The Centre for Internet and Society
https://cis-india.org
GNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector
https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector
<b>Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.</b>
<p style="text-align: justify; ">The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.</p>
<p style="text-align: justify; ">The session was held under the Chatham House Rule. Each short presentation was followed by a space for questions and answers.</p>
<ul>
<li>
<div style="text-align: justify; ">Human Rights Impact Assessments in the ICT sector – Michael Samway</div>
</li>
<li>
<div style="text-align: justify; ">The Human Rights Due Diligence Process at Nokia – Laura Okkonen</div>
</li>
<li>
<div style="text-align: justify; ">Yahoo’s approach to Human Rights Impact Assessments – Nicole Karlebach and Katie Shay</div>
</li>
<li>
<div style="text-align: justify; ">Orange’s challenges and approach to doing business in Africa – Yves Nissim</div>
</li>
<li>
<div style="text-align: justify; ">Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen</div>
</li>
<li>
<div style="text-align: justify; ">TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius</div>
</li>
<li>
<div style="text-align: justify; ">Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews</div>
</li>
</ul>
<p>For discussion:</p>
<ul>
<li>What are some of the common challenges facing current GNI member companies and ID member companies?</li>
<li>What do we consider to be good practices that are applicable to all?</li>
<li>What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector'>https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2016-04-06T15:42:41Z | News Item
Short-term Consultant (IETF)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf
<b>The Centre for Internet & Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.</b>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples or other examples of technical work and CV</p>
<p dir="ltr">Contact: sunil@cis-india.org</p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf</a>
</p>
No publisher | elonnai | Jobs | Internet Governance | 2018-04-21T15:44:49Z | Page
Short-term Consultant (Cyber Security)
https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security
<b>The Centre for Internet & Society is seeking an individual with a strong understanding of cyber security to contribute to its cyber security research under its Internet Governance programme.</b>
<p style="text-align: justify; ">Research topics include economic incentives for cyber security, cross-border sharing of data, India’s cyber security framework, and the cybersecurity dimensions of e-governance.</p>
<p dir="ltr">Note: This position is consultancy based on output.</p>
<p dir="ltr">Compensation: Based on experience and output.</p>
<p dir="ltr">Application requirements: two writing samples and CV</p>
<p dir="ltr">Contact: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a></p>
<p>
For more details visit <a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security'>https://cis-india.org/jobs/vacancy-for-short-term-consultant-cyber-security</a>
</p>
No publisher | elonnai | Internet Governance | 2018-04-20T01:27:36Z | Page
GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression
https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression
<b>Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.</b>
<h3>Introduction</h3>
<p style="text-align: justify; ">In January 2014, the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">Global Network Initiative (GNI)</a> published the <a href="http://globalnetworkinitiative.org/sites/default/files/GNI%20Assessments%20Public%20Report.pdf"><i>Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo</i></a>. GNI is an industry consortium that was started in 2008 with the objective of protecting users’ rights to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join the GNI network as members.</p>
<h3 style="text-align: justify; ">Overview of the Public Report</h3>
<p style="text-align: justify; ">The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 to 2013 to measure company compliance with the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">GNI principles</a> on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices, and speak to freedom of expression, privacy, responsible company decision making, multi-stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with <a href="https://globalnetworkinitiative.org/sites/default/files/GNI_-_Implementation_Guidelines_1_.pdf">Implementation Guidelines</a> that give companies a framework for responding to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.</p>
<p style="text-align: justify; ">Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights practices adopted by these companies that work to protect freedom of expression and privacy, such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user whose posted content is removed, Google will often notify the user and direct the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regard to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation implicating privacy and freedom of expression.</p>
<p style="text-align: justify; ">The Report also highlights the challenges companies face in complying with the GNI principles, namely the legal restraints and mandates imposed on them. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users’ privacy would be implicated, when companies choose to assert attorney-client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy, for reasons such as the request needing clarification and modification, or the request needing to follow established procedure.</p>
<p style="text-align: justify; ">A number of findings came out of the assessments undertaken for the Report including:</p>
<ol>
<li style="text-align: justify; ">As demonstrated by the inability to access information about secret national security requests, and the inability of companies to disclose information on this topic, there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.</li>
<li style="text-align: justify; ">The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights.</li>
<li style="text-align: justify; ">Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine whether they are in compliance with the commitment made by that company to the GNI Principles.</li>
</ol>
<p style="text-align: justify; ">The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:</p>
<ul>
<li>Improve the integration of human rights considerations in the due diligence process with respect to acquiring and selling companies.</li>
<li>Consider the impact of hardware on freedom of expression and privacy.</li>
<li>Improve external and internal reporting.</li>
<li>Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations.</li>
<li>Review executive management training.</li>
<li>Improve stakeholder engagement.</li>
<li>Improve communication with users.</li>
<li>Increase sharing of best practices.</li>
<li>The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights.</li>
</ul>
<h3>NSA leaks, global push for governmental surveillance reform, and the Public Report</h3>
<p style="text-align: justify; ">With special attention given to the various companies’ responses to the NSA leaks, the Report notes that in response to the leaks the assessed companies have issued public statements, filed legal challenges against the US government, and filed suit with the FISA Court seeking the right to disclose to the public data on the number of FISA requests received. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore, in December 2014 the companies, along with other internet companies, developed and issued the five <a href="http://reformgovernmentsurveillance.com/">Principles on Global Government Surveillance Reform</a>. Similar to other efforts to end mass and disproportionate surveillance, such as the <a href="https://en.necessaryandproportionate.org/text">Necessary and Proportionate</a> principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, and Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.</p>
<p style="text-align: justify; ">Along these lines, on January 14<sup>th</sup>, GNI released the statement <a href="http://globalnetworkinitiative.org/news/surveillance-reforms-protect-rights-and-restore-trust">“Surveillance Reforms to Protect Rights and Restore Trust”</a>, urging the U.S. Government to review and enact surveillance legislation that incorporates a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically calls on the Government to: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, and support the use of strong encryption standards.</p>
<h3 style="text-align: justify; ">Conclusion and way forward</h3>
<p style="text-align: justify; ">Looking ahead, GNI is planning to develop and implement a mechanism to effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.</p>
<p style="text-align: justify; ">The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users’ freedom of expression and privacy. Hopefully, the GNI assessment is, and will evolve into, a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and begin to adopt the GNI principles and undergo GNI assessments.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression'>https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression</a>
</p>
No publisher | elonnai | Freedom of Speech and Expression | Internet Governance | 2014-01-20T06:17:46Z | Blog Entry
The Omnishambles of UID, shrouded in its RTI opacity
https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity
<b>The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013. </b>
<p>Click below to see Colonel Mathew Thomas's presentation</p>
<h3><b><a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1">Omnishambles of UID Shrouded in its Opacity</a></b></h3>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity'>https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-02-19T11:04:30Z | Blog Entry
Surveillance Camp IV: Disproportionate State Surveillance - A Violation of Privacy
https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy
<b>This is the fourth in a series of posts mapping global surveillance challenges discussed at EFF's State Surveillance and Human Rights Camp in Rio de Janeiro, Brazil. This article has been co-written with Elonnai Hickok — Centre for Internet and Society India, and a speaker at EFF's Camp.</b>
<hr />
<p>This article by Katitza Rodriguez and Elonnai Hickok was originally <a class="external-link" href="https://www.eff.org/deeplinks/2013/02/disproportionate-state-surveillance-violation-privacy">published by the Electronic Frontier Foundation</a> on February 13, 2013.</p>
<hr />
<p style="text-align: justify; ">States around the world are faced daily with the challenge of protecting their populations from potential and real threats. To detect and respond to them, many governments surveil communication networks, physical movements, and transactional records. Though surveillance by its nature compromises individual privacy, there are exceptional situations where state surveillance is justified. Yet, if state surveillance is unnecessary or overreaching, with weak legal safeguards and a failure to follow due process, it can become disproportionate to the threat—infringing on people's privacy rights.</p>
<p style="text-align: justify; ">Internationally, regulations concerning government surveillance of communications vary in approach and effectiveness, often with <a href="https://www.eff.org/deeplinks/2012/12/2012-in-review-state-surveillance-around-globe" target="_blank">very weak or nonexistent legal safeguards</a>. Some countries have strong regulations for the surveillance of communications, yet these regulations may be largely ineffective or unenforceable in practice. Other countries have no legal safeguards, or legal standards that differ vastly according to the type of communication data targeted. This is why, at the end of last year, EFF organized a <a href="https://www.eff.org/issues/surveillance-human-rights" target="_blank">State Surveillance and Human Rights Camp</a> in Brazil to build upon this discussion and focus on how states are facilitating unnecessary and disproportionate surveillance of communications in ways that lead to privacy violations.</p>
<h3 style="text-align: justify; ">State-Mandated Identity Verification</h3>
<p style="text-align: justify; ">In 2012 the Constitutional Court in South Korea <a href="https://www.nytimes.com/2012/08/24/world/asia/south-korean-court-overturns-online-name-verification-law.html?_r=1&" target="_blank">declared</a> that country's "real-name identification system" unconstitutional. The system had mandated that any online portal with more than 100,000 daily users had to verify the identity of their users.<a href="#fn1" name="fr1">[1]</a> This meant that individuals had to provide their real name before posting comments online. The legal challenge to this system was raised by <a href="https://en.wikipedia.org/wiki/People%E2%80%99s_Solidarity_for_Participatory_Democracy" target="_blank">People's Solidarity for Participatory Democracy</a> (PSPD)'s Public Law Center and <a href="https://en.wikipedia.org/wiki/Korean_Progressive_Network_%28Jinbonet%29%20" target="_blank">Korean Progressive Network</a>—Jinbonet, among others.</p>
<p style="text-align: justify; ">Korea University professor Kyung-shin Park, Chair of PSPD's Law Center, told EFF that portals and phone companies would disclose identifying information about six million users annually—in a country of only 50 million people. The South Korean Government was using perceived online abuses as a convenient excuse to discourage political criticism, professor Park told EFF:</p>
<p class="callout" style="text-align: justify; ">The user information shared with the police most commonly has been used by the government to monitor the anti-governmental sentiments of ordinary people. All this has gone on because the government, the legislature, and civil society have not clearly understood the privacy implications of turning over identifying information of individuals.</p>
<p style="text-align: justify; ">The decision by the South Korean Constitutional Court to declare the "real identification system" unconstitutional was a win for user privacy and anonymity because it clearly showed that blanket mandates for the disclosure of identifying information, and the subsequent sharing of that data without judicial authorization, are a disproportionate measure that violates the rights of individuals.<a href="#fn2" name="fr2">[2]</a></p>
<h3 style="text-align: justify; ">States Restrict Encryption and Demand Backdoors</h3>
<p style="text-align: justify; ">Some States are seeking to block, ban, or discourage the use of strong encryption and other privacy enhancing tools by requiring assistance in decrypting information. In India, service providers are required to ensure that bulk encryption is not deployed. Additionally, no individual or entity can employ encryption with a key longer than 40 bits. If the encryption equipment exceeds this limit, the individual or entity will need prior written permission from the Department of Telecommunications and <a href="https://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">must deposit</a> the decryption keys with the Department.<a href="#fn3" name="fr3">[3]</a> The limitation on encryption in India means that technically any encrypted material over 40 bits <a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">would be accessible</a> by the State. Ironically, the Reserve Bank of India <a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">issued security recommendations</a> that banks should use strong encryption, as high as 128-bit, for securing browser sessions.<a href="#fn4" name="fr4">[4]</a> In the United States, under the <a href="http://wiki.surveillancehumanrights.org/Background_on_lawful_interception_mandates_and_government_access_to_encryption_keys" target="_blank">Communications Assistance for Law Enforcement Act</a>, telecommunication carriers are required to provide decryption assistance only if they already possess the keys (and in many communications system designs, there's no reason carriers should need to possess the keys at all). In 2011, the <a href="https://www.eff.org/pages/legal-struggles-over-interception-rules-united-states" target="_blank">US Government proposed a bill</a> that would place new restrictions on domestic development or use of cryptography, privacy software, and encryption features on devices. The bill has not been adopted.</p>
<p style="text-align: justify; ">Allowing only low levels of encryption and requiring service providers to assist in the decryption of communications facilitates surveillance by giving States easier access to data and preventing individuals from using crypto tools to protect their personal communications.</p>
<h3 style="text-align: justify; ">States Establish Blanket Interception Facilities</h3>
<p style="text-align: justify; ">In Colombia, telecommunications network and service providers carrying out business within the national territory <a href="https://www.eff.org/pages/mapping-laws-government-access-citizens-data-colombia" target="_blank">must implement</a> and ensure that interception facilities are available at all times to state agencies as prescribed by law. This is to enable authorized state agencies to intercept communications at any point in time. In addition to providing interception facilities, service providers must also retain subscriber data for a period of five years, and provide information such as subscriber identity, invoicing address, type of connection, and geographic location of terminals when requested.</p>
<p style="text-align: justify; ">Though Colombia has put in place regulations for the surveillance of communications, these regulations allow for broad surveillance and do not afford the individual clear rights in challenging the same.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The examples above demonstrate that, although state surveillance of communications can be justified in exceptional instances, it leads to the violation of individual privacy when implemented without adequate legal safeguards. Clearly there is a need for international principles articulating the critical and necessary components of due process for the surveillance of communications. Those strong legal safeguards are necessary not only in countries that don't have laws in place, but also in countries where existing laws fail to adequately protect privacy. Last year, EFF <a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms" target="_blank">organized the State Surveillance and Human Rights Camp</a> to discuss a set of <a href="http://necessaryandproportionate.net/" target="_blank">International Principles on State Surveillance of Communications</a>, a global effort led by EFF and Privacy International, to define, articulate, and promote legal standards to protect individual privacy when the state carries out surveillance of communications.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>] Constitutional Court's Decision 2010 Hunma 47, 252 (consolidated), announced August 28, 2012.</p>
<p>[<a href="#fr2" name="fn2">2</a>] The illegality of this practice was proved by a High Court decision handed down 2 months after the Constitutional Court's decision in August 2012. Seoul Appellate Court 2011 Na 19012, Judgment Announced October 18, 2012. This case <a href="http://www.peoplepower21.org/English/955480" target="_blank">was prepared and followed singularly</a> by PSPD Public Interest Law Center.</p>
<p>[<a href="#fr3" name="fn3">3</a>] <a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf">License Agreement for Provision of Internet Services, Section 2.2 (vii)</a>.</p>
<p>[<a href="#fr4" name="fn4">4</a>] Reserve Bank of India. <a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">Internet Banking Guidelines</a>. Section (f (2)).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy'>https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2013-02-19T12:37:09Z | Blog Entry
Does the UID Reflect India?
https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india
<b>On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events. </b>
<h3>Introduction</h3>
<p>Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and they urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits – or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many drawbacks, including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit <em>Aadhaar</em> numbers. The Campaign for No UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications.</p>
<h3>Benefits for the Poor</h3>
<p>Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, 41% of India’s population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantees benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language leaves room for abuse of how the information that is collected will be used.</p>
<h3>Appropriate Methodology</h3>
<p>Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute guarantor of identity in the way that DNA would be. A person’s biometrics are in fact very public: they are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if their identities were stolen; indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.</p>
<h3>Legal Questions</h3>
<p>Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly, she pointed out that the UID project has not yet been given legal sanction, yet enrolment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan concerned the compulsory nature of the <em>Aadhaar</em> number. Legally, the UID Bill does not make the <em>Aadhaar</em> number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID Bill would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the <em>Aadhaar</em> number could be called truly voluntary.</p>
<h3>Does India Comprehend what the UID Could Bring?</h3>
<p>Another fear voiced by Ms. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded to a centralized database, there is a new set of concerns over that data: what is happening to it, who is using it, what it is being used for, who is seeing it, who is analyzing it, and what happens if that data is lost. One of the serious implications of the project is its threat to anonymity. Anonymity results when the personal identity, or personally identifiable information, of a person is not known. Anonymity already exists today in Indian society by default. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person that will be used for every transaction, it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. It is true that India could benefit from a lesser degree of anonymity; corruption, for instance, might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations, not just for illegal activity but for disfavored or unpopular activity as well.</p>
<h3>Conclusion</h3>
<p>One way to avoid the misuse of data is through adherence to privacy standards governing, for instance, how data should be processed and transferred. India does not as yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand, this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india'>https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india</a>
</p>
No publisher | elonnai | Internet Governance | 2012-03-22T05:45:32Z | Blog Entry
Cybersecurity Compilation
https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf'>https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf</a>
</p>
No publisher | elonnai | 2017-06-18T13:15:49Z | File
AI in Governance
https://cis-india.org/internet-governance/files/ai-in-governance
<p>
For more details visit <a href='https://cis-india.org/internet-governance/files/ai-in-governance'>https://cis-india.org/internet-governance/files/ai-in-governance</a>
</p>
No publisher | elonnai | 2018-04-17T14:00:46Z | File
Feedback to the NIA Bill
https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill
<b>Malavika Jayaram and Elonnai Hickok introduce the formal submission of CIS to the proposed National Identification Authority of India (NIA) Bill, 2010, which would give every resident a unique identity. The submissions contain the detailed comments on the draft bill and the high level summary of concerns with the NIA Bill submitted to the UIDAI on 13 July, 2010.</b>
<p>The UID draft bill is a proposed legislation that authorizes the creation of a centralized database of unique identification numbers that will be issued to every resident of India. The purpose of such a database is characterized as ensuring that every resident is provided services and benefits. The UID project was first set up and introduced to the public in February 2009 by the planning committee. In June 2010, a draft bill was proposed which attracted public debates and opinions for over two weeks. Currently the bill is being considered by Parliament in the winter session (July-August 2010). If the Parliament of India approves the bill, it may be enacted during Winter 2010.</p>
<p>CIS has closely followed the UID project and reviewed the bill right from the time it was first issued, and has worked to initiate and contribute to a public debate, including attending workshops in Delhi on 6 May, 2010 and in Bangalore on 16 May, 2010.</p>
<p>We respect the fact that civil society has many voices. That said, in our criticisms, suggestions, and analysis of the UID draft bill, we are asking for a simple, well-defined document, the language and structure of which expressly precludes abuse of a centralized identification database. The document should provide solely for its stated purpose of enabling the provision of benefits to the poor. Along with this mandate we believe the document should give clear rights of choice, control, and privacy to the <em>Aadhaar</em> number holder. Below is a summary of our general comments with citations to specific sections of the draft bill. A <a href="https://cis-india.org/internet-governance/letter-to-uid-authority" class="internal-link" title="Feedback on the NIA Bill 2010">detailed</a> section by section critique is attached along with our <a href="https://cis-india.org/internet-governance/high-level-summary" class="internal-link" title="High Level Summary">high level summary</a> of concerns. The compilation and synthesis of detailed critiques was done by Malavika Jayaram.</p>
<h2>Summary of High-Level Concerns</h2>
<h3>Clarity of Definition and Purpose</h3>
<p>Most importantly, we find that in order to adhere to the stated purpose of the bill there is a need to limit and better define the language in the relevant sections of the bill. This includes the powers and purpose of the Authority and the overarching scheme of the bill. We are concerned that the over-breadth and generality of the language will open up the opportunity for more information to be collected than originally stated. Further, clearer definition will act to prevent uncontrolled or unwanted change in the project’s scope, and will clearly limit the usage of the <em>Aadhaar</em> numbers to the facilitation of the delivery of social welfare programs.</p>
<p>For the bill to be in line with its original purpose of reaching out to the poor, we also believe the issue of fees must be addressed. We find that the bill does not adequately define what fees shall be applied for authentication of <em>Aadhaar</em> numbers. We also find it incompatible with the bill’s stated purpose to require an individual to pay to be authenticated. The bill should provide that no charges will be levied for authentication by registrars and other service providers for certain categories of <em>Aadhaar</em> number holders (BPL, disabled, etc.), and that charges will be limited or capped in other cases. This will bring the bill in line with the statement in Chapter II 3 (1), “Every resident shall be entitled to obtain an <em>Aadhaar</em> number on providing his demographic information and biometric information to the Authority in such a manner as may be specified by regulations”, and Chapter 3 (10), “The Authority shall take special measures to issue <em>Aadhaar</em> numbers to women, children, senior citizens, persons with disability, migrant unskilled and unorganized workers, nomadic tribes or such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations.” If a fee must be permitted, a cap or safeguard should be put in place to ensure that the fee does not become a mechanism of abuse.</p>
<h3>Protection of the Citizen</h3>
<p>The bill should ensure the protection of citizens’ rights to privacy and freedom of choice. To do this it is important that the bill is voluntary, allows for the protection of anonymity, and is clear on how data will be collected, stored and deleted. Measures should be taken towards ensuring that the <em>Aadhaar</em> number is truly voluntary. Accordingly, a prohibition against the denial of goods, services, entitlements and benefits (private or public) for lack of a UID number, provided that an individual furnishes equivalent ID, is necessary. The bill should also spell out the situations in which anonymity will be preserved and/or an <em>Aadhaar</em> number should not be requested, such as in relation to a person’s sexuality/sexual orientation and marital status/history. Furthermore, the bill should require the Authority, registrars, enrolling agencies and service providers to delete, anonymize or obfuscate transaction data according to defined principles after appropriate periods of time in order to protect the privacy of citizens.</p>
<h3>Motivations of the UID Bill</h3>
<p>Since the submission of the high level summary, we note that a list of 221 agencies empanelled by the UIDAI has been uploaded onto the website (by a memo dated 15 July, 2010). A swift reading reveals that most of the agencies who are going to help enroll people into the UIDAI system are not NGOs, CSOs or other welfare-oriented not-for-profit entities; rather, they are largely IT companies and commercial enterprises. This raises the question of whether the UID scheme/<em>Aadhaar</em> is truly geared towards delivery of benefits and inclusivity of the poor and marginalized. Concerns have already been voiced that the “ecosystem” of registrars and enrolling agencies contemplated by the scheme, to the extent that it envisages a public-private partnership, could firstly be “hijacked” or “captured” by commercial motives and result in sharing of data, security breaches, compromised identities, loss of privacy, data mining and customer profiling, and secondly end up neglecting the very sections of society that the scheme allegedly most wants to help. The list of empanelled companies makes this an even more likely and imminent concern. Without casting aspersions on any of those entities, we would like to highlight that this sort of delegated structure raises several concerns.</p>
<p>Additionally, we find the speed and efficiency with which the UIDAI juggernaut is signing MoUs with states, banks and government agencies on the one hand, and issuing tenders, RFPs, RFQs and otherwise seeking proposals and awarding contracts to private entities – in the absence of any Parliament-sanctioned law (the bill is still a draft, and yet to even be placed before the Parliament) to be alarming. Along with news of the increasing costs of the project and doubts about how foolproof the technology will be, it is staggering to imagine that something that raises so many concerns is being pushed through without a more serious debate. The lack of formal procedures and open debates makes one wonder how democratic the actual process is.</p>
<h2>Conclusion</h2>
<p>To conclude, CIS believes that the UID bill threatens the rights of citizens in India, and appeals to the citizen to think critically of its implications and consequences.</p>
<p>1. <a href="https://cis-india.org/internet-governance/letter-to-uid-authority" class="internal-link" title="Feedback on the NIA Bill 2010">Detailed Summary pdf (159kb)</a></p>
<p>2. <a href="https://cis-india.org/internet-governance/high-level-summary" class="internal-link" title="High Level Summary">High Level Summary (77kb)</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill'>https://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill</a>
</p>
No publisher | elonnai | Submissions, Internet Governance | 2012-03-21T10:14:27Z | Blog Entry
Presentation of the UID project by Ashok Dalwai – A Report
https://cis-india.org/internet-governance/blog/uid-dalwai-presentation
<b>On Tuesday, 7 September 2010, Ashok Dalwai, the Deputy Director General of the Unique Identification Authority of India (UIDAI), gave a lecture at the Indian Institute of Science in Bangalore. Representing the UID Authority, his presentation explained the vision of the project and focused on the challenges involved in demographic and biometric identification, the technology adopted, and the enrolment process. Elonnai Hickok gives a report of his presentation in this blog post.</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-dalwai-presentation'>https://cis-india.org/internet-governance/blog/uid-dalwai-presentation</a>
</p>
No publisher | elonnai | Internet Governance | 2012-03-21T10:09:48Z | Blog Entry
Privacy Concerns in Whole Body Imaging: A Few Questions
https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions
<b>Security versus privacy: it is a question that the world is facing today when it comes to using Whole Body Imaging technology to screen travellers visually in airports and other places. Giving real-life examples from different parts of the world, Elonnai Hickok points out that even if the Government of India eventually decides to advocate tight security measures with some restrictions, such measures need to be balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.</b>
<p><strong>What is Whole Body Imaging? </strong></p>
<p>Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons. </p>
<h3>How are These Technologies Being Used - Two News Items to Ponder:</h3>
<p><strong>News Item One </strong></p>
<p>In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.</p>
<p>Also, in response to the attempted attack on the U.S., the Mumbai terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, The Times of India ran a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one); instead, the authority randomly selects persons to be scanned. An individual has the option to opt out of the scan, but those who do so must undergo a thorough body pat-down search. During the scan, the officer may zoom in on parts of the image for a better look if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased.
The wireless transmission of the image to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.</p>
<p>Despite this, the machines are controversial because they generate images of a passenger’s entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security produced a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough detail for personal identification, that the image is not retained, and that the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.</p>
<p><strong>News Item Two</strong></p>
<p>In October this year, Fox News came out with a story telling how x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the inside of the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In the vans, the technology used is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option of opting out in favour of a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the van. Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right arises from an individual’s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car.</p>
<h3>Questions at the Heart of the WBI Debate:</h3>
<p>Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body: its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly pertinent given that airport scanning is of only a randomly selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do, through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? Or would this defeat the purpose of the technology, given that its purpose is to prevent an event that could lead to a declared national emergency?
Furthermore, how can legislation and policy, which have traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?</p>
<p><strong>How Have Other Countries Responded to Whole Body Imaging and How Should India Respond?</strong></p>
<p>Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.</p>
<p>In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.</p>
<p>Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.</p>
<p>The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</a>
</p>
No publisher | elonnai | Privacy | 2012-03-21T10:09:02Z | Blog Entry
DSCI Information Security Summit 2010 – A Report
https://cis-india.org/internet-governance/blog/dsci-information-summit
<b>On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.</b>
<p>Day one commenced with a keynote address given by Jeffrey Carr, Principal, GreyLogic, US, who spoke about the gravity of the risks that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade, as foreign countries will have an enforced policy to assure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are:</p>
<ul><li>data security and privacy</li><li>compliance requirements</li><li>legal and contractual requirements</li></ul>
<p>It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as the 40-bit encryption limit and the Indian Telecom licensing policy, which do not permit data transfer outside the cloud. Also discussed were measures that organisations have adopted to address data protection challenges in the cloud, including: including security and privacy clauses in the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on <em>Data Protection Challenges in Cloud Computing: An Indian Perspective</em>. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from security-enabled software towards security embedded in hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.</p>
<p>The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy offered many different viewpoints, ranging from the stance that India has been taking the right steps towards securing individuals’ privacy to the contrasting view that India has seen a dilution of privacy standards in recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate, created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections: to return to the clauses in the ITA, see if they are indeed being followed, and then assess whether India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes, a debate arose on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken in the United States in which key stakeholders, including students and local law enforcement, were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives.
Closing the day was a panel on E-Security for the next five years, including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework.</p>
<p>The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/dsci-information-summit'>https://cis-india.org/internet-governance/blog/dsci-information-summit</a>
</p>
No publisher, elonnai, Internet Governance, 2012-03-21T10:04:22Z, Blog Entry
C.I.S Responds to Privacy Approach Paper
https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper
<b>A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, and sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated to seek the opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training to seek public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation.</b>
<h2>1. What is privacy? </h2>
<div>
<div>
<p>a) In the approach paper, the definition of privacy is not consistent and the meanings are used interchangeably. It is variously referred to as a right and as an expectation. Also, we find that no real distinction is being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that the language used to define privacy needs to be defined and made consistent throughout the document.</p>
<p>b) CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts:</p>
<p>1. Physical - physical space, body, home, car, etc. </p>
<p>2. Informational - digital as well as non-digital (information gathering, storage, retrieval, usage, transfer, disposal, etc.).</p>
<p>3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.</p>
</div>
<h2>2. Is there a need for privacy protection? </h2>
<div>
<p>a) We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data.</p>
<div>
<p>b) As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project.</p>
<p>c) However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation.</p>
</div>
<h2>3. Is there a need for such legislation? </h2>
<div>
<p>a) We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (e.g. AMFI, MFIN) leave us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document.</p>
<div>
<p>b) We endorse the attempt to arrive, through statute, at a minimal though robust horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy.</p>
</div>
</div>
<h2>4. Legislative Competence: </h2>
<p>We agree.</p>
</div>
<h2>5. Is there a constitutional right to privacy? </h2>
<div>
<div>
<p>a) We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution.</p>
<div>
<p>b) However, the approach paper is factually incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities.</p>
<p>c) Most frequently, this issue has arisen in the context of hospital/patient relationships, and the courts have held that the right to privacy is not unqualified.</p>
<p>d) Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services.</p>
<p>e) We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.</p>
</div>
</div>
</div>
<h2>6. Existing legislation: </h2>
<div>
<p>a) In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony, etc.</p>
<div>
<p>b) By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions.</p>
<p>c) We agree that the ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal.</p>
<p>d) We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent.</p>
<p>e) Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure.</p>
<p>f) Generally speaking, a privacy regime should work towards:</p>
<ol>
<li>Increasing the protection of tangible and intangible possessions as well as personal data;</li>
<li>Increasing knowledge of privacy and empowering people to make informed choices;</li>
<li>Making organizations more accountable for protecting privacy;</li>
<li>Compelling (through audits, sanctions, etc.) organisations to improve security standards;</li>
<li>Increasing individuals’ confidence in privacy laws and the organisations protecting privacy.</li>
</ol>
</div>
<h2>7. Potential Conflicts between Data Protection Legislation and other Laws: </h2>
<div>
<p>We find that it would be useful if the laws that conflict with the data protection legislation were referenced in each section.</p>
</div>
<h3> 7.1 Data Protection and the Right to Information</h3>
<div>
<p>a) The argument that a privacy legislation would conflict with the RTI is somewhat overstated.</p>
<div>
<p>b) Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act.</p>
<p>c) We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold, and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example.</p>
<p>d) The kinds of personal data that are broadcast in the transparency bulletins should be limited, with specifics shared if need be on a case-by-case basis.</p>
<p>e) As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy, and privacy is one of the most frequent grounds for refusal of data by public bodies.</p>
<p>f) Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest, and the proposed privacy legislation ought not to disturb this careful balance.</p>
<p>g) We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act.</p>
</div>
</div>
<h3>7.2 Data Protection and Credit Verification</h3>
<div>
<p>a) We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification.</p>
<div>
<p>b) All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data.</p>
<p>c) This may include limitations on marketing efforts and disclosure to third parties.</p>
</div>
<h3>7.3 Data Protection and Private Investigative Agencies</h3>
</div>
<p>a) We believe that private investigators should undergo licensure, and that PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws.</p>
<div>
<div>
<p>b) Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc.) by these agencies.</p>
</div>
<h3>7.4 Data Protection and National Security</h3>
</div>
<p>a) We understand the conflict between the need for a government to ensure the security of its population and the need to protect privacy.</p>
<div>
<p>b) We find the most effective resolution is to require judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc.).</p>
</div>
</div>
<h3>7.5 Data Protection vs. Transparency in Government</h3>
<div>
<p>a) We feel that this section engages very sloppily with the issue of transparency/corruption in India.</p>
<div>
<p>b) It completely ignores the history of the various struggles for transparency in government fought across India, which were aimed precisely at prodding the government out of its secretive shell.</p>
<p>c) In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years.</p>
<p>d) The publication of lists of recipients/beneficiaries of schemes has been one of the most hard-won and potent tools used to mobilize collective action by locals against corrupt officials.</p>
<p>e) We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue.</p>
</div>
<h3>8.0 Privacy legislation in other countries:</h3>
<p>a) We agree with the recommendations, but would include notification of breach: how, when, what and who.</p>
<div>
<p>b) We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties.</p>
</div>
</div>
</div>
<h3>9.0 Proposed Framework for Privacy Legislation: </h3>
<div>
<div>
<p>a) Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such as TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to.</p>
<div>
<p>b) In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs.</p>
<p>c) We would recommend instead the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector.</p>
<p>d) We also find the framework primarily targeted toward digital data protection alone; it needs to address all forms of information and include personal and intellectual contexts.</p>
</div>
</div>
<h3>9.1 Applicability</h3>
<div>
<p>We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:</p>
<div>
<p>a) We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. That is, it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.</p>
<p>b) We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt private and domestic collection of information from the purview of this Act. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers, etc. from the scope of this act. Remedies against these users would still remain, as they have thus far in tort law.</p>
</div>
<h3>9.2 Data</h3>
<div>
<p>While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:</p>
<div>
<p>a) The distinction is useful to prescribe enhanced security precautions during the stage of data collection. For example, the collection of genetic data or the HIV status of a person can be made subject to very stringent conditions compared to, say, the collection of more mundane details like name and age.</p>
<p>b) However, we believe the distinction is not useful if it is used, say, to provide differentiated access/data security standards for the two types of information, e.g. if the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data, or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used for lethal purposes.</p>
</div>
</div>
</div>
<h3> 9.3 Personal Data</h3>
<div>
<p>We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person.</p>
</div>
</div>
<h3>9.4 Personal Sensitive Data </h3>
<p>See comments at 9.2 above.</p>
<h3>9.5 Data Collection</h3>
<div>
<div>
<div>
<p>a) We feel that while informed consent ought to be mandatory in all situations, the mandatory requirement of informed ‘written’ consent could be confined to the collection of sensitive information and any information that is likely to be stored for longer than, say, a week.</p>
<div>
<p>b) This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’.</p>
<p>c) Simultaneously, more ‘industrial’ collectors of personal information, such as telephone and insurance companies, would be required to obtain written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent.</p>
<p>d) It is important that this requirement be in addition to, and not diminish, consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “informed written consent” under the privacy act should not override other, more rigorous judicial guidelines.</p>
<p>e) As an overriding safeguard, we think that where “balancing interests” come into play, such interests must first seek and obtain judicial approbation.</p>
</div>
</div>
<h3> 9.6 Data Processing</h3>
<div>
<p>a) We agree with the need to fix primary responsibility for data security on the data controller; however,</p>
<div>
<p>b) it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller.</p>
<p>c) We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”.</p>
</div>
</div>
</div>
<h3>9.7 Data Storage</h3>
<div>
<p>a) We concur that data should be stored only until the time the purpose for which it was collected is achieved.</p>
<div>
<p>b) Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection.</p>
<p>c) We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival purposes, etc., should come under the scrutiny of the judiciary.</p>
<p>d) We endorse the approach paper’s conservative stance on the linking of databases.</p>
</div>
</div>
<h3>9.8 Data Security</h3>
<div>
<p>a) We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held.</p>
<div>
<p>b) This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information.</p>
</div>
</div>
<h3>9.9 Data Access</h3>
<div>
<p>a) We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them.</p>
<div>
<p>b) We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right.</p>
</div>
</div>
<h3>9.10 Cross Border Applicability and Transfer</h3>
<div>
<p>a) We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions.</p>
<div>
<p>b) Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted.</p>
</div>
</div>
<h3>9.11 Exemptions</h3>
<div>
<p>a) We believe that exemptions to the legislation should be carefully worded and, where possible, permitted only through judicial oversight.</p>
<div>
<p>b) Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion beyond what is allowable under existing law, e.g. an exemption in the Privacy Act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.</p>
</div>
</div>
<h3>9.12 Automated Decision Making</h3>
<div>
<p>a) We agree, but we think that there is a present need for laws on automated decision making, since the technology is already in use in India and other countries.</p>
<div>
<p>b) In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed, along with a synopsis of the logic of such algorithms.</p>
</div>
</div>
<h3>9.13 Regulatory Set Up</h3>
<div>
<p>We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up”.</p>
<div>
<p>a) At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (e.g. TRAI/TDSAT and SEBI/SAT) and could be usefully imported in the present context.</p>
<p>b) Secondly, we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim.</p>
<p>c) Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of citizens and civil service organizations. One of the reasons most frequently cited by government departments for refusing access to information under the RTI is ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation, and merging the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are at present being resolved satisfactorily by the information commissioners under the RTI Act, and the proposed Privacy legislation should not disturb this.</p>
</div>
</div>
<h2>Conclusion</h2>
<div>
<p>We commend the drafters of the approach paper for having skillfully woven together the best international practices related to privacy, with an eye to the specifics of the Indian situation. However, we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians, e.g. the Consumer Protection Act, the Motor Vehicles Act, etc.</p>
<div><a href="https://cis-india.org/internet-governance/blog/privacyapproachpaper" class="internal-link" title="Privacy Approach Paper">Approach Paper: 121KB</a></div>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper'>https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper</a>
</p>
No publisher, elonnai, 2012-03-21T10:08:10Z, Blog Entry
American Bar Association Online Privacy Conference: A Report
https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference
<b>On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panelists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take.</b>
<h3>Introduction</h3>
<p>On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:</p>
<ul><li>Lisa Sotto, a private practitioner in the US</li><li>Billy Hawkes, Commissioner of Data Protection, Ireland</li><li>Bojana Bellamy, Director of Data Privacy, London, UK</li><li>Hugh Stevenson, Deputy Director of the Federal Trade Commission, US</li><li> Jennifer Stoddart, Privacy Commissioner, Canada.</li></ul>
<p>The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that should be considered and given thought as India moves forward with a privacy legislation.</p>
<h3>Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross-border Data Transfer</h3>
<p>When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer, the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing, internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a data breach, the onus at the end of the day falls on the company that was in possession of the data when the breach occurred. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility: creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice was the emerging trend of “privacy by design”. “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy, allowing consumers to easily and quickly recognize which products are more privacy-risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors would be particularly useful in a sectoral system like the US, where companies that collect data but are not part of the regulated sectors (financial, health, etc.) do not come within the purview of the privacy-protecting laws.</p>
<h3>Privacy Seals Globally? Privacy Seals in India?</h3>
<p>If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently on the Indian consumer. Even though India does not have privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal”. Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially, a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.</p>
<h3>Accountability:</h3>
<p>In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy, the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an “accountability principle” to the Directive. The Directive defines accountability as showing how responsibility is exercised and making this verifiable, or in simpler terms, compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate data controllers to implement appropriate and effective measures to make sure the principles and obligations of the Directive are being put into effect by organizations. The second would require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment, monitoring, sanctions, and internal and external audits. The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that data controllers would need to strengthen their internal arrangements.
Further accountability measures considered by the Directive working party include:</p>
<ul><li>establishment of internal procedures prior to the creation of new personal data processing operations;</li><li>setting up written and binding data protection policies to be considered and applied to new data processing operations;</li><li>mapping of procedures to ensure proper identification of all data processing operations, and maintenance of an inventory of data processing operations;</li><li>appointment of a data protection officer;</li><li>offering adequate data protection training and education to staff members.</li></ul>
<h3>Data Breaches:</h3>
<p>The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database, it is clear that data breaches are a continual and often very serious problem. Few people, though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have well-defined data breach policies in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements in their laws. Despite this, there are no broad statutes for data breach notification in the US or the EU. In 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self-regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, bad press in the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and questions that self-regulation faces are:</p>
<ul><li>Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?</li><li>How will the balance between over-reporting breaches and under-reporting breaches be maintained?</li><li>Even if there is a social incentive to provide notification of a breach, is it adequate to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breaches?</li><li>If bad media is the main form of penalty for companies, is this enough of a penalty, and is it able to take into consideration the context of each privacy breach?</li></ul>
<p>These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider integrating data breach statutes into broad legislation. </p>
<h3>E-Privacy Directive Breach Notification:</h3>
<p>Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two-tiered system: a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier applies if the breach impacts the subscriber or individual; then the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:</p>
<ol><li>the type of information and the number of records compromised;</li><li>the circumstances of the loss, release, or corruption;</li><li>actions taken to minimize or mitigate the effect on the individuals involved, including whether they have been informed;</li><li>details of how the breach is being investigated;</li><li>whether any other regulatory bodies have been informed and, if so, their responses;</li><li>remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment.</li></ol>
<h3>Accountability, breach notification: What material should India think about for a legal privacy structure?</h3>
<p>Lawrence Friedman once explained that legal systems are living organisms: bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legislation it is important to look at what purpose that legislation is going to serve, and whether that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations in response to cultural and economic changes against a backdrop of widely dispersed population groups with deeply ingrained traditions of government and management. This has led to incongruities; for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces challenges concerning privacy that are both similar to and different from those the EU and Western countries face. One of the greatest privacy challenges in India today, despite its having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming privacy legislation, a few broad questions that India needs to consider are:</p>
<ul><li>Does it want broad legislation, which could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislation, which risks being too tailored and difficult to harmonize?</li><li>If India wants a broad privacy framework, how will this be set up?</li><li>What will be the tools used for civic education?</li><li>How will enforcement take place?</li><li>Is self-regulated accountability or statutory accountability better?</li><li>Will there be a privacy tribunal?</li><li>How will data be categorized?</li><li>Will breaches be notified?</li><li>Will standardized privacy policies be created?</li></ul>
<p>As Hugh Stevenson, the commissioner from the FTC, described, one of the greatest benefits of breach notification has been the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work, how their information is processed, what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of a breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced is whether comprehensive legislation could be implemented, and whether India should be looking to enact such comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy. To these concerns I can only speculate that there is always a balance between being overly ambitious in legislation and being too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</a>
</p>
No publisher | elonnai | Privacy | 2012-03-21T10:08:36Z | Blog Entry