The Centre for Internet and Society
https://cis-india.org
Report on the 2nd Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-2nd-privacy-round-table
<b>This post entails a report on the second Privacy Round Table meeting which took place on 20th April 2013. </b>
<hr />
<p>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</p>
<hr />
<p style="text-align: justify; ">In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</p>
<p style="text-align: justify; ">In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</p>
<p style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The dates of the six Privacy Round Table meetings are listed below:</p>
<ol style="text-align: justify; ">
<li>New Delhi Roundtable: 13 April 2013</li>
<li>Bangalore Roundtable: 20 April 2013</li>
<li>Chennai Roundtable: 18 May 2013</li>
<li>Mumbai Roundtable: 15 June 2013</li>
<li>Kolkata Roundtable: 13 July 2013</li>
<li>New Delhi Final Roundtable and National Meeting: 17 August 2013</li>
</ol>
<p style="text-align: justify; ">Following the first Privacy Round Table in Delhi, this <a href="https://cis-india.org/internet-governance/blog/report-on-bangalore-privacy-meeting" class="internal-link">report</a> entails an overview of the discussions and recommendations of the second Privacy Round Table meeting in Bangalore, on 20<sup>th</sup> April 2013.</p>
<h2 style="text-align: justify; ">Overview of DSCI´s paper on “Strengthening Privacy Protection through Co-regulation”</h2>
<p style="text-align: justify; ">The meeting began with a brief summary of the first Privacy Round Table meeting which took place in Delhi on 13<sup>th</sup> April 2013. Following the summary, the Data Security Council of India (DSCI) presented the paper “Strengthening Privacy Protection through Co-regulation”. In particular, DSCI presented the regulatory framework for data protection under the IT (Amendment) Act 2008, which entails provisions for sensitive personal information, privacy principles and “reasonable security practices”. It was noted that the privacy principles, as set out in the Justice AP Shah Report, refer to: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness and individual participation. The generic definitions of identified privacy principles refer to: notice, choice and consent, collection limitation, purpose specification, access and correction, disclosure of information, security, openness/transparency and accountability. However, the question which prevailed is what type of regulatory framework should be adopted to incorporate all these privacy principles.</p>
<p style="text-align: justify; ">DSCI suggested a co-regulatory framework which would evolve from voluntary self-regulation with legal recognition. The proposed co-regulatory regime could have different types of forms based on the role played by the government and industry in the creation and enforcement of rules. DSCI mentioned that the Justice AP Shah Committee recommends: (1) the establishment of the office of the Privacy Commissioner, both at the central and regional levels, (2) a system of co-regulation, with emphasis on SROs and (3) that SROs would be responsible for appointing an ombudsman to receive and handle complaints.</p>
<p style="text-align: justify; ">The discussion points brought forward by DSCI were:</p>
<ul style="text-align: justify; ">
<li>What role should government and industry respectively play in developing and enforcing a regulatory framework? </li>
<li>How can the codes of practice developed by industry be enforced in a co-regulatory regime? How will the SRO check the successful implementation of codes of practice? How can the SRO penalize non-compliances?</li>
<li>How can an organization be incentivized to follow the codes of practice under the SRO?</li>
<li>What should be the role of SROs in redressal of complaints?</li>
<li>What should be the business model for SROs?</li>
</ul>
<p style="text-align: justify; ">DSCI further recommended the establishment of “light weight” regulations based on global privacy principles that value economic beliefs of data flow and usage, while guaranteeing privacy to citizens. DSCI also recommended that bureaucratic structures that could hinder business interests be avoided, as well as that the self-regulatory framework of businesses adapts technological advances to the privacy principles. Furthermore, DSCI recommended that self-regulatory bodies are legally recognised.</p>
<h2 style="text-align: justify; ">Discussion on the draft Privacy (Protection) Bill 2013</h2>
<h3 style="text-align: justify; ">Discussion of definitions and preamble: Chapter I &amp; II</h3>
<p style="text-align: justify; ">The second session began with a discussion of definitions used in the Bill. In particular, many participants argued that the term ´personal data´ should be more specific, especially since the vague definition of the term could create a potential for abuse. Other participants asked who the protection of personal data applies to and whether it covers both companies and legal persons. Furthermore, the question of whether the term ´personal data´ entails processed and stored data was raised, as well as whether the same data protection regulations apply to foreign citizens residing in India. A participant argued that the preamble of the Bill should be amended to include the term ´governance´ instead of ´democracy´, as this privacy legislation should be applicable in all cases in India, regardless of the current political regime.</p>
<h3 style="text-align: justify; ">Sensitive Personal Data</h3>
<p style="text-align: justify; ">The meeting proceeded with a discussion of the term ´sensitive personal data´ and many participants argued that the term should be broadened to include more categories, such as religion, ethnic group, race, caste, financial information and others. Although the majority of the participants agreed that the term ´sensitive personal data´ should be redefined, they disagreed in regards to what should be included in the term. In particular, the participants were not able to reach a consensus on whether religion, caste and financial information should be included in the definition of the term ´sensitive personal data´. Other participants argued that passwords should be included within the scope of ´sensitive personal data´, as they can be just as crucial as financial information.</p>
<h3 style="text-align: justify; ">Information vs. Data</h3>
<p style="text-align: justify; ">During the discussion, a participant argued that there is a subtle difference between the term ´information´ and ´data´ and that this should be pointed out in the Bill to prevent potential abuse. Another participant argued that ´sensitive personal data´ should be restricted to risk factors, which is why unique identifiers, such as passwords, should be included in the definition of the term. Other participants argued that the context of data defines whether it is ´sensitive´ or not, as it may fall in the category of ´national security´ in one instance, but may not in another. Thus, all types of data should be considered within their context, rather than separately. The fact that privacy protection from several financial services already exists was pointed out and the need to exclude pre-existing protections from the Bill was emphasised. In particular, a participant argued that banks are obliged to protect their customers´ financial information either way, which is why it should not be included in the definition of the term ´sensitive personal data´.</p>
<h3 style="text-align: justify; ">Exemptions</h3>
<p style="text-align: justify; ">Several exemptions to the right to privacy were discussed throughout the meeting. A participant asked whether the right to privacy would also apply to deceased persons and to unborn infants. Another participant asked whether the term ´persons´ would be restricted to natural persons or if it would also apply to artificial persons. The fact that children should also have privacy rights was discussed in the meeting and in particular, participants questioned whether children´s right to privacy should be exempted in cases when they are being surveilled by their own parents.</p>
<h2 style="text-align: justify; ">Discussion of “Protection of Personal Data”: Chapter III</h2>
<p style="text-align: justify; ">Following the discussion of definitions used in the Bill, the meeting proceeded with a discussion on the protection of personal data. A participant emphasized that the probability of error in data is real and that this could lead to major human rights violations if not addressed appropriately and in time. The fact that the Bill does not address the element of error within data was pointed out, and it was suggested that this be included in the draft Privacy (Protection) Bill. Another participant recommended an amendment to the Bill which would specify the parties, such as the government or companies, which would be eligible to carry out data collection in India. As new services are being included, the end purpose of data collection should be taken into consideration and, in particular, the ´new purposes´ for data collection would have to be specified at every given moment.</p>
<h3 style="text-align: justify; ">Data Collection</h3>
<p style="text-align: justify; ">In terms of data collection, a participant emphasized that the objectives and purposes are different from an individual and an industry perspective, which should be explicitly considered through the Bill. Furthermore, the participant argued that the fact that multiple purposes for data collection may arise should be taken into consideration and relevant provisions should be incorporated in the Bill. Another participant argued that the issue of consent for data collection may be problematic, especially since the purpose of data collection may change in the process and while an individual may have given consent to the initial purpose for data collection, he/she may not have given consent to the purposes which evolved throughout the process. Thus, explicitly defining the instances for data collection may not be feasible.</p>
<h3 style="text-align: justify; ">Consent</h3>
<p style="text-align: justify; ">On the issue of consent, several participants argued that it would be important to distinguish between ´mandatory´ and ´optional´ information, as, although individuals may be forced by the government to hand over data in certain cases, in other cases they <i>choose </i>to disclose their personal data. Thus participants argued that the Bill should provide different types of privacy protections for these two separate cases. Other participants argued that the term ´consent´ varies depending on its context and that this too should be taken into consideration within the draft Privacy (Protection) Bill. It was also argued that a mechanism capable of gaining individual consent prior to data collection should be developed. However, a participant emphasized that, in many cases, it is very difficult to gain individual consent for data collection, especially when individuals cannot read or write. Thus the need to include provisions for uneducated or disabled persons within the Bill was strongly emphasized.</p>
<p style="text-align: justify; ">Further questions were raised in regards to the withdrawal of consent. Several participants argued that the draft Privacy (Protection) Bill should explicitly determine that all data is destroyed once an individual has withdrawn consent. Participants also argued that consent should also be a prerequisite to the collection, processing, sharing and retention of secondary users´ data, such as the data of individuals affiliated to the individual in question. A participant argued that there are two problematic areas of consent: (1) financial distribution (such as loans) and (2) every financial institution must store data for a minimum of seven to eight years. Having taken these two areas in consideration, the participant questioned whether it is feasible to acquire consent for such cases, especially since the purpose for data retention may change in the process. Participants also referred to extreme cases through which consent may not be acquired prior to the collection, processing, sharing and retention of data, such as in disastrous situations (e.g. earthquake) or in extreme medical cases (e.g. if a patient is in a coma), and suggested that relevant provisions are included in the Bill.</p>
<h3 style="text-align: justify; ">Data Disclosure</h3>
<p style="text-align: justify; ">In terms of data disclosure, several participants argued that the disclosure of data can potentially be a result of blackmail and that the Bill does not provide any provisions for such extreme cases. Furthermore, participants argued that although consent may be taken from an individual for a specific purpose, such data may be used in the process for multiple other purposes by third parties and that it is very hard to prevent this. It was recommended that the Bill should incorporate provisions to prevent the disclosure of data for purposes other than the ones for which consent was given.</p>
<p style="text-align: justify; ">A participant recommended that individuals are informed of the name of the Data Processor prior to the provision of consent for the disclosure of data, which could potentially increase transparency. Many participants raised questions in regards to the protection of data which goes beyond the jurisdiction of a country. It remains unclear how data will be processed, shared and retained when it is not handled within India and several participants argued that this should be addressed within the Bill.</p>
<h3 style="text-align: justify; ">Data Destruction</h3>
<p style="text-align: justify; ">In terms of data destruction, a participant emphasized that the draft Privacy (Protection) Bill lacks provisions for the confirmation of the destruction of data. In particular, although the Bill guarantees the destruction of data in certain cases, it does not provide a mechanism through which individuals can be assured that their data has actually been deleted from databases. Another individual argued that since the purposes for data collection may change within the process, it is hard to determine the cases under which data can be destroyed. Since the purposes for data collection and data retention may change in time, the participant argued that it would be futile to set a specific regulatory framework for data destruction. Another participant emphasized the value of data and stated that although some data may appear to have no value today, it may in the future, which is why data should not be destroyed.</p>
<h3 style="text-align: justify; ">Data Processing</h3>
<p style="text-align: justify; ">In terms of data processing, participants argued that privacy protection complications have arisen in light of social media. In particular, they argued that social media constantly develop and expand technologically and that it is very difficult to regulate the processing of data that may be conducted by such companies. A participant emphasized the difference between (1) the processing of data when it is being read and (2) the processing of data when it is being analysed. Such a distinction should be considered within the Bill, as well as the use of data which is being processed. Many participants distinguished between the primary and secondary use of data and argued that the secondary use of data should also be included in the privacy statements of companies.</p>
<p style="text-align: justify; ">However, participants also pointed out that purposes for the collection of data may overlap and that it may be difficult to distinguish between primary and secondary purposes for data collection. A participant disagreed with this argument and stated that it is possible to distinguish between primary and secondary purposes of data collection, as long as companies are transparent about why they are collecting information and about the purpose of its processing. This argument was seconded by another participant who argued that the specific purposes for the processing of data should be incorporated in the Bill.</p>
<p style="text-align: justify; ">In brief, the following questions with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>Should consent be required prior to the collection of data?</li>
<li>Should consent be acquired prior to and after the disclosure of data?</li>
<li>Should the purpose of data collection be the same as the purpose for the disclosure of data?</li>
<li>Should an executive order or a court order be required to disclose data?</li>
<li>Against the background of national security, anyone´s data can be under the ´suspicion list´. How can the disclosure of data be prevented in such circumstances? Non-criminals may have their data in the ´suspicion list´ and under national security, the government can disclose information; how can their information be protected in such cases?</li>
<li>An individual may not be informed of the collection, analysis, disclosure and retention of his/her data; how can an individual prevent the breach of his/her data?</li>
<li>Should companies notify individuals when they share their (individuals´) data with international third parties?</li>
</ul>
<p style="text-align: justify; ">In brief, the following recommendations with regards to chapter III of the bill were raised during the meeting:</p>
<ul style="text-align: justify; ">
<li>The data subject has to be informed, unless there is a model contract. </li>
<li>The request for consent should depend on the type of data that is to be disclosed.</li>
<li>Some exceptions need to be qualified (for example, in instances of medical patients different exceptions may apply).</li>
<li>The shared data may be considered private data (need of a relevant regulatory framework).</li>
<li>An international agreement should deal with the sharing of data with international third parties - incorporating such provisions in Indian law would probably be inadequate.</li>
<li>If any country is not data-secure, there should be an approval mechanism for the transfer of data to such a country. </li>
<li>India could have an export law which would monitor which data is sensitive and should not be shared with international third parties.</li>
<li>The problem with disclosure is when there is an exception for certain circumstances.</li>
<li>Records should be kept on individuals who disclose data; there should be a trail of disclosure, so that there can be more transparency and accountability. </li>
<li>Ownership of data is a controversial issue and so is the disclosure of data; consumers give up the ownership of their data when they share it with third parties and ergo cannot control its disclosure (or non-disclosure).</li>
<li>´Data ownership´ should be included in the definitions of the Bill. </li>
<li>What is the ´quality´ of data? The definition for ´quality´ under section 11 of the Bill is not well defined and should be improved.</li>
</ul>
<h2 style="text-align: justify; ">Discussion of “Interception of Communications”: Chapter IV</h2>
<p style="text-align: justify; ">The discussion on the interception of communications started off with a statement that 70 percent of the citizens in India are enrolled on “voice”, which means that the interception of communications affects a large proportion of the population in the country. A participant asked whether the body corporate in India should be treated as a telecommunications provider and whether it should be responsible for the interception of communications. Another participant argued that the disclosure of information should be closely regulated, even when it is being intercepted for judicial purposes. Many participants agreed that data which is collected and intercepted should not be used for purposes other than the original purpose, as well as that such information should not be shared with third parties.</p>
<p style="text-align: justify; ">Questions were raised in regards to who should authorise the interception of communications and a participant recommended that a judicial warrant should be a prerequisite to the interception of communications in India. Some participants argued that the Bill should clearly specify the instances under which communications can be intercepted, as well as the legitimate purposes for interception. It was also argued that some form of ´check and balance´ should exist for the interception of communications and that the Bill should provide mechanisms to ensure that interception is carried out in a legal way. Several participants recommended that the Privacy Commissioner is mandated to approve the interception of communications, while questions were raised in regards to the sharing of intercepted data.</p>
<h2 style="text-align: justify; ">Discussion on self-regulation and co-regulation</h2>
<p style="text-align: justify; ">The final session of the meeting consisted of a debate on self-regulation and co-regulation. Questions were raised in regards to how self-regulation and co-regulation could be enforced. Some participants recommended the establishment of sector regulations which would mandate the various forms of surveillance, such as a separate regulation for the UID scheme. However, this recommendation was countered by participants who argued that the government would probably not approve every sector regulation and that this would leave large areas of surveillance unregulated.</p>
<p style="text-align: justify; ">The participants who supported the self-regulation framework argued that the government should not intervene in the industry and that the industry should determine its own rules in terms of handling its customers´ data. Other participants supported the co-regulatory framework and argued that companies should cooperate with the Privacy Commissioner in terms of handling customers´ data, especially since this would increase transparency on how the industry regulates the use of customers´ data. The supporters of co-regulation supplemented this statement by arguing that the members of the industry should comply with regulations and that if they do not, there should be sanctions. Such arguments were countered by supporters of self-regulation, who stated that the industry should create its own code of conduct and that the government should not regulate its work.</p>
<p style="text-align: justify; ">Furthermore, it was argued that although government regulations for the handling of data could make more sense in other countries, in India, the industry became aware of privacy far sooner than the government did, which is why a self-regulatory regime should be established in terms of handling data. Such arguments were countered by supporters of co-regulation who argued that the industry has vested interest in self-regulation, which should be countered by public policy. This argument was also countered by participants arguing that, given the high levels of corruption in India, the Privacy Commissioner in India may be corrupt and co-regulation may end up being ineffective. Other participants questioned this argument by stating that if India lacks legal control over the use of data by companies, individuals are exposed to potential data breaches. Supporters of co-regulation stated that the Privacy Commissioner should formulate a set of practices and both the industry and the government should comply with them.</p>
<h2 style="text-align: justify; ">Meeting conclusion</h2>
<p style="text-align: justify; ">The second Privacy Round Table entailed a discussion of the definitions used in the draft Privacy (Protection) Bill 2013, as well as of chapters II, III and IV on the right to privacy, the protection of personal data and the interception of communications. The majority of the participants agreed that India needs a privacy legislation and that individuals´ data should be legally protected. However, participants disagreed in regards to how data would be safeguarded and the extent to which data collection, processing, sharing, disclosure, destruction and retention should be regulated. This was supplemented by the debate on self-regulation and co-regulation which concluded the meeting; participants disagreed on whether the industry should regulate the use of customers´ data autonomously from government regulation or whether the industry should co-operate with the Privacy Commissioner for the regulation of the use of data. Though a consensus was not reached in regards to co-regulation and self-regulation, the majority of the participants agreed upon the establishment of a privacy legislation which would safeguard individuals´ personal data. The major issue, however, with the creation of a privacy legislation in India would probably be its adequate enforcement.</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T11:54:28Z | Blog Entry
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009
<b>Rules under section 69(2) of the Information Technology Act, 2008 (after the 2008 amendment).</b>
<p style="text-align: justify; ">G.S.R. 780 (E).— In exercise of the powers conferred by clause (y) of sub-section (2) of section 87, read with sub-section (2) of section 69 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:</p>
<p>1. <b>Short title and commencement.</b>—</p>
<p>(1) These rules may be called the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.</p>
<p>(2) They shall come into force on the date of their publication in the Official Gazette.</p>
<p>2. <b>Definitions.</b>— In these rules, unless the context otherwise requires,--</p>
<p>(a) “Act” means the Information Technology Act, 2000 (21 of 2000);</p>
<p>(b) “communication” means dissemination, transmission, carriage of information or signal in some manner and include both a direct communication and an indirect communication;</p>
<p style="text-align: justify; ">(c) “communication link” means the use of satellite, microwave, radio, terrestrial line, wire, wireless or any other communication media to inter-connect computer resource;</p>
<p>(d) “competent authority” means--</p>
<p>(i) the Secretary in the Ministry of Home Affairs, in case of the Central Government; or</p>
<p style="text-align: justify; ">(ii) the Secretary in charge of the Home Department, in case of a State Government or Union territory, as the case may be;</p>
<p style="text-align: justify; ">(e) “computer resource” means computer resource as defined in clause (k) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(f) “decryption” means the process of conversion of information in non-intelligible form to an intelligible form via a mathematical formula, code, password or algorithm or a combination thereof;</p>
<p>(g) “decryption assistance” means any assistance to--</p>
<p>(i) allow access, to the extent possible, to encrypted information; or</p>
<p>(ii) facilitate conversion of encrypted information into an intelligible form;</p>
<p>(h) “decryption direction” means a direction issued under Rule (3) in which a decryption key holder is directed to--</p>
<p>(i) disclose a decryption key; or</p>
<p>(ii) provide decryption assistance in respect of encrypted information;</p>
<p>(i) “decryption key” means any key, mathematical formula, code, password, algorithm or any other data which is used to--</p>
<p>(i) allow access to encrypted information; or</p>
<p>(ii) facilitate the conversion of encrypted information into an intelligible form;</p>
<p style="text-align: justify; ">(j) “decryption key holder” means any person who deploys the decryption mechanism and who is in possession of a decryption key for purposes of subsequent decryption of encrypted information relating to direct or indirect communications;</p>
<p>(k) “information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(l) “intercept” with its grammatical variations and cognate expressions, means the aural or other acquisition of the contents of any information through the use of any means, including an interception device, so as to make some or all of the contents of an information available to a person other than the sender or recipient or intended recipient of that communication, and includes--</p>
<p>(a) monitoring of any such information by means of a monitoring device;</p>
<p>(b) viewing, examination or inspection of the contents of any direct or indirect information; and</p>
<p style="text-align: justify; ">(c) diversion of any direct or indirect information from its intended destination to any other destination;</p>
<p style="text-align: justify; ">(m) “interception device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to intercept any information; and any reference to an “interception device” includes, where applicable, a reference to a “monitoring device”;</p>
<p style="text-align: justify; ">(n) “intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(o) “monitor” with its grammatical variations and cognate expressions, includes to view or to inspect or listen to or record information by means of a monitoring device;</p>
<p style="text-align: justify; ">(p) “monitoring device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to view or to inspect or listen to or record any information;</p>
<p>(q) “Review Committee” means the Review Committee constituted under rule 419A of Indian Telegraph Rules, 1951.</p>
<p style="text-align: justify; ">3. <b>Direction for interception or monitoring or decryption of any information.</b>— No person shall carry out the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub-section (2) of section 69 of the Act, except by an order issued by the competent authority;</p>
<p style="text-align: justify; ">Provided that in unavoidable circumstances, such order may be issued by an officer, not below the rank of Joint Secretary of the Government of India, who has been duly authorised by the competent authority;</p>
<p>Provided further that in a case of emergency--</p>
<p style="text-align: justify; ">(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or</p>
<p style="text-align: justify; ">(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible,</p>
<p style="text-align: justify; ">the interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency (hereinafter referred to as the said security agency) at the Central level and the officer authorised in this behalf, not below the rank of the Inspector General of Police or an officer of equivalent rank, at the State or Union territory level;</p>
<p style="text-align: justify; ">Provided also that the officer, who approved such interception or monitoring or decryption of information in case of emergency, shall inform in writing to the competent authority about the emergency and of such interception or monitoring or decryption within three working days and obtain the approval of the competent authority thereon within a period of seven working days and if the approval of competent authority is not obtained within the said period of seven working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.</p>
<p style="text-align: justify; ">4. <b>Authorisation of agency of Government.</b>— The competent authority may authorise an agency of the Government to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource for the purpose specified in sub-section (1) of section 69 of the Act.</p>
<p style="text-align: justify; ">5. <b>Issue of decryption direction by competent authority.</b>— The competent authority may, under Rule (3), give any decryption direction to the decryption key holder for decryption of any information involving a computer resource or part thereof.</p>
<p style="text-align: justify; ">6. <b>Interception or monitoring or decryption of information by a State beyond its jurisdiction.</b>— Notwithstanding anything contained in Rule (3), if a State Government or Union territory Administration requires any interception or monitoring or decryption of information beyond its territorial jurisdiction, the Secretary in-charge of the Home Department in that State or Union territory, as the case may be, shall make a request to the Secretary in the Ministry of Home Affairs, Government of India for issuing direction to the appropriate authority for such interception or monitoring or decryption of information.</p>
<p style="text-align: justify; ">7. <b>Contents for direction.</b>— Any direction issued by the competent authority under Rule (3) shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee within a period of seven working days.</p>
<p style="text-align: justify; ">8. <b>Competent authority to consider alternative means in acquiring information.</b>— The competent authority shall, before issuing any direction under Rule (3), consider possibility of acquiring the necessary information by other means and the direction under Rule (3) shall be issued only when it is not possible to acquire the information by any other reasonable means.</p>
<p style="text-align: justify; ">9. <b>Direction of interception or monitoring or decryption of any specific information.</b>— The direction of interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be of any information as is sent to or from any person or class of persons or relating to any particular subject whether such information or class of information are received with one or more computer resources, or being a computer resource likely to be used for the generation, transmission, receiving, storing of information from or to one particular person or one or many set of premises, as may be specified or described in the direction.</p>
<p style="text-align: justify; ">10. <b>Direction to specify the name and designation of the officer to whom information to be disclosed.</b>— Every direction under Rule (3) shall specify the name and designation of the officer of the authorised agency to whom the intercepted or monitored or decrypted or stored information shall be disclosed and also specify that the use of intercepted or monitored or decrypted information shall be subject to the provisions of sub-section (1) of section 69 of the said Act.</p>
<p style="text-align: justify; ">11. <b>Period within which direction shall remain in force.</b>— The direction for interception or monitoring or decryption shall remain in force, unless revoked earlier, for a period not exceeding sixty days from the date of its issue and may be renewed from time to time for such period not exceeding the total period of one hundred and eighty days.</p>
<p style="text-align: justify; ">12. <b>Authorised agency to designate nodal officer.</b>— The agency authorised by the competent authority under Rule (4) shall designate one or more nodal officer, not below the rank of Superintendent of Police or Additional Superintendent of Police or the officer of the equivalent rank to authenticate and send the requisition conveying direction issued under Rule (3) for interception or monitoring or decryption to the designated officers of the concerned intermediaries or person in-charge of computer resource;</p>
<p style="text-align: justify; ">Provided that an officer, not below the rank of Inspector of Police or officer of equivalent rank, shall deliver the requisition to the designated officer of the intermediary.</p>
<p>13. <b>Intermediary to provide facilities, etc.</b>—</p>
<p style="text-align: justify; ">(1) The officer issuing the requisition conveying direction issued under Rule (3) for interception or monitoring or decryption of information shall also make a request in writing to the designated officers of intermediary or person in-charge of computer resources, to provide all facilities, co-operation and assistance for interception or monitoring or decryption mentioned in the directions.</p>
<p style="text-align: justify; ">(2) On the receipt of request under sub-rule (1), the designated officers of intermediary or person in-charge of computer resources, shall provide all facilities, co-operation and assistance for interception or monitoring or decryption of information mentioned in the direction.</p>
<p style="text-align: justify; ">(3) Any direction of decryption of information issued under Rule (3) to intermediary shall be limited to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.</p>
<p style="text-align: justify; ">14. <b>Intermediary to designate officers to receive and handle.</b>— Every intermediary or person in-charge of computer resource shall designate an officer to receive requisition, and another officer to handle such requisition, from the nodal officer for interception or monitoring or decryption of information generated, transmitted, received or stored in any computer resource.</p>
<p style="text-align: justify; ">15. <b>Acknowledgement of instruction.</b>— The designated officer of the intermediary or person in-charge of computer resources shall acknowledge the instructions received by him through letters or fax or e-mail signed with electronic signature to the nodal officer of the concerned agency within two hours on receipt of such intimation or direction for interception or monitoring or decryption of information.</p>
<p style="text-align: justify; ">16. <b>Maintenance of records by designated officer.</b>— The designated officer of intermediary or person in-charge of computer resource authorised to intercept or monitor or decrypt any information shall maintain proper records mentioning therein, the intercepted or monitored or decrypted information, the particulars of persons, computer resource, e-mail account, website address, etc. whose information has been intercepted or monitored or decrypted, the name and other particulars of the officer or the authority to whom the intercepted or monitored or decrypted information has been disclosed, the number of copies, including corresponding electronic records of the intercepted or monitored or decrypted information made and the mode of the method by which such copies, including corresponding electronic records are made, the date of destruction of the copies, including corresponding electronic record and the duration within which the directions remain in force.</p>
<p style="text-align: justify; ">17. <b>Decryption key holder to disclose decryption key or provide decryption assistance.</b>— If a decryption direction or a copy thereof is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer referred to in Rule (12), the decryption key holder shall within the period mentioned in the decryption direction--</p>
<p>(a) disclose the decryption key; or</p>
<p>(b) provide the decryption assistance,</p>
<p>specified in the decryption direction to the concerned authorised person.</p>
<p style="text-align: justify; ">18. <b>Submission of the list of interception or monitoring or decryption of information.</b>— <br />(1) The designated officers of the intermediary or person in-charge of computer resources shall forward in every fifteen days a list of interception or monitoring or decryption authorisations received by them during the preceding fortnight to the nodal officers of the agencies authorised under Rule (4) for confirmation of the authenticity of such authorisations. <br />(2) The list referred to in sub-rule (1) shall include details, such as the reference and date of orders of the concerned competent authority including any order issued under emergency cases, date and time of receipt of such order and the date and time of implementation of such order.</p>
<p style="text-align: justify; ">19. <b>Intermediary to ensure effective check in handling matter of interception or monitoring or decryption of information.</b>— The intermediary or the person in-charge of the computer resource so directed under Rule (3), shall provide technical assistance and the equipment including hardware, software, firmware, storage, interface and access to the equipment wherever requested by the agency authorised under Rule (4) for performing interception or monitoring or decryption including for the purposes of--</p>
<p style="text-align: justify; ">(i) the installation of equipment of the agency authorised under Rule (4) for the purposes of interception or monitoring or decryption or accessing stored information in accordance with directions by the nodal officer; or</p>
<p>(ii) the maintenance, testing or use of such equipment; or</p>
<p>(iii) the removal of such equipment; or</p>
<p>(iv) the performance of any action required for accessing of stored information under the direction issued by the competent authority under Rule (3).</p>
<p style="text-align: justify; ">20. <b>Intermediary to ensure effective check in handling matter of interception or monitoring or decryption of information.</b>— The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure the unauthorised interception of information does not take place and extreme secrecy is maintained and utmost care and precaution shall be taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary and no other person of the intermediary or person in-charge of computer resources shall have access to such intercepted or monitored or decrypted information.</p>
<p style="text-align: justify; ">21. <b>Responsibility of intermediary.</b>— The intermediary or person in-charge of computer resources shall be responsible for any action of their employees also and in case of violation pertaining to maintenance of secrecy and confidentiality of information or any unauthorised interception or monitoring or decryption of information, the intermediary or person in-charge of computer resources shall be liable for any action under the relevant provisions of the laws for the time being in force.</p>
<p style="text-align: justify; ">22. <b>Review of directions of competent authority.</b>— The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (3) are in accordance with the provisions of sub-section (2) of section 69 of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue order for destruction of the copies, including corresponding electronic record of the intercepted or monitored or decrypted information.</p>
<p>23. <b>Destruction of records of interception or monitoring or decryption of information</b>.—</p>
<p style="text-align: justify; ">(1) Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements.</p>
<p style="text-align: justify; ">(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings, the intermediary or person in-charge of computer resources shall destroy records pertaining to directions for interception of information within a period of two months of discontinuance of the interception or monitoring or decryption of such information and in doing so they shall maintain extreme secrecy.</p>
<p>24. <b>Prohibition of interception or monitoring or decryption of information without authorisation.</b>—</p>
<p style="text-align: justify; ">(1) Any person who intentionally or knowingly, without authorisation under Rule (3) or Rule (4), intercepts or attempts to intercept, or authorises or assists any other person to intercept or attempts to intercept any information in the course of its occurrence or transmission at any place within India, shall be proceeded against and punished accordingly under the relevant provisions of the laws for the time being in force.</p>
<p style="text-align: justify; ">(2) Any interception, monitoring or decryption of information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, may be undertaken in course of his duty relating to the services provided by that intermediary, if such activities are reasonably necessary for the discharge of his duties as per the prevailing industry practices, in connection with the following matters, namely--</p>
<p>(i) installation of computer resource or any equipment to be used with computer resource; or</p>
<p>(ii) operation or maintenance of computer resource; or</p>
<p style="text-align: justify; ">(iii) installation of any communication link or software either at the end of the intermediary or subscriber, or installation of user account on the computer resource of intermediary and testing of the same for its functionality;</p>
<p style="text-align: justify; ">(iv) accessing stored information from computer resource relating to the installation, connection or maintenance of equipment, computer resource or a communication link or code; or</p>
<p>(v) accessing stored information from computer resource for the purpose of--</p>
<p>(a) implementing information security practices in the computer resource;</p>
<p>(b) determining any security breaches, computer contaminant or computer virus;</p>
<p>(c) undertaking forensic of the concerned computer resource as a part of investigation or internal audit; or</p>
<p style="text-align: justify; ">(vi) accessing or analysing information from a computer resource for the purpose of tracing a computer resource of any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.</p>
<p style="text-align: justify; ">(3) The intermediary or the person in-charge of computer resource and its employees shall maintain strict secrecy and confidentiality of information while performing the actions specified under sub-rule (2).</p>
<p>25. <b>Prohibition of disclosure of intercepted or monitored decrypted information.</b>—</p>
<p style="text-align: justify; ">(1) The contents of intercepted or monitored or stored or decrypted information shall not be used or disclosed by intermediary or any of its employees or person in-charge of computer resource to any person other than the intended recipient of the said information under Rule (10).</p>
<p style="text-align: justify; ">(2) The contents of intercepted or monitored or decrypted information shall not be used or disclosed by the agency authorised under Rule (4) for any other purpose, except for investigation or sharing with other security agency for the purpose of investigation or in judicial proceedings before the competent court in India.</p>
<p style="text-align: justify; ">(3) Save as otherwise provided in sub-rule (2), the contents of intercepted or monitored or decrypted information shall not be disclosed or reported in public by any means, without the prior order of the competent court in India.</p>
<p style="text-align: justify; ">(4) Save as otherwise provided in sub-rule (2), strict confidentiality shall be maintained in respect of direction for interception, monitoring or decryption issued by concerned competent authority or the nodal officers.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009'>https://cis-india.org/internet-governance/resources/it-procedure-and-safeguards-for-interception-monitoring-and-decryption-of-information-rules-2009</a>
</p>
No publisher | jdine | IT Act | Internet Governance | 2013-07-06T01:51:58Z | Page
Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009
<b>Draft Rules under section 69B of the Information Technology (Amendment) Act, 2008 as notified by the Central Government. </b>
<p style="text-align: justify; "><b>G.S.R. 782 (E).</b>— In exercise of the power conferred by clause (za) of sub-section (2) of section 87, read with sub-section (3) of section 69B of the Information Technology Act 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:—</p>
<p><b>1. Short title and commencement.</b>—</p>
<p style="text-align: justify; ">(1) These rules may be called the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.</p>
<p style="text-align: justify; ">(2) They shall come into force on the date of their publication in the Official Gazette.</p>
<p style="text-align: justify; "><b>2. Definitions.</b>— In these rules, unless the context otherwise requires,—</p>
<p style="text-align: justify; ">(a) “Act” means the Information Technology Act, 2000 (21 of 2000);</p>
<p style="text-align: justify; ">(b) “communication” means dissemination, transmission, carriage of information or signal in some manner and includes both a direct communication and an indirect communication;</p>
<p style="text-align: justify; ">(c) “communication link” means the use of satellite, microwave, radio, terrestrial line, wire, wireless or any other communication media to inter-connect computer resource;</p>
<p style="text-align: justify; ">(d) “competent authority” means the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology;</p>
<p>(e) “computer resource” means computer resource as defined in clause (k) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(f) “cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service/disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;</p>
<p style="text-align: justify; ">(g) “cyber security breaches” means unauthorised acquisition or unauthorised use by a person of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource;</p>
<p style="text-align: justify; ">(h) “information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(i) “information security practices” means implementation of security policies and standards in order to minimize the cyber security incidents and breaches;</p>
<p style="text-align: justify; ">(j) “intermediary” means an intermediary as defined by clause (w) of sub-section (1) of section 2 of the Act;</p>
<p style="text-align: justify; ">(k) “monitor” with its grammatical variations and cognate expressions, includes to view or inspect or to record or collect traffic data or information generated, transmitted, received or stored in a computer resource by means of a monitoring device;</p>
<p style="text-align: justify; ">(l) “monitoring device” means any electronic, mechanical, electro-mechanical, electro-magnetic, optical or other instrument, device, equipment or apparatus which is used or can be used, whether by itself or in combination with any other instrument, device, equipment or apparatus, to view or inspect or record or collect traffic data or information;</p>
<p style="text-align: justify; ">(m) “port” or “application port” means a set of software rules which identifies and permits communication between application to application, network to network, computer to computer, computer system to computer system;</p>
<p style="text-align: justify; ">(n) “Review Committee” means the Review Committee constituted under rule 419A of Indian Telegraph Rules, 1951;</p>
<p style="text-align: justify; ">(o) “security policy” means documented business rules and processes for protecting information and the computer resource;</p>
<p style="text-align: justify; ">(p) “traffic data” means traffic data as defined in <i>Explanation (ii) </i>to section 69B of the Act.</p>
<p><b>3. Directions for monitoring.</b>—</p>
<p style="text-align: justify; ">(1) No directions for monitoring and collection of traffic data or information under sub-section (3) of section 69B of the Act shall be issued, except by an order made by the competent authority.</p>
<p style="text-align: justify; ">(2) The competent authority may issue directions for monitoring for any or all of the following purposes related to cyber security, namely:-</p>
<p style="text-align: justify; ">(a) forecasting of imminent cyber incidents;</p>
<p style="text-align: justify; ">(b) monitoring network application with traffic data or information on computer resource;</p>
<p style="text-align: justify; ">(c) identification and determination of viruses or computer contaminant;</p>
<p>(d) tracking cyber security breaches or cyber security incidents;</p>
<p style="text-align: justify; ">(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;</p>
<p style="text-align: justify; ">(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;</p>
<p style="text-align: justify; ">(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;</p>
<p style="text-align: justify; ">(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;</p>
<p style="text-align: justify; ">(i) any other matter relating to cyber security.</p>
<p style="text-align: justify; ">(3) Any direction issued by the competent authority under sub-rule (2) shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee within a period of seven working days.</p>
<p style="text-align: justify; ">(4) The direction of the competent authority for monitoring and collection of traffic data or information may include the monitoring and collection of traffic data or information from any person or class of persons or relating to any particular subject whether such traffic data or information, or class of traffic data or information, are received with one or more computer resources, being a computer resource likely to be used for generation, transmission, receiving, storing of traffic data or information from or to one particular person or one or many set of premises.</p>
<p><b>4. Authorised agency of government for monitoring and collection of traffic data or information.</b>—</p>
<p style="text-align: justify; ">(1) The competent authority may authorise any agency of the government for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource.</p>
<p style="text-align: justify; ">(2) The agency authorised by the competent authority under sub-rule (1) shall designate one or more nodal officer, not below the rank of Deputy Secretary to the Government of India, for the purpose to authenticate and send the requisition conveying direction issued under rule 3 to the designated officers of the concerned intermediary or person in-charge of computer resources.</p>
<p style="text-align: justify; ">(3) The requisition under sub-rule (2) shall specify the name and designation of the officer or the agency to whom the monitored or collected traffic data or information is to be disclosed.</p>
<p style="text-align: justify; ">(4) The intermediaries or person in-charge of computer resource shall designate one or more officers to receive requisition and to handle such requisition from the nodal officer for monitoring or collection of traffic data or information.</p>
<p style="text-align: justify; ">(5) The requisition conveying directions for monitoring shall be conveyed to the designated officers of the intermediary or person in-charge of computer resources, in writing through letter or fax by the nodal officer or delivered, (including delivery by email signed with electronic signature), by an officer not below the rank of Under Secretary or officer of the equivalent rank.</p>
<p style="text-align: justify; ">(6) The nodal officer issuing the requisition conveying directions for monitoring under sub-rule (2) shall also make a request in writing to the designated officer of intermediary or person in-charge of computer resource for monitoring in accordance with the format indicated in such requisition and report the same to the officer designated under sub-rule (3).</p>
<p style="text-align: justify; ">(7) The nodal officer shall also make a request to the officer of intermediary or person in-charge of computer resource designated under sub-rule (4) to extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access or to secure and provide online access to the computer resource for monitoring and collecting traffic data or information.</p>
<p style="text-align: justify; ">(8) On receipt of requisition under sub-rule (2) conveying the direction issued under sub-rule (2) of rule 3 the designated officer of the intermediary or person in-charge of computer resource designated under sub-rule (4) shall acknowledge the receipt of requisition by way of letter or fax or electronically signed e-mail to the nodal officer within a period of two hours from the time of receipt of such requisition.</p>
<p style="text-align: justify; ">(9) The officer of the intermediary or person in-charge of computer resource designated under sub-rule (4) shall maintain proper records of the requisitions received by him.</p>
<p style="text-align: justify; ">(10) The designated officer of the intermediary or person in-charge of computer resource shall forward in every fifteen days a list of requisition conveying direction for monitoring or collection of traffic data or information to the nodal officer which shall include details such as the reference and date of requisition conveying direction of the concerned competent authority.</p>
<p style="text-align: justify; "><b>5. Intermediary to ensure effective check in handling monitoring or collection of traffic data or information.</b>— The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that unauthorised monitoring or collection of traffic data or information does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of monitoring or collection of traffic data or information as it affects privacy of citizens and also that this matter is handled only by the designated officer of the intermediary or person in-charge of computer resource.</p>
<p style="text-align: justify; "><b>6. Responsibility of intermediary.</b>— The intermediary or person in-charge of computer resource shall be responsible for the actions of their employees also, and in case of violation of the provision of the Act and rules made thereunder pertaining to maintenance of secrecy and confidentiality of information or any unauthorised monitoring or collection of traffic data or information, the intermediary or person in-charge of computer resource shall be liable for any action under the relevant provision of the laws for the time being in force.</p>
<p style="text-align: justify; "><b>7. Review of directions of competent authority.</b>— The Review Committee shall meet at least once in two months and record its finding whether the directions issued under sub-rule (2) of rule 3 are in accordance with the provisions of sub-section (3) of section 69B of the Act and where the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and issue order for destruction of the copies, including corresponding electronic record of the monitored or collected traffic data or information.</p>
<p><b> </b></p>
<p><b>8. Destruction of records.</b>—</p>
<p style="text-align: justify; ">(1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed by the designated officer after the expiry of a period of nine months from the receipt of direction or creation of record, whichever is later, except in a case where the traffic data or information is, or likely to be, required for functional requirements.</p>
<p style="text-align: justify; ">(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information within a period of six months of discontinuance of the monitoring or collection of traffic data and in doing so they shall maintain extreme secrecy.</p>
<p><b> </b></p>
<p style="text-align: justify; "><b>9. Prohibition of monitoring or collection of traffic data or information without authorisation.</b>—</p>
<p style="text-align: justify; ">(1) Any person who, intentionally or knowingly, without authorisation under sub-rule (2) of rule 3 or sub-rule (1) of rule 4, monitors or collects traffic data or information, or attempts to monitor or collect traffic data or information, or authorises or assists any person to monitor or collect traffic data or information in the course of its occurrence or transmission at any place within India, shall be proceeded against, punished accordingly under the relevant provisions of the law for the time being in force.</p>
<p style="text-align: justify; ">(2) the monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, may be undertaken in course of his duty relating to the services provided by that intermediary, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with the following matters, namely:—</p>
<p style="text-align: justify; ">(i) installation of computer resource or any equipment to be used with computer resource; or</p>
<p>(ii) operation or maintenance of computer resource; or</p>
<p style="text-align: justify; ">(iii) installation of any communication link or software either at the end of the intermediary or subscriber, or installation of user account on the computer resource of intermediary and testing of the same for its functionality;</p>
<p style="text-align: justify; ">(iv) accessing stored information from computer resource relating to the installation, connection or maintenance of equipment, computer resource or a communication link or code; or</p>
<p style="text-align: justify; ">(v) accessing stored information from computer resource for the purpose of--</p>
<p style="text-align: justify; ">(a) implementing information security practices in the computer resource;</p>
<p style="text-align: justify; ">(b) determining any security breaches, computer contaminant or computer virus;</p>
<p style="text-align: justify; ">(c) undertaking forensic of the concerned computer resource as a part of investigation or internal audit; or</p>
<p style="text-align: justify; ">(vi) accessing or analysing information from a computer resource for the purpose of tracing a computer resource of any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.</p>
<p style="text-align: justify; ">(3) The intermediary or the person in-charge of computer resource and its employees shall maintain strict secrecy and confidentiality of information while performing the actions as specified under sub-rule (2).</p>
<p style="text-align: justify; ">(4) The details of monitored or collected traffic data or information shall not be used or disclosed by intermediary or person in-charge of computer resource or any of its employees to any person other than the intended recipient of the said information under sub-rule (2) of rule 4. Any intermediary or its employees of person in-charge of computer resource who contravenes the provisions of this rule shall be proceeded against and punished accordingly under the relevant provisions of the Act or any other law for the time being in force.</p>
<p style="text-align: justify; "><b>10. Prohibition of disclosure of traffic data or information by authorised agency.</b>— The details of monitored or collected traffic data or information shall not be used or disclosed by the agency authorised under sub-rule (1) of rule 4 for any other purpose, except for forecasting imminent cyber threats or general trend of port-wise traffic on Internet, or general analysis of cyber incidents, or for investigation or in judicial proceedings before the competent court in India.</p>
<p><b> </b></p>
<p style="text-align: justify; "><b>11. Maintenance of confidentiality.</b>— Save as otherwise provided in rule 10, strict confidentiality shall be maintained in respect of directions for monitoring or collection of traffic data or information issued by the competent authority under these rules.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009'>https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009</a>
</p>
No publisher | jdine | IT Act | Internet Governance | 2013-04-25T04:49:05Z | Page
Consilience – 2013
https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore
<b>The Law and Technology Committee of National Law School of India University, Bangalore is organising ‘Consilience – 2013’, an annual conference on law and technology, to be held on May 25 and 26, 2013. The Centre for Internet and Society is a co-partner for this event.</b>
<hr />
<p>Theme: Data Protection and Cyber Security in India. Click to read the <a href="https://cis-india.org/internet-governance/blog/consilience-2013.pdf" class="internal-link">report here</a>.</p>
<hr />
<p><b>Topics:<br />Frameworks for Data Protection in India: The J. A.P. Shah “Report of the Group of Experts on Privacy”</b></p>
<p style="text-align: justify; ">a. What is the scope of the principles/framework?</p>
<p style="text-align: justify; ">b. What could be the strengths and limitation of their application?</p>
<p style="text-align: justify; ">c. How does the Report define privacy for India?</p>
<p style="text-align: justify; ">d. Would an alternative framework for privacy in India be better? If so, what would this framework look like?</p>
<p><b>India and the EU: The Privacy Debate</b></p>
<p style="text-align: justify; ">a. How does the Indian data protection regime differ from the EU regime?</p>
<p style="text-align: justify; ">b. Was the EU justified in not accepting India as a data secure country? Reason for or against.</p>
<p style="text-align: justify; ">c. In what way does the Indian regime on data protection not meet the requirements of EU’s data protection directive?</p>
<p style="text-align: justify; ">d. What changes need to be made in the Indian regime to become EU compliant? Are these changes feasible? Should India make these changes?</p>
<p><b>Governmental Schemes, Data Protection, and Security</b></p>
<p style="text-align: justify; ">a. In India, do private public partnerships between government and the private sector adequately incorporate data protection standards?</p>
<p style="text-align: justify; ">b. What have been concerns related to data protection and security that have arisen from government schemes? (Please use two governmental schemes as case studies)</p>
<p style="text-align: justify; ">c. Are these concerns related to the policy associated with the project – the architecture of the project as well as the implementation?</p>
<p style="text-align: justify; ">d. Should the larger question of data protection for governmental schemes be incorporated into a privacy legislation? If yes, how so?</p>
<p><b>Contracts and Data Protection in India</b></p>
<p style="text-align: justify; ">a. How are contracts used to ensure data protection in India? What actors use contracts?</p>
<p style="text-align: justify; ">b. Are there weaknesses in using contracts to ensure data protection standards?</p>
<p style="text-align: justify; ">c. Do contracts address questions brought about from technology like the cloud?</p>
<p><b>Cyber security in India</b></p>
<p>a. What are the perceived challenges and threats to cyber security in India?</p>
<p>b. Are these currently being addressed through policy/projects? If yes, how so?</p>
<p>c. How does India’s cyber security regime compare to other countries?</p>
<p><b>Surveillance and Cyber Security</b></p>
<p style="text-align: justify; ">a. Does policy in India enable the Government of India to surveil individuals for reasons related to cyber security?</p>
<p>b. If so – through what policy, projects, legislation?</p>
<p>c. Do the relevant policies, projects, and legislation impact privacy? How so?</p>
<p><b>The Draft National Cyber Security Policy</b></p>
<p style="text-align: justify; ">a. What is the scope of the National Cyber Security Policy of India? Does the draft policy adequately address all of the concerns within the ambit of cyber security?</p>
<p style="text-align: justify; ">b. Would the Draft National Cyber Security Policy of India be effective in meeting the goal of enhancing cyber security levels in India?</p>
<p style="text-align: justify; ">c. How does the Draft National Cyber Security Policy compare to other countries' cyber security policies?</p>
<p><b>Word Limit</b>:</p>
<p>Abstract: 750-800 words</p>
<p>Paper: 2,500 words</p>
<p><b>Deadlines:</b></p>
<p>Abstract Submission: April 30, 2013</p>
<p>Paper Submission: May 15, 2013</p>
<p><b>Contact Details</b>:</p>
<p>consilience2013[at]gmail[dot]com</p>
<p>Mohak Arora: +91-90359-21926</p>
<p>Shivam Singla: +91-99167-08701</p>
<p style="text-align: justify; ">Each participant is required to submit an abstract on <b>any one</b> of the seven topics above and can choose the specific issue within the selected topic to discuss.</p>
<p style="text-align: justify; ">For additional details, click<b> <a href="http://consilience.co.in/index.php/component/content/article/20-frontpage/310-call-for-papers">here</a>.</b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore'>https://cis-india.org/internet-governance/events/consilience-2013-law-technology-committee-nls-bangalore</a>
</p>
No publisher | praskrishna | Event | Internet Governance | Privacy | 2013-11-20T06:15:15Z | Event
Interview with the Citizen Lab on Internet Filtering in India
https://cis-india.org/internet-governance/blog/interview-with-citizen-lab-on-internet-filtering
<b>Maria Xynou recently interviewed Masashi Crete-Nishihata and Jakub Dalek from the Citizen Lab on internet filtering in India. View this interview and gain an insight on Netsweeper and FinFisher!</b>
<p>A few days ago, Masashi Crete-Nishihata (research manager) and Jakub Dalek (systems administrator) from the Citizen Lab visited the Centre for Internet and Society (CIS) to share their research with us.</p>
<p>The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. The OpenNet Initiative is one of the Citizen Lab's ongoing projects which aims to document patterns of Internet surveillance and censorship around the world. OpenNet.Asia is another ongoing project which focuses on censorship and surveillance in Asia.</p>
<p>The following video features an interview with both Masashi Crete-Nishihata and Jakub Dalek on the following questions:</p>
<p>1. Why is it important to investigate Internet filtering around the world?</p>
<p>2. How high are the levels of Internet filtering in India, in comparison to the rest of the world?</p>
<p>3. "Censorship and surveillance of the Internet aim at tackling crime and terrorism and in increasing overall security." Please comment.</p>
<p>4. What is Netsweeper and how is it being used in India? What consequences does this have?</p>
<p>5. What is FinFisher and how could it be used in India?</p>
<p>Video</p>
<hr />
<p><iframe frameborder="0" height="250" src="http://www.youtube.com/embed/4Z9Iq_cIJgw" width="250"></iframe></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-citizen-lab-on-internet-filtering'>https://cis-india.org/internet-governance/blog/interview-with-citizen-lab-on-internet-filtering</a>
</p>
No publisher | maria | Internet Governance | Privacy | 2013-06-26T09:47:14Z | Blog Entry
Open Letter to Prevent the Installation of RFID tags in Vehicles
https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles
<b>The Centre for Internet and Society (CIS) has sent this open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p class="western" style="text-align: justify; ">This letter is with regards to the installation of Radio Frequency Identification Tags (RFID) in vehicles in India.</p>
<p class="western" style="text-align: justify; ">On behalf of the Centre for Internet and Society, we urge you to prevent the installation of RFID tags in vehicles in India, as the legality, necessity and utility of RFID tags have not been adequately proven. Such technologies raise major ethical concerns, since India lacks privacy legislation which could safeguard individuals' data.</p>
<p class="western" style="text-align: justify; ">The proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India. However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.</p>
<p class="western" style="text-align: justify; ">The installation of RFID tags in vehicles is not only currently illegal, but it also raises major privacy concerns. RFID tags yield locational information, and thus reveal information as to an individual’s whereabouts. This could lead to a serious invasion of the right to privacy, which is at the core of personal liberty, and constitutionally protected in India. Moreover, the installation of RFID tags in vehicles is not in compliance with the privacy principles of the Report of the Group of Experts on Privacy, as, among other things, the architecture of RFID tags does not allow for consent to be taken from individuals for the collection, use, disclosure, and storage of information generated by the technology.<a href="#fn1" name="fr1">[1]</a></p>
<p class="western" style="text-align: justify; ">The Centre for Internet and Society recently drafted the Privacy (Protection) Bill 2013 – a citizen's version of a possible privacy legislation for India.<a href="#fn2" name="fr2">[2]</a><sup> </sup>The Bill defines and establishes the right to privacy and regulates the interception of communications and surveillance, and would include the regulation of technologies like RFID tags. As this Bill has not been enacted into law and India lacks a privacy legislation which could safeguard individuals' data, we strongly urge you to not require the mandatory installation of RFID tags in vehicles, as this could potentially violate individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">As the proposed rule 138A, which mandates the installation of RFID tags in vehicles, is currently illegal and India lacks privacy legislation which would regulate the collection, use, sharing of, disclosure and retention of data, we strongly urge you to ensure that RFID tags are not installed in vehicles in India and to play a decisive role in protecting individuals' right to privacy and other human rights.</p>
<p class="western" style="text-align: justify; ">Thank you for your time and for considering our request.</p>
<p class="western" style="text-align: justify; ">Sincerely,</p>
<p class="western" style="text-align: justify; ">Centre for Internet and Society (CIS)</p>
<p> </p>
<p id="sdfootnote1"> </p>
<p>[<a href="#fr1" name="fn1">1</a>]. Report of the Group of Experts on Privacy: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p>[<a href="#fr2" name="fn2">2</a>]. Draft Privacy (Protection) Bill 2013: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles'>https://cis-india.org/internet-governance/blog/open-letter-to-siam-on-rfid%20installation-in-vehicles</a>
</p>
No publisher | maria | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T10:59:31Z | Blog Entry
The State is Snooping: Can You Escape?
https://cis-india.org/internet-governance/blog/india-together-june-26-2013-snehashish-ghosh-the-state-is-snooping-can-you-escape
<b>Blanket surveillance of the kind envisaged by India's Centralized Monitoring System achieves little, but blatantly violates the citizen's right to privacy; Snehashish Ghosh explores why it may be dangerous and looks at potential safeguards against such intrusion. </b>
<p><span style="text-align: justify; ">The Snowden Leaks have made it amply clear that the covert surveillance conducted by governments is no longer covert. Information by its very nature is prone to leaks. The discretion lies completely in the hands of the personnel handling your data or information. Whether it is through knowledge obtained by an intelligence analyst about the US Government conducting indiscriminate surveillance, or hackers infiltrating a secure system and leaking personal information, stored information has a tendency to come out in the open sooner or later.</span></p>
<p><span style="text-align: justify; ">This raises the question whether, with the advancement of technologies, we should trust our personal information and data with computers. Should we have more stringent laws and procedural safeguards to protect our personal information? Of course, the broader question that remains is whether we have a ‘Right to be Forgotten’.</span></p>
<p style="text-align: justify; ">Similar to PRISM in the US, India is also implementing a Centralized Monitoring System (CMS) which would have the capabilities to conduct multiple privacy-intrusive activities, ranging from call data record analysis to location based monitoring. Given the circumstances and the current revelations by a whistleblower in the US, it is more than imperative to take a closer look at the surveillance technologies which are being deployed by India and question what implications it might have in the future.</p>
<p style="text-align: justify; "><strong>Technological shift and procedural safeguards<br /></strong>The need for procedural safeguards was brought to light in the Supreme Court case, when news reports surfaced about the tapping of politicians' phones by the CBI. The Court while deciding on the issue of phone tapping in the case of <i>People’s Union of Civil Liberties v. Union of India</i> (1996), observed that the Indian Telegraph Act, 1885 is an ancient legislation and does not address the issue of telephone tapping. Thereafter, the court issued guidelines, which were implemented by the Government by amending and inserting Rule 419A of the Indian Telegraph Rules, 1951. These procedural safeguards ensure that due process will be followed by any law enforcement agency, while conducting surveillance.</p>
<p style="text-align: justify; ">Section 5(2) of the Indian Telegraph Act, 1885 grants the power to the Government to conduct surveillance provided that there is an occurrence of any public emergency or public safety. If and only if the conditions of public safety and public emergency are compromised, and if the concerned authority is convinced that it is expedient to issue such an order for interception in the interest of “the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence” is surveillance legitimized. The same was reaffirmed by the Supreme Court in the 1996 judgment on wire tapping.</p>
<p style="text-align: justify; ">Now, as the Government of India is planning to launch a new technology, the Centralized Monitoring System (CMS) which would snoop, track and monitor communication data flowing through telecom and data networks, the question arises: can we have procedural safeguards which would protect our right to privacy against technologies such as the CMS?</p>
<p style="text-align: justify; ">The key component of a procedural safeguard is human discretion; either a court authorization or an order from a high ranking government official is necessary to conduct targeted surveillance and the reasons for conducting surveillance have to be recorded in writing. This is the procedure which is ordinarily followed by law enforcement agencies before conducting any form of surveillance. However, with the computational turn, governments have resorted to practices which would do away with the human discretion. Dragnet surveillance allows for blanket surveillance. Before getting to the problems in evolving a due process for systems like CMS, it is imperative to examine the capabilities of the system.</p>
<p style="text-align: justify; "><strong>Centralized Monitoring System and death of due process</strong> <br />Setting up of a CMS was conceptualized in India after the 2008 Mumbai attacks. It was further consolidated and found a place in the Report of the Telecom Working Group on the Telecom Sector for the Twelfth Five Year Plan (2012-2017). The Report was published in August, 2011 and goes into the details of the CMS.</p>
<blockquote class="pullquote" style="text-align: justify; ">When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty, and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security? <br /></blockquote>
<p style="text-align: justify; ">The Report indicates that the technology will cater to “the requirements of security management for law enforcement agencies for interception, monitoring, data analysis/mining, anti-social-networking using the country’s telecom infrastructure for unlawful activities.”</p>
<p style="text-align: justify; ">The CMS will also be capable of running algorithms for interception of connection oriented networks, algorithms for interception of voice over internet protocol (VoIP), video over IP and GPS based monitoring systems. These algorithms would be able to intercept any communication without any intervention from the telecom or internet service provider. It would also have the capability to intercept and analyze data on any communication network as well as to conduct location based monitoring by tracking GPS locations. Given such capabilities, it is clear that a computer system will be sifting through the internet/communication data and will conduct surveillance as instructed through algorithms. This would include identifying patterns, profiling and also storing data for posterity. Moreover, the CMS will have direct access to the telecommunication infrastructure and would be monitoring all forms of communication.</p>
<p style="text-align: justify; ">With the introduction of CMS, state surveillance will shift to blanket surveillance from the current practice of targeted surveillance which can be carried out under specific circumstances that are well defined in the law and in judgments. Moreover, when it comes to current means of surveillance, there are well-defined procedures under the law which have the ability to prevent misuse of the surveillance systems. This is not to say that the current procedural safeguards under the laws are not prone to abuse, but if implemented properly, there is less chance of them being misused. Furthermore, with strong privacy and data protection laws, unlawful and illegal surveillance can be minimized.</p>
<p style="text-align: justify; ">In the current legal framework, with respect to surveillance, if CMS is implemented then it will be in violation of the fundamental right to privacy and freedom of speech as guaranteed under our Constitution. It will be also in contravention of the procedural safeguards laid down in the Supreme Court judgement and the Rule 419A of Indian Telegraph Rules, thereof. Strong privacy laws and data protection laws may be put in place, which are completely absent now. But at the end of the day, a machine will be spying on every citizen of India or anyone using any communication services, without any specific targets or suspects.<br /><br />In the People’s Union of Civil Liberties v. Union of India (1996), the Supreme Court laid down that “the substantive law as laid down in Section 5(2) of the [Indian Telegraph Act, 1885] must have procedural backing so that the exercise of power is fair and reasonable.” But with technologies such as CMS, it will be very difficult to have any form of procedural backing because the system would do away with human discretion which happens to be a key ingredient of any legal procedure.<br /><br />The argument which can be made in favour of CMS, if any, is that a machine will be going through personal data and it will not be available to any personnel or law enforcement agency without authorization and therefore, it will adhere to the due process. However, such a system will be keeping track of all personal information. Right to privacy is the right to be left alone and any incursion on this fundamental right can only be allowed in special cases, in cases of public emergency or threat of public safety. 
So, electronic blanket surveillance without human intervention also amounts to violation of the substantive law, which specifically allows surveillance only to be conducted under certain conditions, and not through a system such as CMS that is designed to keep a constant watch on everyone, irrespective of the fact whether there is a need to do so.<br /><br />Additionally, there exists a strong, pre-established notion that whatever comes out of a computer is bound to be true and authentic and there cannot be any mistakes. We have witnessed this in the past where an IT professional from Bangalore was arrested and detained by the Maharashtra Police for posting derogatory content on Orkut about Shivaji. Later, it was found that the records acquired from the Internet Service Provider were incorrect and the individual had been arrested and detained illegally.<br /><br />Telephone bills, credit card bills coming out from a computer system are often held to be authentic and error-free. With UID, our identity has been reduced to a number and biometrics stored in a database corresponding to that number. It is this trust in anything which comes out of a computer or a machine that can lead to massive abuse of the system in the absence of any form of checks and balance in place. Artificial things taking control over human lives and our almost unflinching trust in technology will not only cause gross violations of privacy but will also be the death of due process and basic human rights as we know it.<br /><br />In this regard, due emphasis should be given to the landmark Supreme Court judgment in the case of Maneka Gandhi v. Union of India (1978) which deals with issues related to due process and privacy. It states that "procedure which deals with the modalities of regulating, restricting or even rejecting a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. 
Thus, understood, ‘procedure’ must rule out anything arbitrary, freakish or bizarre. A valuable constitutional right can be canalised only by canalised processes".<br /><br />When machines and robots are deployed to conduct blanket surveillance and impinge on the most fundamental right to life and liberty and also violate the basic tenets of due process, then much cannot be done by way of procedures. What then do we resort to, is the primary question. Can there be a compromise between the right to privacy and security?</p>
<p style="text-align: justify; "><strong>A no-win situation<br /></strong>In reality, dragnet surveillance or blanket surveillance is not very useful for gathering valuable intelligence to prevent instances of threat to national security, public safety and public emergency. For example, if the CMS is used to mine data, analyse content related to anti-social activities and even if the system is 99 per cent accurate, the remaining 1 per cent which is a false positive happens to be a large set. So, 1 out of every 100 individuals identified as an anti-social element by CMS may actually be an innocent citizen. Given the possibility of false positives, which may be more than 1 per cent, the number of innocent citizens caught in the terrorist net would be much higher.<br /><br />Even though blanket surveillance or dragnet surveillance can keep a tab on everyone, it is nearly impossible for an algorithm to separate the terrorists from the rest. Moreover, the data set collected by the machine is too big for any human analyst to actually analyze and identify the terrorist in the midst of a deluge of information. Therefore, the argument that a system like CMS will ensure security in lieu of minor intrusions of privacy is a flawed one. Implementation of CMS will not really ensure security but will be a case of blatant violation of an individual’s right to privacy anyway.<br /><br />What is perhaps more shocking is that not only will CMS be futile in preventing security breaches or neutralizing security threats, it will on the contrary expose individual Indian citizens to breach of personal security. If personal data and information are stored for future reference through a centralized mechanism, which is also the case with UID, it will be highly susceptible to attacks and security threats. It will be a Pandora’s Box with a potential to create havoc the moment someone is able to gain access to the information with the intention to misuse it. 
Leaking of personal information and data on a large scale can be detrimental to society and give rise to instances of public emergency.</p>
<p style="text-align: justify; "><strong>The ‘Right to be Forgotten’<br /></strong></p>
<div id="stcpDiv">
<p align="justify">Currently, the European Union is engulfed in the debate on the “Right to be Forgotten” laws. The Right to be Forgotten finds its origins in the French Law <i>le droit à l’oubli </i>or the right of oblivion, where a convict who has served his sentence can object to the publication of facts of his conviction and imprisonment or penalty. This law has a new found meaning in the context of social media and the internet, where we have the right to delete all our personal information permanently. This is an important issue which India should debate and discuss, as we live in an era where privacy comes at a cost.</p>
<p align="justify">On the one hand, technology has made it easier to track, trace, monitor and snoop; on the other, it has also seen innovation in the field of encryption and anonymity tools. Encryption tools such as OpenPGP exist online, which can secure information from third party access. Tor Browser allows a user to surf the web anonymously. The use of such technologies should be encouraged as there is no law which prohibits their use. If systems are being built to spy on us, it will be better if we use technologies which protect our personal information from such surveillance technologies.</p>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-together-june-26-2013-snehashish-ghosh-the-state-is-snooping-can-you-escape'>https://cis-india.org/internet-governance/blog/india-together-june-26-2013-snehashish-ghosh-the-state-is-snooping-can-you-escape</a>
</p>
No publisher | snehashish | Internet Governance | Privacy | 2019-04-29T15:09:18Z | Blog Entry
Internet users enraged over US online spying
https://cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying
<b>India is the fifth most tracked nation by American intelligence agencies.</b>
<hr />
<p style="text-align: justify; ">The article by Maitreyee Boruah was <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2013-06-29/people/40256468_1_privacy-private-information-sunil-abraham">published in the Times of India</a> on June 29, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.</p>
<p style="text-align: justify; ">According to former US <a href="http://timesofindia.indiatimes.com/topic/Central-Intelligence-Agency">Central Intelligence Agency</a> (CIA) employee Edward Snowden's testimony, the US National Security Agency (<a href="http://timesofindia.indiatimes.com/topic/National-Security-Agency">NSA</a>) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?</p>
<p style="text-align: justify; "><b>What should the <a href="http://timesofindia.indiatimes.com/topic/Indian-Government">Indian government</a> do?</b></p>
<p style="text-align: justify; ">Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.</p>
<p style="text-align: justify; ">"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes <a href="http://timesofindia.indiatimes.com/topic/The-Office">the office</a> of the <a href="http://timesofindia.indiatimes.com/topic/Privacy-Commissioner">privacy commissioner</a>. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.</p>
<p style="text-align: justify; ">Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."</p>
<p><b>Era of the Big Brother?</b></p>
<p style="text-align: justify; ">Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."</p>
<p><b>Anger in the online community</b></p>
<p style="text-align: justify; ">A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the <a href="http://timesofindia.indiatimes.com/topic/US-Government">US government</a> is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.</p>
<p>
For more details visit <a href='https://cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying'>https://cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying</a>
</p>
No publisher | praskrishna | Surveillance | Internet Governance | Privacy | 2013-07-01T04:10:05Z | News Item
Technology, Power, and Revolutions in the Arab Spring
https://cis-india.org/internet-governance/events/technology-power-and-revolutions-in-arab-spring
<b>The Centre for Internet and Society (CIS), Bangalore cordially invites you to a talk by Prof. Ramesh Srinivasan on technology, power and revolutions in the Arab Spring. The talk will be held in CIS office on July 2, 2013 from 6.00 p.m. onwards.</b>
<h2>Ramesh Srinivasan</h2>
<p style="text-align: justify; ">Ramesh Srinivasan, Associate Professor at UCLA in Design and Media/Information Studies, studies and participates in projects focused on how new media technologies impact political revolutions, economic development and poverty reduction, and the future of cultural heritage. He recently wrote <a href="http://www.washingtonpost.com/national/on-innovations/london-egypt-and-the-complex-role-of-social-media/2011/08/11/gIQAIoud8I_story.html">an op/ed at the Washington Post</a> explaining the complex nature of social media in revolutions and riots, such as those in Egypt and in London, and also a column for the Post’s Sunday Outlook section on the <a href="http://www.washingtonpost.com/national/on-innovations/five-myths-about-social-media/2011/09/15/gIQAr2BwAL_allComments.html#comments">5 Myths of Social Media</a>. Additionally, he has written multiple front page articles for the Huffington Post, including a <a href="http://www.huffingtonpost.com/ramesh-srinivasan/the-net-worth-of-open-net_b_823570.html">piece</a> on Internet Freedom for the Huffington Post. He has had his work featured on the front page of the UCLA and USC websites.</p>
<p style="text-align: justify; ">Recent public outreach has built on his response in the New Yorker (from his blog: <a href="http://rameshsrinivasan.org/">http://rameshsrinivasan.org</a>) to Malcolm Gladwell’s writings critiquing the power of social media in impacting revolutionary movements. He has worked with bloggers, pragmatically studying their strengths and limitations, who were involved in recent revolutions in Egypt and Kyrgyzstan, as discussed in a recent <a href="http://www.npr.org/2011/08/12/139570720/twitter-created-echo-chamber-during-egyptian-protests">NPR interview</a>. He has also collaborated with non-literate tribal populations in India to study how literacy emerges through uses of technology, and traditional Native American communities to study how non-Western understandings of the world can introduce new ways of looking at the future of the internet. His work has impacted contemporary understandings of media studies, anthropology and sociology, design, and economic and political development studies. He has given several major invited talks, including recently at LIFT in 2009 (<a href="http://vimeo.com/5520100">http://vimeo.com/5520100</a>). He holds an engineering degree from Stanford, a Masters degree from the MIT Media Lab, and a Doctorate from Harvard University. His full academic CV can be found at <a href="http://rameshsrinivasan.org/cv">http://rameshsrinivasan.org/cv</a></p>
<hr />
<p><b><a class="external-link" href="http://rameshsrinivasan.org/">See Prof. Ramesh Srinivasan's blog page</a></b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/technology-power-and-revolutions-in-arab-spring'>https://cis-india.org/internet-governance/events/technology-power-and-revolutions-in-arab-spring</a>
</p>
No publisher | praskrishna | Event | Internet Governance | 2013-07-01T08:36:57Z | Event
Biometrics or bust? India's Identity Crisis
https://cis-india.org/news/biometrics-or-bust-indias-identity-crisis
<b>Malavika Jayaram is speaking at an event organized by the Oxford Internet Institute on July 2, 2013. The talk will be held at Oxford Internet Institute, University of Oxford, 1 St Giles Oxford OX1 3JS.</b>
<hr />
<div class="story" style="text-align: justify; ">
<p>This info was <a class="external-link" href="http://www.oii.ox.ac.uk/events/?id=602">published on the Oxford Internet Institute website</a>.</p>
<hr />
<p>India's mammoth biometric ID project, which has registered around 270 million people and is yet to be fully realized, is already the world's largest such endeavor. It is marketed as a potential game-changer both domestically (where it is touted as a silver bullet to solve most problems) and internationally (where countries wait and watch this experiment before importing it into their own jurisdictions). Alongside all the hype about the scale of the scheme, its potential for transforming the delivery of services and the scope for private participation in traditionally state-controlled functions, there are fears of function creep, of subversion to create new types of fraud and corruption, of increased profiling and targeting, and of a citizenry becoming transparent to its government in an unprecedented way, all in the name of ambiguous benefits and the rhetoric of inclusion.</p>
<p>The government praises the ease and efficiency of centralized databases, the promise of technology (including the myth of biometrics uniquely and unambiguously identifying people in a foolproof way) and the construction of the identified self. However, there is growing awareness of the dangers of joined-up databases resulting in exclusion rather than inclusion, and persecution rather than democratization.</p>
<p>The scheme is technically voluntary, but with the provision of benefits, goods and services being increasingly linked to the scheme, it will soon become impossible to function in India without a biometric ID. If every facet of everyday life is linked to this single number, it renders all claims of voluntariness meaningless. The lack of information self-determination in a biometrically mediated universe has important ramifications for anonymity, free speech and the maintenance of an essential private sphere.</p>
<p>In this talk, Malavika will provide an overview of the scheme as well as the debate around privacy and autonomy that it has triggered, framed against the backdrop of a larger civil liberties crisis. She will also describe India's efforts to craft new privacy and data protection legislation.</p>
</div>
<p>
For more details visit <a href='https://cis-india.org/news/biometrics-or-bust-indias-identity-crisis'>https://cis-india.org/news/biometrics-or-bust-indias-identity-crisis</a>
</p>
No publisher | praskrishna | Internet Governance | Privacy | 2013-07-01T09:49:48Z | News Item
World Wide Rule
https://cis-india.org/internet-governance/blog/indian-express-june-14-2013-nishant-shah-world-wide-rule
<b>Nishant Shah's review of Schmidt and Cohen's book was published in the Indian Express on June 14, 2013.</b>
<hr />
<p><a class="external-link" href="http://www.indianexpress.com/news/world-wide-rule/1129208/0">Click to read the original published in the Indian Express here</a></p>
<hr />
<p><b>Book: The New Digital Age</b><b><br />Author: Eric Schmidt & Jared Cohen<br /></b><b>Publisher: Hachette</b><b><br />Price: Rs 650<br />Pages: 315</b></p>
<hr />
<p style="text-align: justify; ">When I first heard that Eric Schmidt, the chairman of Google, and Jared Cohen, the director of the techno-political think-tank Google Ideas, are co-authoring a book about our future and how it is going to be re-shaped with the emergence of digital technologies, I must confess I was sceptical. When people who do things that you like start writing about those things, it is not always a pretty picture. Or an easy read. However, like all sceptics, I am only a romantic waiting to be validated. So, when I picked up The New Digital Age I was hoping to be entertained, informed and shaken out of my socks as the gurus of the interwebz spin science fiction futures for our times. Sadly, I have been taught my lesson and have slid back into hardened scepticism.</p>
<p style="text-align: justify; ">Here is the short version of the book: Technology is good. Technology is going to be exciting. There are loads of people who haven't had it yet. There are not enough people who have figured out how things work. Everybody needs to go online because no matter what, technologies are here to stay and they are going to be the biggest corpus of power. They write, "There is a canyon dividing people who understand technology and people charged with addressing the world's toughest geopolitical issues, and no one has built a bridge…As global connectivity continues its unprecedented advance, many old institutions and hierarchies will have to adapt or risk becoming obsolete, irrelevant to modern society." So the handful who hold the reins of the digital (states, corporates, artificial intelligence clusters) are either going to rule the world, or, well, write books about it.</p>
<p style="text-align: justify; ">The long version is slightly more nuanced, even though it fails to give us what we have grown to expect of all things Google — the bleeding edge of back and beyond. For a lay person, observations that Schmidt and Cohen make about the future of the digital age might be mildly interesting in the way title credits to your favourite movie can be. Once they have convinced us, many, many times, that the internet is fast and fluid and that it makes things fast and fluid and hence the future we imagine is going to be fast and fluid, the authors tell us that the internet is spawning a new "caste system" of haves, have-nots, and wants-but-does-not-haves.</p>
<p style="text-align: justify; ">Citing the internet as "the largest experiment involving anarchy in history" they look at the new negotiations of power around the digital. Virulent viruses from the "Middle East" make their appearance. Predictably wars of censorship and free information in China get due attention. Telcos get a big hand for building the infrastructure which can sell Google phones to people in Somalia. The book offers a straightforward (read military) reading of drones and less-than-expected biased views on cyberterrorism, which at least escapes the jingoism that the USA has been passing off in the service of a surveillance state. And more than anything else, the book shows politicos and governments around the world, that the future is messy, anarchy is at hand, but as long as they put their trust in Big Internet Brothers, the world will be a manageable place.</p>
<p style="text-align: justify; ">So while you can clearly see where my review for the book is heading, I must give it its due credit.</p>
<p style="text-align: justify; ">There are three things about this book that make it interesting. The first is how Schmidt and Cohen seem to be in a seesaw dialogue with themselves. They realise that five billion people are going to get connected online. They gush a little about what this net-universality is going to mean. And then immediately, they also realise that we have to prepare ourselves for a "Brave New World," which is going to be infinitely more messy and scary. They recognise that the days of anonymity on the Web are gone, with real life identities becoming our primary digital avatars. However, they also hint at a potential future of pseudonymity that propels free speech in countries with authoritarian regimes. This oscillation between the good, the bad, the plain and the incredible, keeps their writing grounded without erring too much either on the side of techno-euphoria or dystopic visions of the future.</p>
<p style="text-align: justify; ">Second, and perhaps justly so, the book doles out a lot of useful information not just for the techno-neophytes but also the amateur savant. There are stories about "Currygate" in Singapore, or of what Vodafone did in Egypt after the Arab Spring, or of the "Human Flesh Search Engine" in China, which offer a comprehensive, if not critical, view of the way things are. Schmidt and Cohen have been everywhere on the ether and they have cyberjockeyed for decades to tell us stories that might be familiar but are still worth the effort of writing.</p>
<p style="text-align: justify; ">Third, it is a readable book. It doesn't require you to Telnet your way into obscure meaning sets in the history of computing. It is written for people who are still mystified not only about the past of the Net but also its future, and treads a surprisingly balanced ground in both directions. It is a book you can give to your grandmother, and she might be inspired to get herself a Facebook (or maybe a Google +) account.</p>
<p style="text-align: justify; ">But all said and done, I expected more. It is almost as if Schmidt and Cohen are sitting on a minefield of ideas which they want to hint at but don't yet want to share because they might be able to turn it into a new app for the Nexus instead. It is a book that could have been. It wasn't. It is ironic how silent the book is about the role that big corporations play in shaping our techno-futures, and the fact that it is printed on dead-tree books with closed licensing so I couldn't get a free copy online. For people claiming to build new and political futures, the fact that this wisdom could not come out in more accessible forms and formats, speaks a lot about how seriously we can take their views of the future.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indian-express-june-14-2013-nishant-shah-world-wide-rule'>https://cis-india.org/internet-governance/blog/indian-express-june-14-2013-nishant-shah-world-wide-rule</a>
</p>
No publisher | nishant | Internet Governance | 2013-07-01T10:26:24Z | Blog Entry
Internet firms deny existence of PRISM
https://cis-india.org/news/times-of-india-javed-anwer-ishan-srivastava-june-8-2013-internet-firms-deny-existence-of-prism
<b>Nothing is private anymore. According to a leak in the US, which revealed the wide reach of a mass surveillance programme by intelligence agencies, messages, posts, chats on your computer or phone are all vulnerable to interception, thanks to direct access to servers of major tech companies.</b>
<hr />
<p>The article by Javed Anwer and Ishan Srivastava was <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2013-06-08/internet/39833419_1_assistance-treaty-user-data-personal-data">published in the Times of India</a> on June 8, 2013. Sunil Abraham and Pranesh Prakash are quoted.</p>
<hr />
<p style="text-align: justify; ">The existence of the programme, called Prism, was first reported by the Washington Post and the Guardian newspaper after they received a tip-off from a whistleblower in the <a href="http://timesofindia.indiatimes.com/topic/National-Security-Agency">National Security Agency</a> in the US. The whistleblower claimed that NSA has direct access to all the data that flows through the servers of Google, Facebook, Microsoft, Apple, Skype, <a href="http://timesofindia.indiatimes.com/topic/YouTube">Youtube</a>, AOL and Paltalk.</p>
<p style="text-align: justify; ">Later, the NSA reportedly acknowledged the existence of the programme but said that it collected data only from foreign nationals. While it may come as a relief to the US citizens, it underscores the fact that people not residing in the US, including Indians, are fair game. What is even more alarming is the fact that US authorities are using the technology companies headquartered in the country to spy on <a href="http://timesofindia.indiatimes.com/topic/The-Rest-%28musician%29">the rest</a> of the world.</p>
<p style="text-align: justify; ">All companies named in the leaks have denied the existence of Prism. A Yahoo spokesperson said on Friday, "Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or network."</p>
<p style="text-align: justify; ">Privacy International, a privacy watchdog organisation, said it is possible that companies would not be aware of the government tapping into their servers. "Until we know whether this information was obtained through filters, interception, or some other method, it is difficult to know the breadth of access the NSA has."</p>
<p style="text-align: justify; ">However, Indian users would seem to have no way to defend themselves if the <a href="http://timesofindia.indiatimes.com/topic/US-Government">US government</a> wants to access their data. Pavan Duggal, a specialist in cyber law, said, "Indian users don't have any protection against the US authorities seeking their data from the US companies."</p>
<p style="text-align: justify; ">Technology companies said they comply with local laws while dealing with issues related to personal data of a user. In response to queries from TOI, both Google and Facebook said that they used "mutual legal assistance treaty" to handle international requests for data.</p>
<p style="text-align: justify; ">Mutual legal assistance treaty is understood to be governed by actual treaties that two nations may have between them for sharing of user data. A Facebook official said that if a US agency wanted to access the data belonging to an Indian citizen, the sleuths would have to follow the diplomatic channels and get the data only when Indian authorities have approved it.</p>
<p style="text-align: justify; ">Google too talked about "mutual legal assistance treaty" but it didn't clarify how it worked. Google officials pointed out the company guidelines which noted that any non-US government agency would have to use mutual legal assistance treaty to access user data. But the company's public guidelines don't make any mention of the procedure followed in the cases where a US agency requests data on non-US users.</p>
<p style="text-align: justify; ">Microsoft directed TOI to its official statement denying the existence of Prism. It refused to discuss how it handled the requests from US authorities seeking data of foreigners.</p>
<p style="text-align: justify; ">Pranesh Prakash, a policy director with Centre for Internet and Society (CIS), said that it was high time the <a href="http://timesofindia.indiatimes.com/topic/Indian-Government">Indian government</a> stood up for its citizens.</p>
<p style="text-align: justify; ">"Indian government needs to come with a strong and clear law to protect the privacy of Indian users. The law has to make it clear to companies operating in India that they need to respect the privacy of Indian users, even when they are dealing with the governments outside India," he said.</p>
<p style="text-align: justify; ">However, providing direct access to servers to an agency like NSA may not necessarily be a breach of agreement between the users of websites like Google and Facebook and its owners. Sunil Abraham, executive director at CIS said, "I have not studied end-user agreements carefully, but usually they have provisions for communication interception and data access in accordance with legal procedure."</p>
<p style="text-align: justify; ">"But more importantly, this is a violation of US data access and interception law. The US government has been going around the world preaching Internet freedom to authoritarian regimes. And now it turns out that their practices are worse than many of the regimes they have been criticizing. That is why it is a complete <a href="http://timesofindia.indiatimes.com/topic/Scandal">scandal</a>," Abraham said.</p>
<p style="text-align: justify; ">Besides, the surveillance may run contrary to a whole range of international legal instruments. For example, the ICCPR, ratified by the USA, says that "no one shall be subject to arbitrary or unlawful interference with his private life, family, home or correspondence," said Joe McNamee, executive director of European Digital Rights, a privacy watchdog based in Europe.</p>
<p>
For more details visit <a href='https://cis-india.org/news/times-of-india-javed-anwer-ishan-srivastava-june-8-2013-internet-firms-deny-existence-of-prism'>https://cis-india.org/news/times-of-india-javed-anwer-ishan-srivastava-june-8-2013-internet-firms-deny-existence-of-prism</a>
</p>
No publisher | praskrishna | Internet Governance | 2013-07-02T07:47:27Z | News Item
‘Hacking’ sparks row over exam evaluation
https://cis-india.org/news/the-hindu-june-7-2013-vasudha-venugopal-karthik-subramanian-hacking-sparks-row-over-exam-evaluation
<b>Over the past two days, Cornell University student Debarghya Das’ blog post on ‘Hacking the Indian Education System’ has kicked off a debate across the country over the security of data published online and the practice of moderation of marks obtained by school students in board examinations. </b>
<hr />
<p style="text-align: justify; ">The article by Vasudha Venugopal and Karthik Subramanian was <a class="external-link" href="http://www.thehindu.com/news/national/hacking-sparks-row-over-exam-evaluation/article4788750.ece">published in the Hindu</a> on June 7, 2013. Pranesh Prakash is quoted.</p>
<hr />
<p class="body" style="text-align: justify; ">The 20-year-old Cornell student extracted large amounts of class X and XII student results from a website that hosted the ICSE results using an automated program. Over 1,760 schools are affiliated to the ICSE and more than 1.2 lakh students took the board exams. Based on interpretation of the data sets, he raised allegations of large-scale “tampering” of marks by the authorities, ostensibly to maintain a healthy graph on the results.</p>
<p class="body" style="text-align: justify; ">Information Security experts said what the student did could not be viewed as a major security breach as much as it was exploiting a loophole. “Anyone with basic programming skills will be able to pull it off,” said Pranesh Prakash, policy director at the Bangalore-based Center for Internet and Society. “There are add-ons available on popular internet browsers that allow users to read the embedded codes on a website and run programs to mine data.”</p>
<p class="body" style="text-align: justify; ">Government websites are most susceptible to loopholes because too many people use them, says Nitesh Betala, Chennai coordinator of Null, a community of programmers that meets regularly to explore these loopholes in public domain websites. “We inform the system administrators directly hoping that they would plug loopholes before others exploit them.”</p>
<p class="body" style="text-align: justify; ">Debarghya too explained on his blog (deedy.quora.com) on Thursday that what he did was not illegal. “I did not illegally access any database system. All I did was access information that was available to any person who entered a number into the website could access. I simply mined the data.”</p>
<p class="body" style="text-align: justify; ">The ICSE council, on its part, said it does not publish the examination results in an online manner on its website. Instead, hard copies of results are despatched to schools. But the results are disseminated to third parties such as media organisations.</p>
<p class="body" style="text-align: justify; ">Krupakar Manukonda, who runs a blog on education for the not-for-profit organisation Takshashila, said: “The online results of all the boards have serious privacy problems. I think the respective boards should issue a passcode along with a hall ticket or entering Date of Birth, First name and Last name should be made mandatory to access marks.”</p>
<p class="body" style="text-align: justify; ">Das deduced after much data crunching and statistical analysis that the “marks had been tampered with”. His claim is supported by graphs purporting to show that nearly 33 scores, such as 91, 92, 86 and so on, were never awarded to any student.</p>
<p class="body" style="text-align: justify; ">However, teachers deny the allegation. “The word tampering is wrong. There is moderation that happens across education boards,” explained a teacher, who has worked with ICSE schools in Hyderabad and Chennai. “After the first round of corrections, raw data is given to officials and head examiners who analyse how students have performed. They try to ensure the bell curve of the results does not look awkward. If it does, the implication is that the checking has been either too liberal or very strict.”</p>
<p class="body" style="text-align: justify; ">After the first moderation, there is a final moderation which is often done by a different set of teachers. “There are some instructions given to us earlier, and some changes made later, depending on analysis by the board,” said a teacher. Teachers are not told about moderation methods in both CBSE and ICSE boards.</p>
<p class="body" style="text-align: justify; ">The ICSE council says that it does follow the practice of moderation. “In keeping with the practice followed by examination conducting bodies, a process of standardisation is applied to the results, so as to take into account the variations in difficulty level of questions over the years (which may occur despite applying various norms and yardsticks), as well as the marginal variations in evaluation of answer scripts by hundreds of examiners (inter-examiner variability), for each subject.”</p>
<p class="body" style="text-align: justify; ">Some teachers are however puzzled by the findings. “It is understandable that there are many 35s because a student on the verge of passing, is often pushed to the mark. But I don’t understand why there are no 85, 87, 89, 91 and 93. And, with cut throat competition for every single mark in colleges, teachers are very careful, especially with top scoring papers,” said another senior teacher.</p>
<p>
For more details visit <a href='https://cis-india.org/news/the-hindu-june-7-2013-vasudha-venugopal-karthik-subramanian-hacking-sparks-row-over-exam-evaluation'>https://cis-india.org/news/the-hindu-june-7-2013-vasudha-venugopal-karthik-subramanian-hacking-sparks-row-over-exam-evaluation</a>
</p>
No publisher | praskrishna | Internet Governance | 2013-07-02T08:58:17Z | News Item
Indian Government Quietly Brings In Its 'Central Monitoring System': Total Surveillance Of All Telecommunications
https://cis-india.org/news/tech-dirt-june-8-2013-indian-govt-quietly-brings-central-monitoring-system
<b>There's a worrying trend around the world for governments to extend online surveillance capabilities to encompass all citizens -- often justified with the usual excuse of combatting terrorism and/or child pornography.</b>
<hr />
<p>The blog post was <a class="external-link" href="https://www.techdirt.com/articles/20130508/09302923002/indian-government-quietly-brings-its-central-monitoring-system-total-surveillance-all-communications.shtml">published in <b>tech dirt</b></a> on June 8, 2013. Pranesh Prakash is quoted.</p>
<hr />
<p>The latest to join this unhappy club is India, which has put in place what sounds like <a href="http://timesofindia.indiatimes.com/tech/tech-news/internet/Government-can-now-snoop-on-your-SMSs-online-chats/articleshow/19932484.cms">a massively intrusive system</a>, as this article from The Times of India makes clear:</p>
<blockquote style="text-align: justify; "><i>The government last month quietly began rolling out a project that gives it access to everything that happens over India's telecommunications network -- online activities, phone calls, text messages and even social media conversations. Called the Central Monitoring System, it will be the single window from where government arms such as the National Investigation Agency or the tax authorities will be able to monitor every byte of communication.</i></blockquote>
<p style="text-align: justify; ">This project has been under development for two years, but in almost total secrecy:</p>
<blockquote style="text-align: justify; "><i>"In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome," warned Pranesh Prakash, director of policy at the Centre for Internet and Society. "Further, this has been done with neither public nor parliamentary dialogue, making the government unaccountable to its citizens."</i></blockquote>
<p style="text-align: justify; ">That combination of total surveillance and zero transparency is a dangerous one, providing the perfect tool for monitoring and controlling political and social dissent. If India wishes to maintain its claim to be "the world's largest democracy", its government would do well to introduce some safeguards against abuse of the new system, such as strong privacy laws, as well as engaging the Indian public in an open debate about <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">what exactly such extraordinary surveillance powers might be used for</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/news/tech-dirt-june-8-2013-indian-govt-quietly-brings-central-monitoring-system'>https://cis-india.org/news/tech-dirt-june-8-2013-indian-govt-quietly-brings-central-monitoring-system</a>
</p>
No publisher | praskrishna | Internet Governance | Privacy | 2013-07-02T09:12:49Z | News Item
Issue of duplication of identities of users under control: Nilekani
https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control
<b>Nandan Nilekani says UIDAI system almost completely accurate, duplication of identities virtually negligible.</b>
<hr />
<p>The article by Anirban Sen was <a class="external-link" href="http://www.livemint.com/Politics/jgihdb9IkoT0ui0sC2viIM/Issue-of-duplication-of-identities-of-users-under-control-N.html">published in Livemint</a> on June 29, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) chief <span class="person"><a href="http://www.livemint.com/Search/Link/Keyword/Nandan%20Nilekani">Nandan Nilekani</a></span> said the government agency was in preliminary discussions with some embassies to use the Aadhaar project to simplify visa application procedures and that the issue of duplication of identities of users was well under control.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">In March, a UIDAI spokesperson told <i>Mint</i> that it had detected 34,015 cases where one person had been issued two Aadhaar numbers. The figures represented a little over 0.01% of the 290 million people who had been enrolled at the time.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">Nilekani, who was delivering a keynote address at a three-day conference on the success and failures of information technology (IT) in the public and private sector at the Indian Institute of Management in Bangalore, said the UIDAI system was almost completely accurate and duplication of identities was virtually negligible.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">“Knowing what we know now, we believe we have accuracy of up to 99.99%,” said Nilekani, chairman of the Unique Identification Authority of India (UIDAI).</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">On Saturday, Nilekani gave an assurance that the project was completely secure and that user data and biometrics were safe in the hands of the agencies it works with, and he brushed aside concerns about the security of user data that have been widely raised by Internet security groups and activists.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">“We’re not giving any access to data, except when it is resident authorized. It is shared only when a resident participates in a transaction and authorizes the data which is shared,” said Nilekani, who was one of the seven co-founders of India’s second largest software exporter <span class="company"><a href="http://www.livemint.com/Search/Link/Keyword/Infosys%20Ltd">Infosys Ltd</a></span>. He served as CEO of Infosys from 2002 to 2007.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">“The system is also not open to the internet—the system has rings of authentications of service agencies. There are lots of concentric rings of security,” he added. “The biometric data is not used except for enrolment, re-duplication and authentication.”</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">Internet rights groups and activists such as <span class="person"><a href="http://www.livemint.com/Search/Link/Keyword/Sunil%20Abraham">Sunil Abraham</a></span> of the Centre for Internet and Society (CIS), a research thinktank that focuses on issues of Internet governance, have often raised concerns over UID’s overtly broad scope and privacy issues in the project.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">“We don’t need Aadhaar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the Internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies,” Abraham wrote in a blog post on the CIS website last year.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">Nilekani also acknowledged that the department had faced several challenges, due to the sheer scale of the project that aims to cover the country’s entire population of 1.2 billion.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">“We have had lots of challenges on this project—we have backlogs of enrolment because we have more packets than we can process, we have backlogs of letter deliveries because we cannot handle so many letters…but fundamentally notwithstanding those challenges, we believe we are on the right track,” said Nilekani.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">Both UIDAI and the census department under the National Population Register project are recording biometric data, which includes fingerprint and iris data. Even though both the agencies reached a truce after a cabinet decision in January 2012 and were allowed to co-exist, there have been several reports of duplication between the two agencies in biometric collection.</p>
<p class="mceContentBody documentContent" style="text-align: justify; ">UIDAI is not just being used as the main platform for rolling out the government’s direct cash transfer scheme, but is also being regarded as an important authentication scheme for financial transactions and other security measures.</p>
<p>
For more details visit <a href='https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control'>https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control</a>
</p>
No publisher | praskrishna | Internet Governance | Privacy | 2013-07-02T10:13:10Z | News Item