_Support_System_%28LS3%29.aspx">Legged Squad Support System (LS3)</a>, which can carry 400 pounds of gear for more than 20 miles without refuelling. Not only can the LS3 walk and run on all types of surfaces, including ice and snow, but it also has ´vision sensors´ which enable it to autonomously maneuver around obstacles and follow soldiers in the battle field. The LS3 is expected to respond to soldiers' voice commands, such as 'come', 'stop' and 'sit', as well as serve as a battery charger for electronic devices.</p>
<p align="JUSTIFY">BigDog/LS3 is undoubtedly an impressive technological advancement in terms of aiding squads with surveillance, strategic management and a mobile auxiliary power source, as well as by carrying gear. Over the last century most technological developments have manifested through the military and have later been integrated in societies. Many questions arise around the BigDog/LS3 and its potential future use by governments for non-military purposes. Although UAVs were initially used for strictly military purposes, they are currently also being used by governments on an international level for <a href="http://www.nasa.gov/centers/dryden/pdf/111760main_UAV_Assessment_Report_Overview.pdf">civil purposes</a>, such as to monitor climate change and extinct animals, as well as to surveille populations. Is it a matter of time before BigDog is used by governments for ´civil purposes´ too? Will robotic dogs swarm cities in the future to provide ´security´?</p>
<p align="JUSTIFY"> </p>
<p dir="ltr" style="text-align: justify; ">Like any other surveillance technology, the LS3 should be legally regulated and current lack of regulation could create a potential for abuse. Is authorisation required to use a LS3? If so, who has the legal right to authorise its use? Under what conditions can authorisation be granted and for how long? What kind of data can legally be obtained and under what conditions? Who has the legal authority to access such data? Can data be retained and if so, for how long and under what conditions? Do individuals have the right to be informed about the data withheld about them? Just because it´s a ´dog´ should not imply its non-regulation. This four-legged robot has extremely intrusive surveillance capabilities which may breach the right to privacy and other human rights when left unregulated.</p>
<p><b><span> </span></b></p>
<h2><span>Humming Bird Drone</span></h2>
<table class="invisible">
<tbody>
<tr>
<th>
<p><span><img src="https://cis-india.org/home-images/hummingbirddronepic.png/@@images/f6c4be7f-597d-4909-914e-6470256cb1c9.png" style="text-align: justify; " title="Humming bird drone" class="image-inline" alt="Humming bird drone" /></span></p>
</th>
</tr>
<tr>
<td>Source:<a class="external-link" href="http://www.hightech-edge.com/aerovironment-nano-humming-bird-flapping-wing-uav-video-clip/10309/"> HighTech Edge</a></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">TIME magazine recognised DARPA for its Hummingbird nano air vehicle (NAV) and named the drone bird<a href="http://www.darpa.mil/newsevents/releases/2011/11/24.aspx"><span> one of the 50 best inventions of 2011</span></a>. True, it is rather impressive to create a robot which looks like a bird, behaves like a bird, but serves as a secret spy.</p>
<p dir="ltr" style="text-align: justify; ">During the presentation of the humming bird drone, <a href="http://www.ted.com/talks/regina_dugan_from_mach_20_glider_to_humming_bird_drone.html"><span>Regina Dugan</span></a>, former Director of DARPA, stated:</p>
<p class="callout" dir="ltr" style="text-align: justify; "><i>"</i>Since we took to the sky, we have wanted to fly faster and farther. And to do so, we've had to believe in impossible things and we've had to refuse to fear failure<i>."</i><span> </span></p>
<p dir="ltr" style="text-align: justify; ">Although believing in 'impossible things' is usually a prerequisite to innovation, the potential implications on human rights of every innovation and their probability of occurring should be examined. Given the fact that drones already exist and that they are used for both military and non-military purposes, the probability is that the hummingbird drone will be used for civil purposes in the future. The value of data in contemporary information societies, as well as government's obsession with surveillance for ´national security´ purposes back up the probability that drone birds will not be restricted to battlefields.</p>
<p dir="ltr" style="text-align: justify; ">So should innovation be encouraged for innovation’s sake, regardless of potential infringement of human rights? This question could open up a never-ending debate with supporters arguing that it´s not technology itself which is harmful, but its use or misuse. However the current reality of drones is this: UAVs and NAVs are poorly regulated (if regulated at all in many countries) and their potential for abuse is enormous, given that <a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/05/securitymatters_0515"><span>´what happens to our data happens to ourselves....who controls our data controls our lives.´</span></a> If UAVs are used to surveille populations, why would drone birds not be used for the same purpose? In fact, they have an awesome camouflage and are potentially capable of acquiring much more data than any UAV! Given the surveillance benefits, governments would appear irrational not to use them.</p>
<p><b><span> </span></b></p>
<h2><span>MeshWorms and Remote-Controlled Insects</span></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/picofmeshworm.png" alt="MeshWorm" class="image-inline" title="MeshWorm" /></th>
</tr>
<tr>
<td>Source: <a class="external-link" href="http://www.nydailynews.com/news/national/scientists-create-resilient-robot-worm-medicine-electronics-spy-missions-roboticists-leading-universities-wroking-pentagon-grant-created-super-durable-synthetic-worm-call-meshworm-robot-article-1.1134361">NY Daily News</a></td>
</tr>
</tbody>
</table>
<table class="invisible">
<tbody>
<tr>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Think insects are creepy? Now we can have a real reason to be afraid of them. Clearly robotic planes, dogs and birds are not enough.</p>
<p dir="ltr" style="text-align: justify; ">DARPA´s <a href="http://www.bbc.co.uk/news/technology-19200285"><span>MeshWorm project</span></a> entails the creation of earthworm-like robots that crawl along surfaces by contracting segments of their bodies. The MeshWorm can squeeze through tight spaces and mold its shape to rough terrain, as well as absorb heavy blows. This robotic worm will be used for military purposes, while future use for ´civil purposes´ remains a probability.</p>
<p dir="ltr" style="text-align: justify; ">Robots, however, are not only the case. Actual insects are being wirelessly controlled, such as <a href="http://www.technologyreview.com/news/411814/the-armys-remote-controlled-beetle/"><span>beetles with implanted electrodes</span></a> and a radio receiver on their back. The giant flower beetle´s size enables it to carry a small camera and a heat sensor, which constitutes it as a reliable mean for surveillance.</p>
<p dir="ltr" style="text-align: justify; "><span>Other</span><a href="http://www.wired.com/dangerroom/2012/06/ff_futuredrones/"> drone insects</a><span> look and fly like ladybugs and dragonflies. Researchers at the Wright State University in Dayton, Ohio, have been working on a butterfly drone since 2008. Former software engineer Alan Lovejoy has argued that the US is developing </span><a href="http://www.businessinsider.com/the-future-of-micro-drones-is-getting-pretty-scary-according-to-alan-lovejoy-2012-6">mosquito drones</a><span>. Such a device could potentially be equipped with a camera and a microphone, it could use its needle to abstract a DNA sample with the pain of a mosquito bite and it could also inject a micro RFID tracking device under peoples´ skin. All such micro-drones could potentially be used for both military and civil purposes and could violate individuals´ right to privacy and other civil liberties.</span></p>
<p><b><span> </span></b></p>
<h2><span>Security vs. Privacy: The wrong debate</span></h2>
<p style="text-align: justify; "><b><span> </span></b>09/11 was not only a pioneering date for the U.S., but also for India and most countries in the world. The War on Terror unleashed a global wave of surveillance to supposedly enable the detection and prevention of crime and terrorism. Governments on an international level have been arguing over the last decade that the use of surveillance technologies is a prerequisite to safety. However, security expert, <a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html"><span>Bruce Schneier</span></a>, argues that the trade-off of privacy for security is a false dichotomy.</p>
<p dir="ltr" style="text-align: justify; ">Everyone can potentially be a suspect within a surveillance state. Analyses of Big Data can not only profile individuals and populations, but also identify ‘branches of communication’ around every individual. In short, if you know someone who may be considered a suspect by intelligence agencies, you may also be a suspect. The mainstream argument <a href="http://www.youtube.com/watch?v=GMN2360LM_U"><span>“I have nothing to hide, I am not a terrorist’</span></a> is none other than a psychological coping mechanism when dealing with surveillance. The reality of security indicates that when an individual’s data is being intercepted, the probability is that those who control that data can also control that individual’s life. Schneier has argued that<a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html"><span> privacy and security are not on the opposite side of a seesaw</span></a>, but on the contrary, the one is a prerequisite of the other. Governments should not expect us to give up our privacy in exchange for security, as loss of privacy indicates loss of individuality and essentially, loss of freedom. We can not be safe when we trade-off our personal data, because privacy is what protects us from abuse from those in power. Thus the entire War on Terror appears to waged through a type of phishing, as the promise of ´security´ may be bait to acquire our personal data.</p>
<p align="JUSTIFY">Since the <a href="http://www.thenational.ae/news/world/south-asia/mumbai-police-to-get-aerial-drones-to-help-fight-crime">2008 Mumbai terrorist attacks</a>, India has had more reasons to produce, buy and use surveillance technologies, including drones. Last New Year´s Eve, the <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2012-12-31/mumbai/36078903_1_surveillance-cameras-terror-outfits-netra">Mumbai police used UAVs</a> to monitor hotspots, supposedly to help track down revellers who sexually harass women. The Chennai police recently procured <a class="external-link" href="http://www.thehindu.com/news/cities/chennai/it-flies-it-swoops-it-records-and-monitors/article4218683.ece">three UAVs from Anna University </a>to assist them in keeping an eye on the city´s vehicle flow. Raj Thackeray´s rally marked<a class="external-link" href="http://articles.economictimes.indiatimes.com/2012-08-22/news/33322409_1_mumbai-police-uav-unmanned-aerial-vehicle"> the biggest surveillance exercise ever launched for a single event</a>, which included UAVs. The Chandigarh police are the first Indian police force to use the <a class="external-link" href="http://www.indianexpress.com/news/UAV--Chandigarh-police-spread-wings-with--Golden-Hawk-/779043/">´Golden Hawk´</a> - a UAV which will keep a ´bird´s eye on criminal activities´. This new type of drone was manufactured by the <span>Aeronautical Development Establishment (one of DRDO's premier laboratories based in Bangalore) and as of 2011 is being used by Indian law enforcement agencies.</span></p>
<p align="JUSTIFY">Although there is no evidence that India currently has any animal or insect drones, it could be a probability in the forthcoming years. Since India is currently using many UAVs either way, why would animal and/or insect drones be excluded? What would prevent India from potentially using such drones in the future for ´civil purposes´? More importantly, how are ´civil purposes´ defined? Who defines ´civil purposes´and under what criteria? Would the term change and if so, under what circumstances? The term ´civil purposes´ varies from country to country and is defined by many political, social, economic and cultural factors, thus potentially enabling extensive surveillance and abuse of human rights.</p>
<p dir="ltr" style="text-align: justify; ">Drones can potentially be as intrusive as other communications surveillance technologies, depending on the type of technology they´re equipped with, their location and the purpose of their use. As they can potentially violate individuals´ right to privacy, freedom of expression, freedom of movement and many other human rights, they should be strictly regulated. In<a href="http://www.uavs.org/regulation"><span> Europe UAVs</span></a> are regulated based upon their weight, as unmanned aircraft with an operating mass of less than 150kg are exempt by the EASA Regulation and its Implementation Rules. This should not be the case in India, as drones lighter than 150kg can potentially be more intrusive than other heavier drones, especially in the case of bird and insect drones.</p>
<p dir="ltr" style="text-align: justify; ">Laws which explicitly regulate the use of all types of drones (UAVs, NAVs and micro-drones) and which legally define the term ´civil purposes´ in regards to human rights should be enacted in India. Some thoughts on the authorisation of drones include the following: A Special Committee on the Use of All Drones (SCUAD) could be established, which would be comprised of members of the jury, as well as by other legal and security experts of India. Such a committee would be the sole legal entity responsible for issuing authorisation for the use of drones, and every authorisation would have to comply with the constitutional and statutory provisions of human rights. Another committee, the Supervisory Committee on the Authorisation of the Use of Drones (lets call this ´SCAUD´), could also be established, which would also be comprised by (other) members of the jury, as well as by (other) legal and security experts of India. This second committee would supervise the first and it would ensure that SCUAD provides authorisations in compliance with the laws, once the necessity and utility of the use of drones has been adequately proven.</p>
<p dir="ltr" style="text-align: justify; "><span>It´s not about ´privacy vs. security´. Nor is it about ´privacy or security´. In every democratic state, it should be about ´privacy and security´, since the one cannot exist without the other. Although the creation of animal and insect drones is undoubtedly technologically impressive, do we really want to live in a world where even animal-like robots can be used to spy on us? Should we be spied on at all? How much privacy do we give up and how much security do we gain in return through drones? If drones provided the ´promised security´, then India and all other countries equipped with these technologies should be extremely safe and crime-free; however, that is not the case.</span></p>
<p dir="ltr" style="text-align: justify; ">In order to ensure that the use of drones does not infringe upon the right to privacy and other human rights, strict regulations are a minimal prerequisite. As long as people do not require that the use of these spying technologies are strictly regulated, very little can be done to prevent a scary sci-fi future. That´s why this blog has been written.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/big-dog-is-watching-you'>https://cis-india.org/internet-governance/blog/big-dog-is-watching-you</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:38:33ZBlog Entry