The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 15.
Workshop on the Unique Identity Number (UID), the National Population Register (NPR) and Governance: What will happen to our data?
https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr
<b>On March 2nd, 2013, the Centre for Internet and Society and the Say No to UID campaign organized a workshop to discuss the present state of the UID and NPR schemes. Some of the questions which were addressed included ´How do the UID and NPR impact citizenship´, ´Why and how is national security linked to UID/NPR´, and ´What is the relationship between UID and Big Data´. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p class="italized" style="text-align: justify; "><i>“The UIDAI will own our data...When we hand over information, we hand over the ownership of that data...”</i>, stated Usha Ramanathan, legal researcher and human rights activist.She also pointed out that, although the UID has been set up by an executive order, there is no statute which legally backs up the UID. In other words, the collection of our data through the UID scheme is currently illegal in India, hinging only on an executive order. However, Usha Ramanathan stated that if the UID scheme is going to be carried out, it is highly significant that a statute for the UID is enacted to prevent potential abuse of human rights, especially since the UIDAI is currently collecting, sharing, using and storing our data on untested grounds.</p>
<blockquote class="italized"><i>´What is alarming is that the Indian government has not even attempted to legalize the UID! When a government does not even care about legalizing its actions, then we have much bigger problems...” </i></blockquote>
<p style="text-align: justify; "><span>The NPR is legally grounded in the provisions of the Citizenship Act 1955 and in the Citizenship Rules 2003 and it is mandatory for every usual resident in India to register with the NPR. Even though the collection of biometrics is not accounted for in the statute or rules, the NPR is currently collecting photographs, iris prints and fingerprints. Concerns regarding the use of biometrics in the UID and NPR schemes were raised during the workshop; biometrics are not infallible and can be spoofed, an individual´s biometrics can change in response to a number of factors (including age, environment and stress), the accuracy of a biometric match depends on the accuracy of the technology used and the larger the population is, the higher the probability of an error. Thus, individuals are required to re-enrol every two to three years, to ensure that the biometric data collected is accurate; but the accuracy of the data is not the only problem. The Indian government is illegally collecting biometrics and as of yet has not amended the 2003 Citizenship Rules to include the collection of biometrics! As Usha Ramanathan stated:</span></p>
<blockquote class="italized" style="text-align: justify; "><span> </span><i>“It´s not really about the UID and the NPR per se...it´s more about the idea of profiling citizens and the technologies which enable this...”</i></blockquote>
<p style="text-align: justify; "><span>In his presentation, Anant Maringanti, from the Hyderabad Urban Labs and Right to the City Foundation, stated that even though seventy seven lakh duplicates have been found, no action has been taken, other than discarding one of them. Despite the fact that enrolment with the UID is considered to be voluntary, children in India are forced to get a unique identification number as a prerequisite of going to school. Anant emphasized that the UID scheme supposedly provides some form of identity to the poor and marginalised groups in India, but it actually targets some of the most vulnerable groups of people, such as HIV patients and sex workers. Furthermore, though Indians living below the poverty line (BPL) are eligible for direct cash transfer programmes, apparently registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BLP category. This is problematic as individuals who have not enrolled in the UID or do not want to enroll in the UID could risk being denied benefits because they did not enroll and thus were not classified in the BPL category. Anant also pointed out that, linking biometric data to a bank account through the UID scheme is basically exposing personal data to fraud. Anant Maringanti characteristically stated: </span></p>
<blockquote class="italized"><span> </span><i>“I wish the 100 people applying the UID scheme had UIDs so that we could track them...!”</i></blockquote>
<p style="text-align: justify; "><span>Following the end of the workshop on the UID and NPR schemes, CIS interviewed Usha Ramanathan and Anant Maringanti: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span>The workshop can be viewed in two parts: <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/o7X1Af5Jw3s" width="250"></iframe> <iframe frameborder="0" height="250" src="http://www.youtube.com/embed/rSFYOfvtOr8" width="250"></iframe> </span></p>
<p style="text-align: justify; "><span><br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr'>https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:28:50ZBlog EntryWhy 'Facebook' is More Dangerous than the Government Spying on You
https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you
<b>In this article, Maria Xynou looks at state and corporate surveillance in India and analyzes why our "choice" to hand over our personal data can potentially be more harmful than traditional, top-down, state surveillance. Read this article and perhaps reconsider your "choice" to use social networking sites, such as Facebook. </b>
<p align="JUSTIFY"><i>Do you have a profile on Facebook?</i> Almost every time I ask this question, the answer is ‘yes’. In fact, I think the amount of people who have replied ‘no’ to this question can literally be counted on my right hand. But this is not an article about Facebook per se. It’s more about the ‘Facebooks’ of the world, and of people’s increasing “choice” to hand over their most personal data. More accurate questions are probably:</p>
<p align="JUSTIFY">“<i>Would you like the Government to go through your personal diary? If not, then why do you have a profile on Facebook?”</i></p>
<h2><span><b>The Indian Surveillance State</b></span></h2>
<p align="JUSTIFY">Following <span style="text-decoration: underline;"><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">Snowden</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">’</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">s</a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html"> </a><a href="http://news.yahoo.com/nsa-revelations-timeline-whats-come-since-snowden-leaks-203656274.html">revelations</a></span>, there’s finally been more talk about surveillance. But what is surveillance?</p>
<p align="JUSTIFY">David Lyon - who directs the <span style="text-decoration: underline;"><a href="http://www.sscqueens.org/">Surveillance</a><a href="http://www.sscqueens.org/"> </a><a href="http://www.sscqueens.org/">Studies</a><a href="http://www.sscqueens.org/"> </a><a href="http://www.sscqueens.org/">Centre</a></span> - <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">defines</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a></span> as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered”</i>. <a href="http://www.polity.co.uk/book.asp?ref=9780745635910"><span style="text-decoration: underline;">Surveillance</span></a> can also be defined as the monitoring of the behaviour, activities or other changing information of individuals or groups of people. However, this definition implies that individuals and/or groups of people are being monitored in a top-down manner, without this being their “choice”. But is that actually the case? To answer this question, let’s have a look at how the Indian government and corporations operating in India spy on us.</p>
<h3><b>State Surveillance</b></h3>
<p align="JUSTIFY">The first things that probably come to mind when thinking about India from a foreigner’s perspective are poverty and corruption. Surveillance appears to be a “Western, elitist issue”, which mainly concerns those who have already solved their main survival problems. In other words, the most mainstream argument I hear in India is that surveillance is not a <i>real </i>issue, especially since the majority of the population in the country lives below the line of poverty and does not even have any Internet access. Interestingly enough though, the other day when I was walking around a slum in Koramangala, I noticed that most people have Airtel satellites...even though they barely have any clean water!</p>
<p align="JUSTIFY">The point though is that surveillance in India is a fact, and the state plays a rather large role in it. In particular, Indian law enforcement agencies follow three steps in ensuring that targeted and mass surveillance is carried out in the country:</p>
<p align="JUSTIFY">1. They create surveillance schemes, such as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> (</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">)</a></span>, which carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">2. They create laws, guidelines and license agreements, such as the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span>, which mandate targeted and mass surveillance and which require ISP and telecom operators to comply</p>
<p align="JUSTIFY">3. They buy surveillance technologies from companies, such as CCTV cameras and spyware, and use them to carry out targeted and/or mass surveillance</p>
<p align="JUSTIFY">While Indian law enforcement agencies don’t necessarily follow these steps in this precise order, they usually try to create surveillance schemes, legalise them and then buy the gear to carry them out.</p>
<p align="JUSTIFY">In particular, surveillance in India is regulated under five laws: the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> 1885</a></span>, the <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Office</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> 1898</a></span>, the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> 1933</a></span>, <span style="text-decoration: underline;"><a href="http://indiankanoon.org/doc/911085/">section</a><a href="http://indiankanoon.org/doc/911085/"> 91 </a><a href="http://indiankanoon.org/doc/911085/">of</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">the</a><a href="http://indiankanoon.org/doc/911085/"> 1973 </a><a href="http://indiankanoon.org/doc/911085/">Code</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">of</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">Criminal</a><a href="http://indiankanoon.org/doc/911085/"> </a><a href="http://indiankanoon.org/doc/911085/">Procedure</a><a href="http://indiankanoon.org/doc/911085/"> (</a><a href="http://indiankanoon.org/doc/911085/">CrPc</a><a href="http://indiankanoon.org/doc/911085/">)</a></span> and the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span>. These laws mandate targeted surveillance, but remain silent on the issue of mass surveillance which means that technically it is neither allowed nor prohibited, but remains a grey legal area.</p>
<p align="JUSTIFY">While surveillance laws in India may not mandate mass surveillance, some of their sections are particularly concerning. Section 69 of the<span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> 2008</a></span> allows for the interception of all information transmitted through a computer resource, while requiring that all users disclose their private encryption keys or face a jail sentence of up to seven years. This appears to be quite bizarre, as individuals can only keep their data private and protect themselves from surveillance through encryption.</p>
<p align="JUSTIFY">Section 44 of the Information Technology (Amendment) Act 2008 imposes stiff penalties on anyone who fails to provide requested information to authorities - which kind of reminds us of Orwell’s totalitarian regime in <a href="http://www.ministryoflies.com/1984.pdf"><span style="text-decoration: underline;">“1984”</span></a>. Furthermore, section 66A of the same law states that individuals will be punished for sending “offensive messages through communication services”. However, the vagueness of this section raises huge concerns, as it remains unclear what defines an “offensive message” and whether this will have grave implications on the freedom of expression. The <span style="text-decoration: underline;"><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">arrest</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">of</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">two</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">Indian</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">women</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">last</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">November</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">over</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">a</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">Facebook</a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx"> </a><a href="http://www.hindustantimes.com/india-news/mumbai/outrage-after-arrest-of-2-women-for-facebook-post-on-mumbai-shutdown/article1-961377.aspx">post</a></span> reminds us of this.</p>
<p align="JUSTIFY">Laws in India may not mandate mass surveillance, but guidelines and license agreements issued by the Department of Telecommunications do. In particular, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">regarding</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">the</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Central</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Monitoring</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">System</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> (</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">CMS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">) </a></span>not only mandates mass surveillance, but also attempts to legalise a mass surveillance scheme which aims to intercept all telecommunications and Internet communications in India. Furthermore, the Department of Telecommunications has issued <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/data-services/internet-services">numerous</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">guidelines</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">and</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">license</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">agreements</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">for</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">ISPs</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">and</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">telecom</a><a href="http://www.dot.gov.in/data-services/internet-services"> </a><a href="http://www.dot.gov.in/data-services/internet-services">operators</a></span>, which require them to not only be “surveillance-friendly”, but to also enable law enforcement agencies to tap into their servers on the grounds of national security. And then, of course, there’s the new <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">National</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Cyber</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Security</a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1"> </a><a href="http://deity.gov.in/content/national-cyber-security-policy-2013-1">Policy</a></span>, which mandates surveillance to tackle cyber-crime, cyber-terrorism, cyber-war and cyber-vandalism.</p>
<p align="JUSTIFY">As both a result and prerequisite of these laws, the Indian government has created various surveillance schemes and teams to aid them. In particular, <span style="text-decoration: underline;"><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">India</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">’</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">s</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Computer</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Emergency</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Response</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> </a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">Team</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert"> (</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">CERT</a><a href="http://deity.gov.in/content/indian-computer-emergency-response-team-cert">)</a></span> is currently monitoring “any suspicious move on the Internet” in order to checkmate any potential cyber attacks from hackers. While this may be useful for the purpose of preventing and detecting cyber-criminals, it remains unclear how “any suspicious move” is defined and whether that inevitably enables mass surveillance, without individuals’ knowledge or consent.</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://ncrb.gov.in/cctns.htm">Crime</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">and</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Criminal</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Tracking</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">and</a><a href="http://ncrb.gov.in/cctns.htm"> </a><a href="http://ncrb.gov.in/cctns.htm">Network</a><a href="http://ncrb.gov.in/cctns.htm"> & </a><a href="http://ncrb.gov.in/cctns.htm">Systems</a><a href="http://ncrb.gov.in/cctns.htm"> (</a><a href="http://ncrb.gov.in/cctns.htm">CCTNS</a><a href="http://ncrb.gov.in/cctns.htm">)</a></span> is the creation of a nationwide networking infrastructure for enhancing the efficiency and effectiveness of policing and sharing data among 14,000 police stations across the country. It has been estimated that Rs. 2000 crore has been allocated for the CCTNS project and while it may potentially increase the effectiveness of tackling crime and terrorism, it raises questions around the legality of data sharing and its potential implications on the right to privacy and other human rights - especially if such data sharing results in data being disclosed or shared with unauthorised third parties.</p>
<p align="JUSTIFY">Similarly, the <span style="text-decoration: underline;"><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> </a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">Intelligence</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> </a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">Grid</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html"> (</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID</a><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">)</a></span> is an integrated intelligence grid that will link the databases of several departments and ministries of the Government of India so as to collect comprehensive patterns of intelligence that can be readily accessed by intelligence agencies. This was first proposed in the aftermath of the Mumbai 2008 terrorist attacks and while it may potentially aid intelligence agencies in countering crime and terrorism, enforced privacy legislation should be a prerequisite, which would safeguard our data from potential abuse.</p>
<p align="JUSTIFY">However, the most controversial surveillance scheme being implemented in India is probably the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a></span> (CMS). While several states, such as Assam, already have <span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Internet</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Monitoring</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Systems</a></span> in place, the Central Monitoring System appears to raise even graver concerns. In particular, the CMS is a system through which all telecommunications and Internet communications in India will be monitored by Indian authorities. In other words, the CMS will be capable of intercepting our calls and of analyzing our data on social networking sites, while all such data would be retained in a centralised database. Given that India currently lacks privacy legislation, such a system would mostly be unregulated and would pose major threats to our right to privacy and other human rights. Given that data would be centrally stored, the system would create a type of “honeypot” for centralised cyber attacks. Given that the centralised database would have massive volumes of data for literally a billion people, the probability of error in pattern and profile matching would be high - which could potentially result in innocent people being convicted for crimes they did not commit. Nonetheless, mass surveillance through the CMS is currently a reality in India.</p>
<p align="JUSTIFY">And the even bigger question: How can law enforcement agencies mine the data of 1.2 billion people? How do they even carry out surveillance in practice? Well, that’s where surveillance technology companies come in. In fact, the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">surveillance</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">industry</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">in</a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers"> </a><a href="https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers">India</a></span> is massively expanding - especially in light of its new surveillance schemes which require advanced and sophisticated technology. According to <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CIS</a><a href="https://cis-india.org/cisprivacymonitor">’ </a><a href="https://cis-india.org/cisprivacymonitor">India</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Privacy</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Monitor</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">Map</a></span> - which is part of ongoing research - Indian law enforcement agencies use CCTV cameras in pretty much every single state in India. The map also shows that Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are being used in most states in India and the <span style="text-decoration: underline;"><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">DRDO</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">’</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">s</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/"> “</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">Netra</a><a href="http://defence.pk/threads/drdo-develops-uav-netra-to-aid-anti-terrorist-operations.64086/">”</a></span> - which is a lightweight drone, not much bigger than a bird - is particularly noteworthy.</p>
<p align="JUSTIFY">But Indian law enforcement agencies also buy surveillance software and hardware which is aimed at intercepting telecommunications and Internet communications. In particular, <span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail</a><a href="http://www.clear-trail.com/"> </a><a href="http://www.clear-trail.com/">Technologies</a></span> is an Indian company - based in Indore - which equips law enforcement agencies in India and around the world with <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">surveillance</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">software</a></span> which can probably be compared with the “notorious” FinFisher. So in short, there appears to be a tight collaboration between Indian law enforcement agencies and the surveillance industry, which can be clearly depicted in the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">surveillance</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">trade</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">shows</a></span>, otherwise known as “the wiretappers’ ball”.</p>
<h3><b>Corporate Surveillance</b></h3>
<p align="JUSTIFY">When I ask people about corporate surveillance, the answer I usually get is: <i>“Corporations only care about their profit - they don’t do surveillance per se”</i>. And while that may be true, <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">David</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">Lyon</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">’</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">s</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">definition</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">of</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a></span> - as <i>“any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” </i>- may indicate otherwise.</p>
<p align="JUSTIFY">Corporations, like Google, Amazon and Facebook, may not have an agenda for spying per se, but they do collect massive volumes of personal data and, in cases such as PRISM, <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">allow</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">law</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">enforcement</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">to</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">tap</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">into</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">their</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">servers</a></span>. Once law enforcement agencies get hold of data collected by companies, such as Facebook, they then use data mining software - equipped by various surveillance technology companies - to process and mine the data. And how do companies, like Google and Facebook, make money off our personal data? By selling it to big buyers, such as law enforcement agencies.</p>
<p align="JUSTIFY">So while Facebook and all the ‘Facebooks’ of the world may not profit from surveillance per se, they do profit from collecting our personal data and selling it to third parties, which include law enforcement agencies. And David Lyon argues that <span style="text-decoration: underline;"><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">surveillance</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">involves</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">the</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">collection</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">of</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">personal</a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society"> </a><a href="https://globalsociology.pbworks.com/w/page/14711234/Network%20Society%20or%20Surveillance%20Society">data</a></span> - which corporations, like Facebook, do - for the purpose of influencing and managing individuals. While this last point can probably be widely debated on, it is clear that corporations share their collected data with third parties, which ultimately leads to the influence or managing of individuals - directly or indirectly. In other words, the collection of personal data, in combination with its disclosure to third parties, <i>is</i> surveillance. So when we think about companies, like Google or Facebook, we should not just think of businesses interested in their profit - but also of spying agencies. After all, <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">“</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">if</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">the</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">product</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">is</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">free</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">, </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">you</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">are</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">the</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/"> </a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">product</a><a href="http://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">”</a></span>.</p>
<p align="JUSTIFY">Now if we look at online corporations more closely, we can probably identify three categories:</p>
<p align="JUSTIFY">1. Websites through which we <i>buy products </i>and hand over our personal details - e.g. Amazon</p>
<p align="JUSTIFY">2. Websites through which we <i>use services</i> and hand over our personal details - e.g. flight ticket</p>
<p align="JUSTIFY">3. Websites through which we <i>communicate</i> and hand over our personal details - e.g. Facebook</p>
<p align="JUSTIFY">And why could the above be considered “spying” at all? Because such corporations collect massive volumes of personal data and subsequently:</p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">Disclose</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">such</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">data</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">to</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">law</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">enforcement</a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html"> </a><a href="http://www.nytimes.com/2013/03/22/technology/microsoft-releases-report-on-law-enforcement-requests.html">agencies</a></span></p>
<p align="JUSTIFY">- <span style="text-decoration: underline;"><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">Allow</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">law</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">enforcement</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">agencies</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">to</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">tap</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">into</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">their</a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&"> </a><a href="http://www.nytimes.com/2013/06/09/us/revelations-give-look-at-spy-agencys-wider-reach.html?_r=2&">servers</a></span></p>
<p align="JUSTIFY">- Sell such data to “third parties”</p>
<p align="JUSTIFY">What’s notable about so-called corporate surveillance is that, in all cases, there is a mutual, key element: we <i><span style="text-decoration: underline;"><a href="https://www.eff.org/wp/know-your-rights">consent</a><a href="https://www.eff.org/wp/know-your-rights"> </a></span></i><span style="text-decoration: underline;"><a href="https://www.eff.org/wp/know-your-rights">to</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">the</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">handing</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">over</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">of</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">our</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">personal</a><a href="https://www.eff.org/wp/know-your-rights"> </a><a href="https://www.eff.org/wp/know-your-rights">information</a></span>. We are not forced to hand over our personal data when buying a book online, booking a flight ticket or using Facebook. Instead, we “choose” to hand over our personal data in exchange for a product or service. Now what significantly differentiates state surveillance to corporate surveillance is the factor of <i>“choice”</i>. While we may choose to hand over our most personal details to large online corporations, such as Google and Facebook, we do not have a choice when the government monitors our communications, collects and stores our personal data.</p>
<h2 align="JUSTIFY"><span><b>State Surveillance </b></span><i><b>vs.</b></i><span><b> Corporate Surveillance</b></span></h2>
<p align="JUSTIFY">Both Indian law enforcement agencies and corporations collect massive volumes of personal data. In fact, it is probably noteworthy to mention that Facebook, in particular, <span style="text-decoration: underline;"><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">collects</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> 20 </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">times</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">more</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">data</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">per</a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/"> </a><a href="http://www.zdnet.com/data-driven-analysis-debunks-claims-that-nsa-is-out-of-control-special-report-7000019522/">day</a></span> than the NSA in total. In addition, Facebook has <a href="http://www.ft.com/cms/s/0/7536d216-0f36-11e3-ae66-00144feabdc0.html#axzz2jDSrZPHv"><span style="text-decoration: underline;">claimed</span></a> that it has received more demands from the US government for information about its users than from all other countries combined. In this sense, the corporate collection of personal data can potentially be more harmful than government surveillance, especially when law enforcement agencies are tapping into the servers of companies like Facebook. After all, the Indian government and all other governments would have very little data to analyse if it weren’t for such corporations.</p>
<p align="JUSTIFY">Surveillance is not just about “spying” or about “watching people” - it’s about much much more. Observing people’s behaviour only really becomes harmful when the data observed is collected, retained, analysed, shared and disclosed to unauthorised third parties. In other words, surveillance is meaningful to examine because it involves the <a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"><i><span style="text-decoration: underline;">analysis</span></i></a><span style="text-decoration: underline;"><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"> </a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance">of</a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance"> </a><a href="https://www.sogeti.nl/updates/vint/internet-things-has-dark-side-well-surveillance">data</a></span>, which in turn involves <span style="text-decoration: underline;"><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">pattern</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">matching</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">and</a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf"> </a><a href="http://www.surveillance-and-society.org/articles1/whatsnew.pdf">profiling</a></span>, which can potentially have actual, real-world implications - good or bad. But such analysis cannot be possible without having access to large volumes of data - most of which belong to large corporations, like Facebook. The question, though, is: How do corporations collect such large volumes of personal data, which they subsequently share with law enforcement agencies? Simple: Because <i>we “choose”</i> to hand over our data!</p>
<p align="JUSTIFY">Three years ago, when I was doing research on young people’s perspective of Facebook, all of the interviewees replied that they feel that they are in control of their personal data, because they “choose” what they share online. While this may appear to be a valid point, the “choice” factor can widely be debated on. There are many reasons why people “choose” to hand over their personal data, whether to buy a product, use a service, to communicate with peers or because they feel socially pressured into using social networking sites. Nonetheless, it all really comes down to one main reason: <a href="http://edition.cnn.com/2010/TECH/04/14/oppmann.off.the.grid/"><i><span style="text-decoration: underline;">convenience</span></i></a>. Today, in most cases, the reason why we hand over our personal data online in exchange for products or services is because it is simply more convenient to do so. And while that is understandable, at the same time we are exposing our data (and ultimately our lives) in the name of convenience.</p>
<p align="JUSTIFY">The irony in all of this is that, while many people reacted to <span style="text-decoration: underline;"><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">Snowden</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">’</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">s</a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html"> </a><a href="http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html">revelations</a></span> on NSA dragnet surveillance, most of these people probably have profiles on Facebook. Secret, warrantless government surveillance is undeniably intrusive, but in the end of the day, our profiles on Facebook - and on all the ‘Facebooks’ of the world - is what enabled it to begin with. In other words, if we didn’t choose to give up our personal data - especially without really knowing how it would be handled - large databases would not exist and the NSA - and all the ‘NSAs’ of the world - would have had a harder time gathering and analysing data.</p>
<p align="JUSTIFY">In short, the main difference between state and corporate surveillance is that the first is imposed in a top-down manner by authorities, while the second is a result of our “choice” to give up our data. While many may argue that it’s worse to have control imposed on you, I strongly disagree. When control and surveillance are imposed on us in a top-down manner, it’s likely that we will perceive this - sooner or later - as a <i>direct</i> threat to our human rights, which means that it’s likely that we will resist to it at some point. People usually react to what they perceive as a direct threat, whereas <span style="text-decoration: underline;"><a href="https://www.schneier.com/essay-155.html">they</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">rarely</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">react</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">to</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">what</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">does</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">not</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">directly</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">affect</a><a href="https://www.schneier.com/essay-155.html"> </a><a href="https://www.schneier.com/essay-155.html">them</a></span>. For example, one may perceive murder or suicide as a direct threat due the immediateness of its effect, whereas smoking may not be seen as an equally direct threat, because its consequences are indirect and can usually be seen in the long term. It’s somehow like that with surveillance.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">University</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">students</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">have</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">protested</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">on</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">the</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">streets</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">against</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">the</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">installation</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">of</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">CCTV</a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities"> </a><a href="https://cis-india.org/internet-governance/blog/privacy/cctv-in-universities">cameras</a></span>, but how many of them have profiles on social networking sites, such as Facebook? People may react to the installation of CCTV cameras, because it may appear as a direct threat to their right to privacy. However, the irony is that the real danger does not necessarily lie within some CCTV cameras, but rather within the profile of each person on a major commercial social networking site. At very best, a CCTV camera will capture some images of us and through that, track our location and possibly our acquaintances. What type of data is captured through a simple, “harmless” Facebook profile? The following probably only includes a tiny percentage of what is actually captured:</p>
<p align="JUSTIFY">- Personal photos</p>
<p align="JUSTIFY">- Biometrics (possibly through photos)</p>
<p align="JUSTIFY">- Family members</p>
<p align="JUSTIFY">- Friends and acquaintances</p>
<p align="JUSTIFY">- Habits, hobbies and interests</p>
<p align="JUSTIFY">- Location (through IP address)</p>
<p align="JUSTIFY">- Places visited</p>
<p align="JUSTIFY">- Economic standing (based on pictures, comments, etc.)</p>
<p align="JUSTIFY">- Educational background</p>
<p align="JUSTIFY">- Ideas and opinions (which may be political, religious, etc.)</p>
<p align="JUSTIFY">- Activities</p>
<p align="JUSTIFY">- Affiliations</p>
<p align="JUSTIFY">The above list could potentially go on and on, probably depending on how much - or what type - of data is disclosed by the individual. The interesting element to this is that <span style="text-decoration: underline;"><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">we</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">can</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">never</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">really</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">know</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">how</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">much</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">data</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">we</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">are</a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/"> </a><a href="http://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/">disclosing</a></span>, even if we think we control it. While an individual may argue that he/she chooses to disclose an x amount of data, while retaining the rest, that individual may actually be disclosing a 10x amount of data. This may be the case because usually every bit of data hides lots of other bits of data, that we may not be aware of. <i>It all really comes down to who is looking at our data, when and why.</i></p>
<p align="JUSTIFY">For example, (fictional) Priya may choose to share on her Facebook profile (through photos, comments, or any other type of data) that she is female, Indian, a Harvard graduate and that her favourite book is <span style="text-decoration: underline;"><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">“</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">Anarchism</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">and</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">other</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view"> </a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">Essays</a><a href="http://www.free-ebooks.net/ebook/Anarchism-and-other-essays/pdf/view">”</a></span> by Emma Goldman. At first glance, nothing appears to be “wrong” with what Priya is revealing and in fact, she appears to care about her privacy by not revealing “the most intimate details” of her life. Moreover, one could argue that there is absolutely nothing “incriminating” about her data and that, on the contrary, it just reflects that she is a “shiny star” from Harvard. However, I am not sure if a data analyst would be restricted to this data and if data analysis would show the same “sparkly” image.</p>
<p align="JUSTIFY">In theory, the fact that Priya is an Indian who attended Harvard reveals another bit of information, that Priya did not choose to share: her economic standing. Given that the majority of Indians live below the line of poverty, there is a big probability that Priya belongs to India’s middle class - if not elite. Priya may not have intentionally shared this information, but it was indirectly revealed through the bits of data that she did reveal: female Indian and Harvard graduate. And while there may not be anything “incriminating” about the fact that she has a good economic standing, in India this usually means that there’s also some strong political affiliation. That brings us to her other bit of information, that her favourite author is a feminist, anarchist. While that may be viewed as indifferent information, it may be crucial depending on the specific political actors in the country she’s in and on the general political situation. If a data analyst were to map the data that Priya chose to share, along with all her friends and acquaintances that she inevitably has through Facebook, that data analyst could probably tell a story about her. And the concerning part is that that story may or may not be true. But that doesn’t really matter.</p>
<p align="JUSTIFY">Today, governments don’t judge us and take decisions based on our version of our data, but<span style="text-decoration: underline;"><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">based</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">on</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">what</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">our</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">data</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">says</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">about</a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us"> </a><a href="http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us">us</a></span>. And perhaps, under certain political, social and economic circumstances, our “harmless” data could be more incriminating than what we think. While an individual may express strong political views within a democratic regime, if that political system were to change in the future and to become authoritarian, that individual would possibly be suspicious in the eyes of the government - to say the least. This is where data retention plays a significant role.</p>
<p align="JUSTIFY">Most companies <span style="text-decoration: underline;"><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">retain</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">data</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">indefinitely</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">or</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">for</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">a</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">long</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">period</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">of</a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf"> </a><a href="http://www.bryancave.com/files/Publication/cbd3503b-c968-4565-9cc7-016b9aa3b6f1/Presentation/PublicationAttachment/b24d1c5a-4550-4207-9486-062a025da8d9/Data%20Privacy%20and%20Security%20Team_Retaining%20Data_March%202012.pdf">time</a></span>, which means that future, potentially less-democratic governments may have access to it. And the worst part is that we can never really know what data is being held about us, because within data analysis, <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/spy-files-three">every</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">bit</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">data</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">may</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">potentially</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">entails</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">various</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">other</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">bits</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">data</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">that</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">we</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">are</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">not</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">even</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">aware</a><a href="https://cis-india.org/internet-governance/blog/spy-files-three"> </a><a href="https://cis-india.org/internet-governance/blog/spy-files-three">of</a></span>. So, when we “choose” to hand over our data, we don’t necessarily know what or how much we are choosing to disclose. Thus, this is why I agree with Bruce Schneier’s argument that people have an <i><span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">illusionary</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">sense</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">of</a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"> </a><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html">control</a></span></i><a href="https://www.schneier.com/blog/archives/2006/09/facebook_and_da.html"><span style="text-decoration: underline;"> </span></a>over their personal data.</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">Social</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">network</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">analysis</a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/"> </a><a href="http://www.faculty.ucr.edu/~hanneman/nettext/">software</a></span> is specifically designed to mine huge volumes of data that is collected through social networking sites, such as Facebook. Such software is specifically designed to profile individuals, to create “trees of communication” around them and to <span style="text-decoration: underline;"><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf">match</a><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf"> </a><a href="http://www.scs.ryerson.ca/~bgajdero/research/Malta08.pdf">patterns</a></span>. In other words, this software tells a story about each and every one of us, based on our activities, interests, acquaintances, and all other data. And as mentioned before, such a story may or may not be true.</p>
<p align="JUSTIFY">In data mining, <span style="text-decoration: underline;"><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf">behavioural</a><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf"> </a><a href="http://www.sagepub.com/upm-data/40006_Chapter1.pdf">statistics</a></span> are being used to analyse our data and to predict how we are likely to behave. When applied to national databases, this may potentially amount to predicting how masses or groups within the public are likely to behave and to subsequently control them. If a data analyst can predict an individual’s future behaviour - with some probability - based on that individuals’ data, the same could potentially occur on a mass, public level. As such, the danger within surveillance - especially corporate surveillance through which we<span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">voluntarily</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">disclose</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">massive</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">amounts</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">of</a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html">data</a></span> about ourselves - is that it appears to come down to <i>public control</i>.</p>
<p align="JUSTIFY">According to security expert Bruce Schneier, <span style="text-decoration: underline;"><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">data</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">today</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">is</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">a</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">byproduct</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">of</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">the</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">Information</a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/"> </a><a href="http://edition.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/">Society</a></span>. Unlike an Orwellian totalitarian state where surveillance is imposed in a top-down manner, surveillance today appears to widely exist because we indirectly choose and enable it (by handing over our data to online companies), rather than it being imposed on us in a solely top-down manner. However, contemporary surveillance may potentially be far worse than that described in Orwell’s “1984”, because surveillance is publicly perceived to be an <i>indirect </i>threat - if considered to be a threat at all. It is more likely that people will resist a direct threat, than an indirect threat, which means that the possibility of mass violations of human rights as a result of surveillance is real.</p>
<p align="JUSTIFY">Hannah Arendt argued that a main prerequisite and component of totalitarian power is <span style="text-decoration: underline;"><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">support</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">by</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">the</a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/"> </a><a href="http://livingtext.wordpress.com/2012/11/26/totalitarianism-was-supported-by-the-masses/">masses</a></span>. Today, surveillance appears to be socially integrated within societies which indicates that contemporary power fueled by surveillance has mass support. While the argument that surveillance is being socially integrated can potentially be widely debated on and requires an entire in depth research of its own, few simple facts might be adequate to prove it at this stage. Firstly, <span style="text-decoration: underline;"><a href="https://cis-india.org/cisprivacymonitor">CCTV</a><a href="https://cis-india.org/cisprivacymonitor"> </a><a href="https://cis-india.org/cisprivacymonitor">cameras</a></span> are installed in most countries, yet there has been very little resistance - on the contrary, there appears to be a type of universal acceptance on the grounds of security. Secondly, different types of spy products exist in the market - such as <span style="text-decoration: underline;"><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Spy</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Coca</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">Cola</a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/"> </a><a href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cans</a></span> - which can be purchased by anyone online. Thirdly, countries all over the world carry out controversial surveillance schemes - such as the <span style="text-decoration: underline;"><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">Central</a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml"> </a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">Monitoring</a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml"> </a><a href="http://www.techdirt.com/articles/20130629/17255423670/how-indian-governments-central-monitoring-system-makes-nsa-look-like-paragon-restraint.shtml">System</a></span> in India - yet public resistance to such projects is limited. And while one may argue that the above cases don’t necessarily prove that surveillance is being socially integrated, it would be interesting to look at a fourth fact: most people who have Internet access <i>choose </i>to share their personal data through the use of social networking sites.</p>
<p align="JUSTIFY">Reality shows, such as Big Brother, which broadcast the surveillance of people’s lives and present it as a form of entertainment - when actually, I think it should be worrisome - appear to enable the social integration of surveillance. The very fact that we all probably - or, hopefully - know that Facebook can share our personal data with unauthorised third parties and - now, after the Snowden revelations - that governments can tap into Facebook’s servers, should be enough to convince us to delete our profiles. Yet, why do we still all have Facebook profiles? Perhaps because surveillance is socially integrated and perhaps because it is just <span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">convenient</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">to</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">be</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">on</a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html"> </a><a href="https://www.schneier.com/blog/archives/2013/06/trading_privacy_1.html">Facebook</a></span>. But that doesn’t change the fact that surveillance can potentially be a threat to our human rights. It just means that we perceive surveillance as an indirect threat and that we are unlikely to react to it.</p>
<p align="JUSTIFY">In the long term, what does this mean? Well, it seems like we will probably be <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">more</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">acceptive</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">towards</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">more</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">authoritarian</a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate"> </a><a href="https://cis-india.org/internet-governance/blog/interview-with-caspar-bowden-privacy-advocate">power</a></span>, that we will be used to the idea of censoring our own thoughts and actions (in the fear of getting caught by the CCTV camera on the street or the spyware which may or may not be implanted in our laptop) and that ultimately, we will be less politically active and more reluctant to challenge the authority.</p>
<p align="JUSTIFY">What’s particularly interesting though about surveillance today is that it is fueled and <span style="text-decoration: underline;"><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">enabled</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">through</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">our</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">freedom</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">of</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">speech</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">and</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">general</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">Internet</a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063"> </a><a href="http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063">freedom</a></span>. If we didn’t have any Internet freedom - or as much as we do - we would have disclosed less personal data and thus surveillance would probably have been more restricted. The more Internet freedom we have, the more personal data we will disclose on Facebook - and on all the ‘Facebooks’ of the world - and the more data will potentially be available to mine, analyse, share and generally incorporate in the surveillance regime. So in this sense, Internet freedom appears to be a type of prerequisite of surveillance, as contradictory and ironic as it may seem. No wonder why the Chinese government has gone the extra mile in creating the <span style="text-decoration: underline;"><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Chinese</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">versions</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">of</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Facebook</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">and</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515">Twitter</a><a href="http://www.mirror.co.uk/news/world-news/weibo-chinese-version-of-twitter-can-1545515"> </a></span>- it’s probably no coincidence.</p>
<p align="JUSTIFY">While we may blame governments for establishing surveillance schemes, ISP and TSP operators for complying with governments’ license agreements which often mandate that they create backdoors for spying on us and security companies for creating the surveillance gear in the first place, in the end of the day, we are all equally a part of this mess. If we didn’t <i>choose </i>to hand over our personal data to begin with, none of the above would have been possible.</p>
<p align="JUSTIFY">The real danger in the Digital Age is not necessarily surveillance per se, but our <i>choice</i> to voluntarily disclose our personal data.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you'>https://cis-india.org/internet-governance/blog/why-facebook-is-more-dangerous-than-the-government-spying-on-you</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-11-23T08:38:30ZBlog EntryUAS License Agreement Amendment regarding the Central Monitoring System (CMS)
https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment'>https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment</a>
</p>
No publishermariaSurveillanceInternet GovernanceSAFEGUARDS2014-01-30T12:43:56ZFileThe Surveillance Industry in India: At Least 76 Companies Aiding Our Watchers!
https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers
<b>Maria Xynou is conducting research on surveillance technology companies operating in India. So far, 76 companies have been detected which are currently producing and selling different types of surveillance technology. This post entails primary data on the first ever investigation of the surveillance industry in India. Check it out! </b>
<hr />
<p style="text-align: justify; ">This blog post has been <a class="external-link" href="http://www.medianama.com/2013/05/223-surveillance-industry-study-shows-at-least-76-companies-aiding-surveillance-in-india-cis-india/">cross-posted</a> in Medianama on May 8, 2013. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">So yes, we live in an <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">Internet Surveillance State</a>. And yes, we are constantly under the microscope. But how are law enforcement agencies even equipped with such advanced technology to surveille us in the first place?</p>
<p style="text-align: justify; "><span>Surveillance exists because certain companies produce and sell products and solutions which enable mass surveillance. Law enforcement agencies would not be capable of mining our data, of intercepting our communications and of tracking our every move if they did not have the technology to do so. Thus an investigation of the surveillance industry should be an integral part of research for any privacy advocate, which is why I started looking at surveillance technology companies. India is a very interesting case not only because it</span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting"> lacks privacy legislation </a><span>which could safeguard us from the use of intrusive technologies, but also because no thorough investigation of the surveillance industry in the country has been carried out to date.</span></p>
<p style="text-align: justify; "><span>The investigation of the Indian surveillance industry has only just begun and so far, 76 surveillance technology companies have been detected. No privacy legislation...and a large surveillance industry. What does this mean?</span></p>
<h2><b>A glimpse of the surveillance industry in India</b></h2>
<p style="text-align: justify; "><span>In light of the </span><a href="http://uidai.gov.in/">UID scheme</a><span>, the </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">National Intelligence Grid</a><span> (NATGRID), the </span><a href="http://ncrb.nic.in/cctns.htm">Crime and Criminal Tracking Network System</a><span> (CCTNS) and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System</a><span> (CMS), who supplies law enforcement agencies the technology to surveille us?</span></p>
<p style="text-align: justify; "><span>In an attempt to answer this question and to uncover the surveillance industry in India, I randomly selected a sample of 100 companies which appeared to produce and sell surveillance technology. This sample consisted of companies producing technology ranging from internet and phone monitoring software to biometrics, CCTV cameras, GPS tracking and access control systems. The reason why these companies were randomly selected was to reduce the probability of research bias and out of the 100 companies initially selected, 76 of them turned out to sell surveillance technology. These companies vary in the types of surveillance technology they produce and it should be noted that most of them are not restricted to surveillance technologies, but also produce other non-surveillance technologies. Paradoxically enough, some of these companies </span><a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html">simultaneously produce internet monitoring software and encryption tools</a><span>! Thus it would probably not be fair to label companies as ´surveillance technology companies´ per se, but rather to acknowledge the fact that, among their various products, they also sell surveillance technologies to law enforcement agencies.</span></p>
<p style="text-align: justify; ">Companies selling surveillance technology in India are listed in <a href="https://cis-india.org/internet-governance/blog/table-1.pdf" class="internal-link">Table 1</a>. Some of these companies are Indian, whilst others have international headquarters and offices in India. Not surprisingly, the majority of these companies are based in India's IT hub, Bangalore.</p>
<p style="text-align: justify; "><span><a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> shows the types of surveillance technology produced and sold by these 76 companies.</span></p>
<p style="text-align: justify; ">The graph below is based on <a href="https://cis-india.org/internet-governance/blog/table-2.pdf" class="internal-link">Table 2</a> and shows which types of surveillance are produced the most by the 76 companies.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_Surveillancetechgraph.png" alt="Surveillance Graph" class="image-inline" title="Surveillance Graph" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Graph on types of surveillance sold to law enforcement agencies by 76 companies in India</p>
<p style="text-align: justify; "><span>Out of the 76 companies, the majority (32) sell surveillance cameras, whilst 31 companies sell biometric technology; this is not a surprise, given the </span><a href="http://www.economist.com/node/21542814">UID scheme</a><span> which is rapidly expanding across India. Only </span><a href="http://www.clear-trail.com/">one company</a><span> from the sample produces social network analysis software, but this is not to say that this type of technology is low in the Indian market, as this sample was randomly selected and many companies producing this type of software may have been excluded. Moreover, many companies (13) from the sample produce data mining and profiling technology, which could be used in social networking sites and which could have similar - if not the same - capabilities as social network analysis software. Such technology may potentially be aiding the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central Monitoring System (CMS)</a><span>, especially since the project would have to monitor and mine Big Data.</span></p>
<p style="text-align: justify; "><span>On countless occasions I have been told that surveillance is an issue which concerns the elite and which does not affect the poorer classes, especially since </span><a href="https://opennet.net/research/profiles/india">the majority of the population in India does not even have Internet access</a><span>. However, the data in the graph above falsifies this mainstream belief, as many companies operating in India produce and sell phone and SMS monitoring technology, while </span><a href="http://www.thehindu.com/news/national/half-of-indias-homes-have-cellphones-but-not-toilets/article2992061.ece">more than half the population owns mobile phones</a><span>. Seeing as companies, such as </span><a href="http://www.clear-trail.com/">ClearTrail Technologies</a><span> and </span><a href="http://www.shoghicom.com/">Shoghi Communications</a><span>, sell phone monitoring equipment to law enforcement agencies and more than half the population in India has mobile phones, it is probably safe to say that surveillance is an issue which affects everyone, not just the elite.</span></p>
<h2>Did you Know:</h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/spywarepic.jpg" alt="Spyware" class="image-inline" title="Spyware" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><span>CARLOS62 on flickr </span></p>
<ol>
<li>WSS Security Solutions Pvt. Ltd. is <a href="http://www.wssgroup.in/aboutus.html">north India´s first CCTV zone</a></li>
<li>Speck Systems Limited was <a href="http://www.specksystems.com/sub-links/Strengths/core-strengths-UAV.htm">the first Indian company to design, manufacture and fly a micro UAV indigenously</a></li>
<li>Mobile Spy India (Retina-X Studios) has the following <a href="http://www.mobilespy.co.in/">mobile spying features</a>: </li>
</ol>
<ul>
<li><i>SniperSpy</i>: remotely monitors smartphones and computers from any location</li>
</ul>
<ul>
<li><i>Mobile Spy: </i>monitors up to three phones and uploads SMS data to a server using GPRS without leaving traces</li>
</ul>
<p>4. Infoserve India Private Limited produces an<a href="http://www.infoserveindia.com/products/26/Internet-Monitoring-System.html"> Internet monitoring System</a> with the following features:</p>
<ul>
<li>Intelligence gathering for an entire state or a region</li>
<li>Builds a chain of suspects from a single start point</li>
<li>Data loss of less than 2%</li>
<li>2nd Generation Interception System</li>
<li>Advanced link analysis and pattern matching algorithms</li>
<li>Completely Automated System</li>
<li>Data Processing of up to 10 G/s</li>
<li>Automated alerts on the capture of suspicious data (usually based on keywords)</li>
</ul>
<p>5. ClearTrail Technologies<b> </b>deploys <a href="https://www.documentcloud.org/documents/409231-111-cleartrail.html#document/p3/a68269">spyware into a target´s machine</a><br />6. Spy Impex<b> </b>sells <a href="http://www.tradedir.in/s/coca-cola-tin-camera">Coca Cola Tin Cameras</a>!<br />7. Nice Deal<b> </b>also sells Coca Cola Spy Cameras, as well as Spy Pen Cameras, Wrist Watch Cameras and <a href="http://www.indiamart.com/nicedeal/spy-hidden-cameras.html">Lighter Video Cameras</a> to name a few...<br />8. Raviraj Technologies<b> </b>is an Indian company which supplies <a href="http://www.ravirajtech.com/index.html">RFID and biometric technology</a> to multiple countries all around the world... Countries served by Raviraj Technologies include non-democracies, such as Zimbabwe and Saudi Arabia...as well as post-revolutionary countries, such as Egypt and Tunisia... Why is this concerning?</p>
<ul>
<li style="text-align: justify; ">Non-democracies lack adequate privacy and human rights safeguards and by supplying such regimes with biometric and tracking technology, the probability is that this will lead to further <a href="http://www.rogerclarke.com/DV/Biometrics.html">oppression</a> within these countries </li>
</ul>
<ul>
<li style="text-align: justify; ">Egypt and Tunisia had elections to transit to democracy and by providing them biometric technology, this could lead to further oppression and stifle efforts to increase human rights safeguards</li>
</ul>
<h2><b>“I´m not a terrorist, I have nothing to hide!”</b></h2>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/surveillancetechpic.jpg" alt="Surveillance Tec" class="image-inline" title="Surveillance Tec" /></th>
</tr>
</tbody>
</table>
<p><span> </span><a href="http://www.flickr.com/photos/r1chard/">r1chardm</a> on flickr</p>
<p style="text-align: justify; ">It´s not a secret: Everyone knows we are being surveilled, more or less. Everyone is aware of the CCTV cameras (luckily there are public notices to warn us...for now). Most people are aware that the data they upload on Facebook is probably surveilled...one way or the other. Most people are aware that mobile phones can potentially be wiretapped or intercepted. Yet, that does not prevent us from using our smartphones and from disclosing our most intimate secrets to our friends, from uploading hundreds of photos on Facebook and on other social networking sites, or from generally disclosing our personal data on the Internet. The most mainstream argument in regards to surveillance and the disclosure of personal data today appears to be the following:</p>
<blockquote class="italized"><i>“I´m not a terrorist, I have nothing to hide!”</i></blockquote>
<p style="text-align: justify; "><span>Indeed. You may not be a terrorist...and you may </span><i>think </i><span>you have nothing to hide. But in a surveillance state, to what extent does it really matter if you are a terrorist? And how do we even define ´risky´ and ´non-risky´ information?</span></p>
<p style="text-align: justify; "><span>Last year at the </span><a href="http://lcaunderthestars.org.au/programme/schedule">linux.conf.au</a><span>, </span><a href="http://www.youtube.com/watch?v=GMN2360LM_U">Jacob Appelbaum</a><span> stated that in a surveillance state, everyone can potentially be a suspect. The argument “I´m not a terrorist, I have nothing to hide” is merely a psychological coping mechanism when dealing with surveillance and expresses a lack of agency. </span><a href="http://www.schneier.com/essay-155.html">Bruce Schneier</a><span> has argued that the psychology of security does not necessarily reflect the reality of security. In other words, we may feel or think that our data is secure because we consider it to ential ´non-risky´ information, but the reality of security may indicate that our data may entail ´risky information´ depending on who is looking at it, when, how and why. I disagree with the distinction between ´risky´ and ´non-risky´ information, as any data can potentially be ´risky´ depending on the circumstances of its access.</span></p>
<p style="text-align: justify; "><span>That being said, we do not necessarily need to disclose nude photos or be involved in some criminal organization in order to be tracked. In a surveillance society, </span><a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">we are all potentially suspects</a><span>. The mining and profiling of our data may lead to us somehow being linked to someone who, for whatever reason, is a suspect (regardless of whether that person has committed an actual offence) and thus may ultimately end us up being suspects. Perhaps one of our interests (as displayed in our data), our publicly expressed ideas or even our browsing habits may fall under ´suspicious activity´. It´s not really an issue of whether we are involved in a criminal organisation per se or if we are disclosing so-called </span><a href="http://www.computerworld.com/s/article/9176265/Half_of_social_networkers_post_risky_information_study_finds_">´risky information´</a><span>. As long as our data is being surveilled, we are all suspects, which means that </span><a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239412">we can all potentially be arrested, interrogated and maybe even tortured</a><span>, just like any other criminal suspect.</span></p>
<p style="text-align: justify; "><span>But what fuels a surveillance society? How can law enforcement agencies mine such huge volumes of data? Many companies, such as the 76 listed in this research, equip law enforcement agencies with the technology to monitor the Internet and our phones, to deploy malware to our computers, to mine and profile our data on social networking sites and to track our vehicles and movement. A main reason why we currently live in a Surveillance State is because the surveillance industry is blooming and currently equipping law enforcement agencies with the technology to watch our every move. Thus companies producing and selling surveillance technologies play an essential role in maintaining the surveillance state and should be accountable for the implications their products have on individuals´ right to privacy and other human rights.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies, however, are not the only factor which fuels a surveillance state. Companies produce technologies based on the market´s demand and without it, the surveillance industry would not exist. The </span><a href="http://www.sourcesecurity.com/news/articles/co-1753-ga.4047.html">market appears to demand for surveillance technologies</a><span> because a pre-existing </span><a href="http://www.abc.net.au/tv/bigideas/stories/2012/04/16/3476847.htm">surveillance culture</a><span> has been established which in turn may or may not have been created by political interests of public control. Nonetheless, surveillance appears to be socially integrated. The fact that some of the most profitable businesses in the world, such as </span><a href="http://money.cnn.com/magazines/fortune/global500/2012/snapshots/284.html">3M</a><span>, produce and sell surveillance technologies, as well as the fact that, in most countries in the world, it is considered socially prestigious to work in such a company is minimum proof that </span><a href="http://www.sscqueens.org/davidlyon/">surveillance is being socially integrated</a><span>. In other words, companies should be accountable in regards to the technologies they produce and who they sell them to, but we should also take into consideration that the only reason why these companies exist to begin with is because there is a demand for them.</span></p>
<p style="text-align: justify; "><span>By not opposing to repressive surveillance laws, to the CCTV cameras in every corner, to surveillance schemes -such as </span><a href="http://cybersecurityforindia.blogspot.in/2012/12/national-intelligence-grid-natgrid.html">NATGRID </a><span>and the </span><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><span> in India- or by handing over our data, </span><a href="http://www.schneier.com/essay-167.html"><i>we </i></a><a href="http://www.schneier.com/essay-167.html">are fuelling the surveillance state</a><span>. Unlike Orwell's totalitarian state described in 1984, surveillance today does not appear to be imposed in a top-down manner, but rather it appears to be a product of both the Information Revolution </span><i>and </i><span>of our illusionary sense of control over our personal data. Our ´apathy´ enables surveillance laws to be enacted and companies to produce the technology which will aid law enforcement agencies in putting us all under the microscope. As easy as it would be to blame companies for producing surveillance technologies, the reality of surveillance appears to be much more complicated than that, especially if surveillance is socially integrated.</span></p>
<p style="text-align: justify; "><span>Yet, the reality in India is that at least 76 companies are producing and selling surveillance technologies and equipping law enforcement agencies with them. This is extremely concerning because </span><a href="https://cis-india.org/internet-governance/blog/report-on-the-first-privacy-round-table-meeting">India lacks privacy legislation </a><span>which could safeguard individuals from potential abuse. The fact that India has not enacted a privacy law ultimately means that individuals are not informed when their data is collected, who has access to it, whether it is being processed, shared, disclosed and/or retained. Furthermore, the absence of privacy legislation in India also means that law enforcement agencies are not held liable and this has an impact on accountability and transparency, as it is not possible to determine whether surveillance is effective or not. In other words, there are currently absolutely no safeguards for the individual in India and simultaneously, the rapidly expanding surveillance industry poses major threats to human rights.</span></p>
<p style="text-align: justify; "><span>Not only does India urgently need privacy legislation to be enacted to safeguard citizens from potential abuse, but the use of all surveillance technologies should be strictly regulated now. As previously mentioned, some companies, such as </span><a href="http://www.ravirajtech.com/index.html">Raviraj Technologies</a><span>, are exporting biometric technology to non-democratic countries and to fragile states transitioning to democracy. This should be prevented, as equipping a country - which lacks adequate safeguards for its citizens - with the technology to ultimately control its citizens can potentially have severe effects on human rights within the country. Thus </span><a href="https://www.privacyinternational.org/reports/our-response-to-eu-consultation-on-legality-of-exporting-surveillance-and-censorship-3">export controls</a><span> are necessary to prevent the expansion of surveillance technologies to countries which lack legal safeguards for their citizens. This also means that there should be some restrictions to international companies selling surveillance technologies from creating offices in India, since the country currently lacks privacy legislation.</span></p>
<p style="text-align: justify; "><span>Surveillance technologies can potentially have very severe effects, such as innocent people being arrested, interrogated, tortured...and maybe even </span><a href="http://edition.cnn.com/2013/03/15/world/asia/u-n-drone-objections">murdered</a><span> in some states. Should they be treated as weapons? Should the same export restrictions that apply to arms apply to surveillance technologies? Sure, the threat posed by surveillance technologies appears to be indirect. But don't indirect threats usually have worse outcomes in the long run? We may not be terrorists and we may have nothing to hide...but we have no privacy safeguards and a massively expanding surveillance industry in India. We are exposed to danger...to say the least.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers'>https://cis-india.org/internet-governance/blog/the-surveillance-industry-in-india-at-least-76-companies-aiding-our-watchers</a>
</p>
No publishermariasurveillance technologiesInternet GovernanceSAFEGUARDS2013-07-12T11:59:10ZBlog EntryThe Privacy (Protection) Bill 2013: A Citizen's Draft
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft
<b>The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, Bhairav Acharya has drafted the Privacy (Protection) Bill 2013.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf" class="internal-link">Click</a> to download a full draft of the Privacy (Protection) Bill, 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:50:20ZBlog EntryThe Personal Data (Protection) Bill, 2013
https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013'>https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T14:53:11ZFileThe National Privacy Roundtable Meetings
https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings
<b>The Centre for Internet & Society ("CIS"), the Federation of Indian Chambers of Commerce and Industry ("FICCI"), the Data Security Council of India ("DSCI") and Privacy International are, in partnership, conducting a series of national privacy roundtable meetings across India from April to October 2013. The roundtable meetings are designed to discuss possible frameworks to privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<h3>Background: The Roundtable Meetings and Organisers</h3>
<p style="text-align: justify; "><a href="https://cis-india.org/">CIS</a> is a Bangalore-based non-profit think-tank and research organisation with interests in, amongst other fields, the law, policy and practice of free speech and privacy in India. <a href="http://www.ficci.com/">FICCI</a> is a non-governmental, non-profit association of approximately 250,000 Indian bodies corporate. It is the oldest and largest organisation of businesses in India and represents a national corporate consensus on policy issues. <a href="http://www.dsci.in/">DSCI</a> is an initiative of the National Association of Software and Service Companies, a non-profit trade association of Indian information technology ("IT") and business process outsourcing ("BPO") concerns, which promotes data protection in India. <a href="https://www.privacyinternational.org/">Privacy International</a> is a London-based non-profit organisation that defends and promotes the right to privacy across the world.</p>
<h3 style="text-align: justify; ">Privacy in the Common Law and in India</h3>
<p style="text-align: justify; ">Because privacy is a multi-faceted concept, it has rarely been singly regulated. A taxonomy of privacy yields many types of individual and social activity to be differently regulated based on the degree of harm that may be caused by intrusions into these activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">The nature of the activity is significant; activities that are implicated by the state are attended by public law concerns and those conducted by private persons <i>inter se</i> demand market-based regulation. Hence, because the principles underlying warranted police surveillance differ from those prompting consensual collections of personal data for commercial purposes, legal governance of these different fields must proceed differently. For this and other reasons, the legal conception of privacy — as opposed to its cultural construction – has historically been diverse and disparate.</p>
<p style="text-align: justify; ">Traditionally, specific legislations have dealt separately with individual aspects of privacy in tort law, constitutional law, criminal procedure and commercial data protection, amongst other fields. The common law does not admit an enforceable right to privacy.<a href="#fn2" name="fr2">[2]</a> In the absence of a specific tort of privacy, various equitable remedies, administrative laws and lesser torts have been relied upon to protect the privacy of claimants.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">The question of whether privacy is a constitutional right has been the subject of limited judicial debate in India. The early cases of <i>Kharak Singh</i> (1964)<a href="#fn4" name="fr4">[4]</a> and <i>Gobind</i> (1975)<a href="#fn5" name="fr5">[5]</a> considered privacy in terms of physical surveillance by the police in and around the homes of suspects and, in the latter case, the Supreme Court of India found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This inference held the field until 1994 when, in the <i>Rajagopal</i> case (1994),<a href="#fn6" name="fr6">[6]</a> the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty guaranteed by Article 21 of the Constitution of India. However, <i>Rajagopal</i> dealt specifically with a book, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the <i>PUCL</i> case (1996)<a href="#fn7" name="fr7">[7]</a> and, while finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards.<a href="#fn8" name="fr8">[8] </a>A more robust statement of the right to privacy was made recently by the Delhi High Court in the <i>Naz </i><i>Foundation</i> case (2011)<a href="#fn9" name="fr9">[9] </a>that de-criminalised consensual homosexual acts; however, this judgment is now in appeal.</p>
<h3 style="text-align: justify; ">Attempts to Create a Statutory Regime</h3>
<p style="text-align: justify; ">The silence of the common law leaves the field of privacy in India open to occupation by statute. With the recent and rapid growth of the Indian IT and BPO industry, concerns regarding the protection of personal data to secure privacy have arisen. In May 2010, the European Union ("EU") commissioned an assessment of the adequacy of Indian data protection laws to evaluate the continued flow of personal data of European data subjects into India for processing. That assessment made adverse findings on the adequacy and preparedness of Indian data protection laws to safeguard personal data.<a href="#fn10" name="fr10">[10]</a></p>
<p>Conducted amidst negotiations for a free trade agreement between India and the EU, the failed assessment potentially impeded the growth of India’s outsourcing industry that is heavily reliant on European and North American business.</p>
<p style="text-align: justify; ">Consequently, the Department of Electronics and Information Technology of the Ministry of Communications and Information Technology, Government of India, issued subordinate legislation under the rule-making power of the Information Technology Act, 2000 ("IT Act"), to give effect to section 43A of that statute. These rules – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Personal Data Rules")<a href="#fn11" name="fr11">[11]</a> — were subsequently reviewed by the Committee on Subordinate Legislation of the 15<sup>th</sup> Lok Sabha.<a href="#fn12" name="fr12">[12]</a> The Committee found that the Personal Data Rules contained clauses that were ambiguous, invasive of privacy and potentially illegal.<a href="#fn13" name="fr13">[13]</a></p>
<p style="text-align: justify; ">In 2011, a draft privacy legislation called the ‘Right to Privacy Bill, 2011’, which was drafted within the Department of Personnel and Training ("DoPT") of the Ministry of Personnel, Public Grievances and Pensions, Government of India, was made available on the internet along with several file notings ("First DoPT Bill"). The First DoPT Bill contained provisions for the regulation of personal data, interception of communications, visual surveillance and direct marketing. The First DoPT Bill was referred to a Committee of Secretaries chaired by the Cabinet Secretary which, on 27 May 2011, recommended several changes including re-drafts of the chapters relating to interception of communications and surveillance.</p>
<p style="text-align: justify; ">Aware of the need for personal data protection laws to enable economic growth, the Planning Commission constituted a Group of Experts under the chairmanship of Justice Ajit P. Shah, a retired Chief Justice of the Delhi High Court who delivered the judgment in the <i>Naz Foundation</i> case, to study foreign privacy laws, analyse existing Indian legal provisions and make specific proposals for incorporation into future Indian law. The Justice Shah Group of Experts submitted its Report to the Planning Commission on 16 October 2012 wherein it proposed the adoption of nine National Privacy Principles.<a href="#fn14" name="fr14">[14]</a> These are the principles of notice, choice and consent, collection limitation, purpose limitation, disclosure of information, security, openness, and accountability. The Report recommended the application of these principles in laws relating to interception of communications, video and audio recordings, use of personal identifiers, bodily and genetic material, and personal data.</p>
<h3 style="text-align: justify; ">Criminal Procedure and Special Laws Relating to Privacy</h3>
<p style="text-align: justify; ">While the <i>Kharak Singh</i> and <i>Gobind</i> cases first brought the questions of permissibility and limits of police surveillance to the Supreme Court, the power to collect information and personal data of a person is firmly embedded in Indian criminal law and procedure. Surveillance is an essential condition of the nation-state; the inherent logic of its foundation requires the nation-state to perpetuate itself by interdicting threats to its peaceful existence. Surveillance is a method by which the nation-state’s agencies interdict those threats. The challenge for democratic countries such as India is to find the optimal balance between police powers of surveillance and the essential freedoms of its citizens, including the right to privacy.</p>
<p style="text-align: justify; ">The regime governing the interception of communications is contained in section 5(2) of the Indian Telegraph Act, 1885 ("Telegraph Act") read with rule 419A of the Indian Telegraph Rules, 1951 ("Telegraph Rules"). The Telegraph Rules were amended in 2007<a href="#fn15" name="fr15">[15]</a> to give effect to, amongst other things, the procedural safeguards laid down by the Supreme Court in the <i>PUCL</i> case. However, India’s federal scheme permits States to also legislate in this regard. Hence, in addition to the general law on interceptions contained in the Telegraph Act and Telegraph Rules, some States have also empowered their police forces with interception functions in certain cases.<a href="#fn16" name="fr16">[16]</a> Ironically, even though some of these State laws invoke heightened public order concerns to justify their invasions of privacy, they establish procedural safeguards based on the principle of probable cause that surpasses the Telegraph Rules.</p>
<p style="text-align: justify; ">In addition, further subordinate legislation issued to fulfil the provisions of sections 69(2) and 69B(3) of the IT Act permit the interception and monitoring of electronic communications — including emails — to collect traffic data and to intercept, monitor, and decrypt electronic communications.<a href="#fn17" name="fr17">[17]</a></p>
<h3 style="text-align: justify; ">The proposed Privacy (Protection) Bill, 2013 and Roundtable Meetings</h3>
<p style="text-align: justify; ">In this background, the proposed Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.</p>
<p style="text-align: justify; ">Previous roundtable meetings to seek comments and opinion on the proposed Privacy (Protection) Bill, 2013 took place at:</p>
<ul>
<li style="text-align: justify; ">New Delhi: April 13, 2013 (<a class="external-link" href="http://bit.ly/17REl0W">http://bit.ly/17REl0W</a>) with 45 participants;</li>
<li style="text-align: justify; ">Bangalore: April 20, 2013 (<a class="external-link" href="http://bit.ly/162t8rU">http://bit.ly/162t8rU</a>) with 45 participants;</li>
<li style="text-align: justify; ">Chennai: May 18, 2013 (<a class="external-link" href="http://bit.ly/12ICGYD">http://bit.ly/12ICGYD</a>) with 25 participants.</li>
<li style="text-align: justify; ">Mumbai, June 15, 2013 (<a class="external-link" href="http://bit.ly/12fJSvZ">http://bit.ly/12fJSvZ</a>) with 20 participants;</li>
<li style="text-align: justify; ">Kolkata: July 13, 2013 (<a class="external-link" href="http://bit.ly/11dgINZ">http://bit.ly/11dgINZ</a>) with 25 participants; and</li>
<li style="text-align: justify; ">New Delhi: August 24, 2013 (<a class="external-link" href="http://bit.ly/195cWIf">http://bit.ly/195cWIf</a>) with 40 participants.</li>
</ul>
<p style="text-align: justify; ">The roundtable meetings were multi-stakeholder events with participation from industry representatives, lawyers, journalists, civil society organizations and Government representatives. On an average, 75 per cent of the participants represented industry concerns, 15 per cent represented civil society and 10 per cent represented regulatory authorities. The model followed at the roundtable meetings allowed for equal participation from all participants.</p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. See generally, Dan Solove, “A Taxonomy of Privacy” <i>University of Pennsylvania Law Review</i> (Vol. 154, No. 3, January 2006).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. <i>Wainwright</i> v. <i>Home Office</i> [2003] UKHL 53.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. See <i>A</i> v. <i>B plc</i> [2003] QB 195; <i>Wainwright</i> v. <i>Home Office </i>[2001] EWCA Civ 2081; <i>R (Ellis)</i> v. <i>Chief Constable of Essex Police</i> [2003] EWHC 1321 (Admin).</p>
<p>[<a href="#fr4" name="fn4">4</a>]. <i>Kharak Singh</i> v. <i>State of Uttar Pradesh</i> AIR 1963 SC 1295.</p>
<p>[<a href="#fr5" name="fn5">5</a>]. <i>Gobind</i> v. <i>State of Madhya Pradesh</i> AIR 1975 SC 1378.</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <i>R. Rajagopal</i> v. <i>State of Tamil Nadu</i> AIR 1995 SC 264.</p>
<p>[<a href="#fr7" name="fn7">7</a>]. <i>People’s Union for Civil Liberties</i> v. <i>Union of India</i> (1997) 1 SCC 30.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. A Division Bench of the Supreme Court of India comprising Kuldip Singh and Saghir Ahmad, JJ, found that the procedure set out in section 5(2) of the Indian Telegraph Act, 1885 and rule 419 of the Indian Telegraph Rules, 1951 did not meet the “just, fair and reasonable” test laid down in <i>Maneka Gandhi</i> v. <i>Union of India</i> AIR 1978 SC 597 requisite for the deprivation of the right to personal liberty, from whence the Division Bench found a right to privacy emanated, guaranteed under Article 21 of the Constitution of India. Therefore, Kuldip Singh, J, imposed nine additional procedural safeguards that are listed in paragraph 35 of the judgment.</p>
<p>[<a href="#fr9" name="fn9">9</a>]. <i>Naz Foundation</i> v. <i>Government of NCT Delhi</i> (2009) 160 DLT 277.</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. The 2010 data adequacy assessment of Indian data protection laws was conducted by Professor Graham Greenleaf. His account of the process and his summary of Indian law can found at Graham Greenleaf, "Promises and Illusions of Data Protection in Indian Law"<i> International Data Privacy Law</i> (47-69, Vol. 1, No. 1, March 2011).</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Rules were brought into effect vide Notification GSR 313(E) on 11 April 2011. CIS submitted comments on the Rules that can be found here – <a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011">http://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011</a>.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. The Committee on Subordinate Legislation, a parliamentary ‘watchdog’ committee, is mandated by rules 317-322 of the Rules of Procedure and Conduct of Business in the Lok Sabha (14<sup>th</sup> edn., New Delhi: Lok Sabha Secretariat, 2010) to examine the validity of subordinate legislation.</p>
<p>[<a href="#fr13" name="fn13">13</a>]. See the 31<sup>st</sup> Report of the Committee on Subordinate Legislation that was presented on 21 March 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. See paragraphs 7.14-7.17 on pages 69-72 of the Report of the Group of Experts on Privacy, 16 October 2012, Planning Commission, Government of India.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. See, the Indian Telegraph (Amendment) Rules, 2007, which were brought into effect <i>vide</i> Notification GSR 193(E) of the Department of Telecommunications of the Ministry of Communications and Information Technology, Government of India, dated 1 March 2007.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. See, <i>inter alia</i>, section 14 of the Maharashtra Control of Organised Crime Act, 1999; section 14 of the Andhra Pradesh Control of Organised Crime Act, 2001; and, section 14 of the Karnataka Control of Organised Crime Act, 2000.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. See, the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data and Information) Rules, 2009 vide GSR 782 (E) dated 27 October 2009; and, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 vide GSR 780 (E) dated 27 October 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings'>https://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</a>
</p>
No publisherbhairavSAFEGUARDSInternet GovernancePrivacy2014-03-21T10:03:44ZBlog EntryThe India Privacy Monitor Map
https://cis-india.org/internet-governance/blog/india-privacy-monitor-map
<b>The Centre for Internet and Society has started the first Privacy Watch in India! Check out our map which includes data on the UID, NPR and CCTNS schemes, as well as on the installation of CCTV cameras and the use of drones throughout the country. </b>
<p style="text-align: justify; ">In a country of twenty-eight diverse states and seven union territories, it remained unclear to what extent surveillance, biometric and other privacy-intrusive schemes are being implemented. We are trying to make up for this by mapping out data in every single state in India on the UID, CCTNS and NPR schemes, as well as on the installation of CCTV cameras and the use of Unmanned Aerial Vehicles (UAVs), otherwise known as drones.</p>
<p style="text-align: justify; ">In particular, the map in its current format includes data on the following:</p>
<p style="text-align: justify; "><b>UID:</b> The Unique Identification Number (UID), also known as AADHAAR, is a 12-digit unique identification number which the Unique Identification Authority of India (UIDAI) is currently issuing for all residents in India (on a voluntary basis). Each UID is stored in a centralised database and linked to the basic demographic and biometric information of each individual. The UIDAI and AADHAAR currently lack legal backing.</p>
<p style="text-align: justify; "><b>NPR:</b> Under the National Population Register (NPR), the demographic data of all residents in India is collected on a mandatory basis. The Unique Identification Authority of India (UIDAI) supplements the NPR with the collection of biometric data and the issue of the AADHAAR number.</p>
<p style="text-align: justify; "><b>CCTV:</b> Closed-circuit television cameras which can produce images or recordings for surveillance purposes.</p>
<p style="text-align: justify; "><b>UAV: </b>Unmanned Aerial Vehicles (UAVs), otherwise known as drones, are aircrafts without a human pilot on board. The flight of a UAV is controlled either autonomously by computers in the vehicle or under the remote control of a pilot on the ground or in another vehicle. UAVs are used for surveillance purposes.</p>
<p style="text-align: justify; "><b>CCTNS: </b>The Crime and Criminal Tracking Networks and Systems (CCTNS) is a nationwide networking infrastructure for enhancing efficiency and effectiveness of policing and sharing data among 14,000 police stations across India.</p>
<p style="text-align: justify; "><b>Our India Privacy Monitor Map can be viewed through the following link: http://cis-india.org/cisprivacymonitor </b></p>
<p style="text-align: justify; ">This map is part of on-going research and will hopefully expand to include other schemes and projects which are potentially privacy-intrusive. We encourage all feedback and additional data!</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/india-privacy-monitor-map'>https://cis-india.org/internet-governance/blog/india-privacy-monitor-map</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-10-09T16:26:14ZBlog EntryThe Difficult Balance of Transparent Surveillance
https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance
<b>Is it too much to ask for transparency in data surveillance? On occasion, companies like Microsoft, Facebook, and the other silicon valley giants would say no. When customers join these services, each company provides their own privacy statement which assures customers of the safety and transparency that accompanies their personal data.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">Google even publishes annual “Transparency Reports” which detail the data movement behind the scenes. Governments, too, are somewhat open about surveillance methods, for example with the public knowledge of the existence and role of institutions like America’s NSA and India’s CMS. These façades of assurance, however, never satisfy the public enough to protect them from feeling cheated and deceived when information leaks about surveillance practices. And in the face of controversy around surveillance, both service providers and governments scramble to provide explanations for discrepancies between their promises and their practices.</p>
<p style="text-align: justify; ">So it seems that transparency might not be too much to ask, but instead is perhaps more complicated of a request than imagined. For some citizens, nothing would be more satisfying than complete transparency on all data collection. For those who recognize surveillance as crucial for national security, however, complete transparency would mean undermining the very efficacy of surveillance practices. And data companies often find themselves caught between these two ends, simultaneously seeking profits by catering to the public, while also trying to abide by political and legal frameworks. Therefore, in the process of modern data surveillance, each attempt at resolution of the transparency issue will become a delicate balance between three actors: the government, the big data companies, and the people. As rightly stated on the Digital Due Process website, rules for surveillance must carefully consider “the individual’s constitutional right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust.”<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">So we must unpack the idea of transparency.</p>
<p style="text-align: justify; ">First, there should be a distinction made between proactive transparency and reactive transparency, or, the announcement of surveillance practices versus the later access to surveillance records. The former is more risky and therefore more difficult to entertain, while the latter may lack any real substance beyond satisfying inquiries. Also consider the discrepancy in motivation for transparency between the actors. For the citizen, is transparency really an end goal, or is it only a stepping stone in the argument for eradication of surveillance practices in the name of rights to privacy? Here, we ascertain the true value of total transparency; will it ever please citizens to learn of a government’s most recent undermining of the private sphere?</p>
<p style="text-align: justify; ">Reactive transparency has been achieved only in recent years in India, during a number of well publicized legal cases. In one of the earliest cases of reactive transparency, Reliance Communications made an affidavit in the Supreme Court over the exact number of surveillance directives given by the government. It was released that 151,000 Reliance accounts were monitored for a project between 2006 and 2010, with 3,588 tapped phones just from the Delhi region alone in 2005.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">But also there has been controversy over the extent of reactive transparency, because it has been especially problematic to discern the point where transparency once again encroaches on privacy, both for government and the people’s sake. After gathering the data, its release could further jeopardize the citizens and the government. It is important to carefully consider the productive extent of reactive transparency: What will become of the information? Will one publicly reveal how many people were spied on? Who was spied on? What was found when through spying? Citizens must take all of this into consideration when requesting transparency.</p>
<p style="text-align: justify; ">Meanwhile, service providers embrace transparency when it can benefit their corporation, or as a recent Facebook statement explained, “we’ve been in discussions with U.S. national security authorities urging them to allow more transparency, <i>so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds</i>.” <a href="#fna" name="fra">[a]</a> Many of the service providers mentioned in the recently leaked PRISM report have made well-publicized requests to the U.S. government for more transparency.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Not only have they allegedly written requests to the government to allow them to disclose information, but the companies (including Facebook <a href="#fna" name="fra">[a]</a>, Apple <a href="#fnb" name="frb">[b]</a>, Microsoft<a href="#fnc" name="frc">[c]</a>, and Google <a href="#fnd" name="frd">[d]</a>) have all released explanatory statements in the wake of the June 2013 PRISM scandal. Although service providers claim that the request to release data about their cooperation is in the ‘interest of transparency,’ it instead seems that the motivation for this transparency is to ease consumers’ concerns and help the companies save face. The companies (and the government) will admit their participation in surveillance once it has become impossible to deny their association with the programs. This shrewd aspect of transparency can be seen most clearly in statements like those from Microsoft, who included in their statement on June 14<sup>th</sup>, “We have not received any national security orders <i>of the type that Verizon was reported to have received</i>.” <a href="#fnc" name="frc">[c]</a> Spontaneous allusions like this are meant to contrast guilt-conscious service providers favorably to telecom service providers such as AT&T and Verizon, who allegedly yielded the most communications data and who as of now have yet to release defensive public statements.</p>
<p style="text-align: justify; ">Currently, we find ourselves in a situation where entities admit to their collusion in snooping only once information has leaked, indignation has ignited, and scandal has erupted. A half-hearted proactive transparency leads to an outrage demanding reactive semi-transparency. These weak forms of transparency neither satisfy the public, nor allow governments and service providers to maintain dignity.</p>
<p style="text-align: justify; ">But now is also a crucial moment for possible reevaluation and reformation of this system, especially in India. Not only is India enacting its own national security surveillance system, the CMS<a href="#fn4" name="fr4">[4]</a> but the recent NSA and PRISM revelations are still sending shockwaves throughout the world of cyber security and surveillance. Last week, a Public Interest Litigation (PIL) was sent to the Indian Supreme Court, arguing that nine foreign service providers (Facebook, Hotmail, Yahoo!, Google, Apple, Skype, Paltalk, AOL, YouTube) violated the trust and privacy of their Indian customers through their collusion with the US government’s surveillance programs.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">Among other things, the PIL emphatically sought prosecution of the mentioned corporations, demands for the service providers to establish servers in India, and also sought stricter rules to prevent Indian officials from using these foreign services for work involving national security. Ultimately, the PIL was rejected by the Supreme Court; although the PIL stated the grounds of Rule 6 of the Information Technology Rules 2011 for the guidelines in protecting sensitive Indian citizen information, the SC saw the PIL as addressing problems outside of SC jurisdiction, and was quoted as saying “we cannot entertain the <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">petition</a> as an Indian agency is not involved.”<a href="#fn5" name="fr5">[5]</a><a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">The SC considered the PIL only partially, however, as certain significant parts of the petition were indeed within Indian domestic agency, for example the urge to prohibit federal officials from using the private email services such as Gmail, Hotmail, and Yahoo. And although the SC is not the correct place to push for new safeguard legislation, the ideas of the PIL are not invalid, as Indian leaders have long searched for ways of ensuring basic Indian privacy laws in the context of international service providers. This is also not a problem distinctive to India. International service providers have entered into agreements regarding the same problems of incorporating international customers’ rights, formal agreements which India could emulate if it wanted to demand greater privacy or transparency.</p>
<p style="text-align: justify; ">For example, there is the Safe Harbor Framework, an institution in place to protect and mediate European Union citizens’ privacy rights within the servers of foreign (i.e. American) Internet companies. These regulations were established in 2000, and serve the purpose of adjusting foreign companies’ standards to incorporate E.U. privacy laws. In accordance with the agreement, E.U. data is only allowed to be sent to outside providers who maintain the seven Safe Harbor principles, several of which focus on transparency of data usage.<a href="#fn7" name="fr7">[7] </a>India could enact a system similar to this, and it would likely alleviate some of the concerns raised in the most recent PIL. These frameworks, however, have not proven completely reliable safeguards either, especially when the service providers’ own government uses national security as a means to override the agreement. Although the U.S. government has yet to fully confirm or deny many of the NSA and PRISM allegations in regards to Europe, there is currently strong room to believe that the surveillance practices may have violated the Safe Harbor agreements by delivering sensitive E.U. citizen data to the U.S. government.<a href="#fn8" name="fr8">[8]</a> It is uncertain how these revelations will impact the agreements made between the big Silicon-Valley companies and their E.U. customers.</p>
<p style="text-align: justify; ">The recent PIL also strongly suggested establishing domestic data servers to keep Indian citizens’ information within the country and under the direct supervision of Indian entities. It strongly pushes for self-reliance as the best way to ensure both citizen and national security. The PIL assumes that domestic servers will not only offer better information protection, but also create much needed jobs and raise national tax revenue.<a href="#fn5" name="fr5">[5]</a> If allegations about PRISM and the E.U. prove true, then the E.U. may also decide to support establishment of European servers as well.</p>
<p style="text-align: justify; ">Several of the ideas outlined in the PIL have merit, but may not be as productive as the requesters assume. It is true that establishing servers and domestic regulators in India may temporarily protect from unwanted foreign, i.e. American, surveillance. But at the same time, this also increases likelihood of India’s own central government taking a stronger surveillance stance, more stringently monitoring their own servers and databases. It has not yet been described how the CMS will be operate its surveillance methods, but moving data to domestic servers may just result in shifting power from NSA to CMS. Rather than more privacy or transparency, the situation could easily become a matter of <i>who</i> citizens prefer spying over them.</p>
<p style="text-align: justify; ">Even if one government establishes rules which enforce transparency, this may clash with the laws of the service providers’ domestic government, i.e. confidentiality in surveillance. Considering all of this, rejection of foreign service providers and promotion of domestic self reliance may ultimately prove the most effective alternative for nations which are growing rapidly in both internet presence and internet consciousness. But that does not make this option the easiest. Facing the revelations and disillusionment of domestic (CMS) and international (PRISM) surveillance methods, countries like India are reaching an impeding critical juncture. Now is the most important time to establish new norms, while public sentiment is at its highest and transition is most possible, not only creating new laws which can safeguard privacy, but also strongly considering alternatives to foreign service providers like those outlined in June’s PIL. Privacy International’s guiding principles of communications surveillance also offer useful advice, urging for the establishment of oversight institutions which can access surveillance records and periodically publish aggregate data on surveillance methods.<a href="#fn9" name="fr9">[9]</a> Although the balance between security on the national level and security on the personal level will continue to be problematic for nations in the upcoming years, and even though service providers’ positions on surveillance usually seem contrived, Microsoft Vice President John Frank made a statement which deserves appreciation, rightly saying, “Transparency alone may not be enough to restore public confidence, but it’s a great place to start.”<a href="#fnc" name="frc">[c]</a></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a href="http://digitaldueprocess.org/">http://digitaldueprocess.org/</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://bit.ly/151Ue1H">http://bit.ly/151Ue1H</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://bit.ly/12XDb1Z">http://bit.ly/12XDb1Z</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://ti.me/11Xh08V">http://ti.me/11Xh08V</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a href="https://cis-india.org/internet-governance/blog/pil.pdf" class="internal-link">Copy of 2013 PIL to Supreme Court, Prof. S.N. Singh</a> [attached]</p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://bit.ly/1aXWdbU">http://bit.ly/1aXWdbU</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://1.usa.gov/qafcXe">http://1.usa.gov/qafcXe</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://bit.ly/114hcCX">http://bit.ly/114hcCX</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="http://bit.ly/156wspI">http://bit.ly/156wspI</a></p>
<hr />
<p>[<a href="#fra" name="fna">a</a>]. <b>Facebook Statement</b>: <a class="external-link" href="http://bit.ly/ZQDcn6">http://bit.ly/ZQDcn6</a></p>
<p>[<a href="#frb" name="fnb">b</a>]. <b>Apple Statement</b>: <a class="external-link" href="http://bit.ly/1akaBuN">http://bit.ly/1akaBuN</a></p>
<p>[<a href="#frc" name="fnc">c</a>]. <b>Microsoft Statement</b>:<a class="external-link" href="http://bit.ly/1bFIt31">http://bit.ly/1bFIt31</a></p>
<p>[<a href="#frd" name="fnd">d</a>]. <b>Google Statement</b>: <a class="external-link" href="http://bit.ly/16QlaqB">http://bit.ly/16QlaqB</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance'>https://cis-india.org/internet-governance/blog/the-difficult-balance-of-transparent-surveillance</a>
</p>
No publisherkoveySAFEGUARDSInternet GovernancePrivacy2013-07-15T04:23:35ZBlog EntrySummary of the CIS workshop on the Draft Human DNA Profiling Bill 2012
https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012
<b>On March 1st, 2013, the Centre for Internet and Society organized a workshop which analysed the April 2012 draft Human DNA Profiling Bill and its potential implications on human rights in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p>Think you control who has access to your DNA data? That might just be a myth of the past. Today, clearly things have changed, as draft Bills with the objective of creating state, regional, and national DNA databases in India have been leaked over the last years. Plans of profiling certain residents in India are being unravelled as, apparently, the new policy when collecting, handling, analysing, sharing and storing DNA data is that all personal information is welcome; the more, the merrier!<span> </span></p>
<p>Who is behind all of this? The Centre for DNA Fingerprinting and Diagnostics in India created the 2007 draft DNA Profiling Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn1">[1]</a>, with the aim of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked which was created by the Department of Biotechnology. The most recent version of the Bill was drafted in April 2012 and seeks to create DNA databases at the state, regional and national level in India<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn2">[2]</a>. According to the latest 2012 draft Human DNA Profiling Bill, each DNA database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of identification in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and a DNA Profiling Board for overseeing the carrying out of the Act.</p>
<p>However, the 2012 draft Human DNA Profiling Bill lacks adequate safeguards and its various loopholes and overreaching provisions could create a potential for abuse. The creation of DNA databases is currently unregulated in India and although regulations should be enacted to prevent data breaches, the current Bill raises major concerns in regards to the collection, use, analysis and retention of DNA samples, DNA data and DNA profiles. In other words, the proposed DNA databases would not only be restricted to criminals…</p>
<h2><b>DNA databases...and Justice for All?</b></h2>
<p><img src="http://farm8.staticflickr.com/7197/6959954129_fefd0f928a.jpg" /></p>
<p class="italized">Source: <span> </span><a href="http://www.flickr.com/photos/libertasacademica/">Libertas Academica</a> on flickr</p>
<p class="italized"><a class="external-link" href="http://dnaphenomena.blogspot.in/2011/05/dna-profiling.html"></a>Du<span>ring the workshop </span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn3">[3]</a><span>on the 2012 draft Human DNA Profiling Bill, DNA</span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn4">[4]</a><span> was defined as a material that determines a persons´ hereditary traits, whilst DNA profiling</span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn5">[5]</a><span> was defined as the processing and analysis of unique sequences of parts of DNA. Thus the uniqueness of DNA data is clear and the implications that could potentially occur through its profiling could be tremendous. The 2007 DNA Profiling Bill has been amended, yet its current 2012 version appears not only to be more intrusive, but to also be extremely vague in terms of protecting data, whilst very deterministic in regards to the DNA Profiling Board´s power. A central question in the meeting was:</span></p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p><i> </i></p>
<p>The following concerns were raised and discussed during the workshop:</p>
<h3>● The myth of the infallibility of DNA evidence</h3>
<p>The Innocence Project<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn6">[6]</a>, which was presented at the workshop, appears to provide an appeal towards the storage of DNA samples and profiles, as it represents clients seeking post-conviction DNA testing to prove their innocence. According to statistics presented at the workshop, there have been 303 post-conviction exonerations in the United States, as a result of individuals proving their innocence through DNA testing. Though post-conviction exonerations can be useful, they cannot be the basis and main justification for creating DNA databases. Although DNA testing could enable post-conviction exonerations, errors in matching data remain a high probability and could result in innocent people being accused, arrested and prosecuted for crimes they did not commit. Thus, arguments towards the necessity and utility of the creation of DNA databases in India appear to be weak, especially since DNA evidence is <i>not </i>infallible<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn7">[7]</a>.</p>
<p>False matches can occur based on the type of profiling system used, and errors can take place in the chain of custody of the DNA sample, all of which indicate the weakness of DNA evidence being used. DNA data only provides<i> probabilities</i> of potential matches between DNA profiles and the larger the amount of DNA data collected, the larger the probability of an error in matching profiles<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn8">[8]</a>.</p>
<h3>● <b>The non-criteria of DNA data collection</b></h3>
<p>How and when can DNA data be collected? The amended draft 2012 Bill remains extremely vague and broad. In particular, the Bill states that <i>all</i> offences under the Indian Penal Code and other laws, such as the Immoral Traffic (Prevention) Act, 1956, are applicable instances of human DNA profiling. Section B(viii) of the Schedule states that human DNA profiling will be applicable for offences under <i>´any other law as may be specified by the regulations made by the Board´</i>. This incredibly vague section empowers the DNA Profiling Board with the ultimate power to decide upon the offences under which DNA data will be collected. The issue is this: most laws have loopholes. A Bill which lists applicable instances of human DNA profiling, under the umbrella of a potentially indefinite number of laws, exposes individuals to the collection of their DNA data, which could lead to potential abuse.</p>
<h3>● <b>The DNA Profiling Board´s power</b></h3>
<p>The DNA Profiling Board has ´absolute´ power, especially according to the 2012 draft Human DNA Profiling Bill. Some of the Board´s functions include providing recommendations for provision of privacy protection laws, regulations and practices relating to access to, or use of, stored DNA samples or DNA analyses<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn9">[9]</a>. The Board is also required to advise on all ethical and human rights issues, as well as to take ´necessary steps´ to protect privacy. However, it remains unclear how a Board which lacks human rights expertise will carry out such tasks.</p>
<p><b>No human rights experts</b></p>
<p><b> </b></p>
<p>Despite the various amendments<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn10">[10]</a> to the section on the composition of the Board, no privacy or human rights experts have been included. According to the Bill, the Board will be comprised of many molecular biologists and other scientists, while human rights experts have not been included to the list. This can potentially be problematic as a lack of expertise on privacy and human rights laws can lead to the regulation of DNA databases without taking civil liberties into consideration.</p>
<p><b>Vague authorisation for communication of DNA profiles</b></p>
<p><b> </b></p>
<p>The Bill also empowers the Board to ´authorise procedures for communication of DNA profiles for<i> civil proceedings</i> and for crime investigation by law enforcement and <i>other agencies</i>´<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn11">[11]</a>. Although the 2007 Bill <a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn12">[12]</a>restricted the Boards´ authorisation to crime investigation by law enforcement agencies, its 2012 amendment extends such authorisation to ´civil proceedings´ which can also be carried out by so-called ´other agencies´.<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn13">[13]</a> This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ remain vague.</p>
<p><b>Protecting the public</b></p>
<p><b> </b></p>
<p>The Board is also authorised to ´assist law enforcement agencies in using DNA techniques to protect the public´<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn14">[14]</a>. Over the last years, laws are being enacted that enable law enforcement agencies to use technologies for surveillance purposes in the name of ´public security´, and the 2012 draft Bill is no exception. Many security measures have been applied to ´protect the public´, such as CCTV cameras and other technologies, but their actual contribution to public safety still remains a controversial debate<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn15">[15]</a>. DNA techniques which would effectively protect the public have not been adequately proven, thus it remains unclear how the Board would assist law enforcement agencies.</p>
<p><b>Sharing data with international agencies…and regulating DNA laboratories</b></p>
<p>In addition to the above, the Board would also encourage cooperation between Indian investigation agencies and international agencies<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn16">[16]</a>. This would potentially enable the sharing of DNA data between third parties and would enhance the probability of data being leaked to unauthorised third parties.</p>
<p>The Board would <i>also </i>be authorised to regulate the standards, quality control and quality assurance obligations of the DNA laboratories<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn17">[17]</a>. The draft 2012 Bill ultimately gives <i>monopolistic control</i> to the DNA Profiling Board over<i> all</i> the procedures related to the handling of DNA data!</p>
<h3>● <b>The DNA Data Bank Manager</b></h3>
<p>According to the 2012 draft Human DNA Profiling Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn18">[18]</a>, it is the DNA Data Bank Manager who would carry out ´all operations of and concerning the National DNA Data Bank´. All such operations are not clearly specified. The powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.</p>
<p>The Bill also empowers the Manager to determine appropriate instances for the communication of information<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn19">[19]</a>. In other words, law enforcement agencies and DNA laboratories can request the disclosure of information from the DNA Data Bank Manager, without prior authorisation. The DNA Data Bank Manager is empowered to decide the requested data.</p>
<p><span> </span></p>
<ul>
<li><span>DNA access restrictions</span></li>
</ul>
<p> </p>
<p><span> </span><span>Are you a victim or a cleared suspect? You better be, if you want access to your data to be restricted! The 2012 draft Human DNA Profiling Bill </span><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn20">[20]</a><span>states that access to information will be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect. The Bill is unclear as to how access to the data of non-victims or suspects is regulated.</span></p>
<h3>● Availability of DNA profiles and DNA samples</h3>
<p>According to the amended draft 2012 Bill<a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftn21">[21]</a>, DNA profiles and samples can be made available in criminal cases, judicial proceedings and for defence purposes among others. However, ´criminal cases´ are loosely defined and could enable the availability of DNA data in low profile cases. Furthermore, the availability of DNA data is also enabled for the ´creation and maintenance of a<i> population statistics database</i>´. This is controversial because it remains unclear how such a database would be used.</p>
<h3>● Data destruction</h3>
<p>According to an amendment to section 37, DNA data will be kept on a ´permanent basis´ and the DNA Data Bank Manager will expunge a DNA profile only once the court has certified that an individual is no longer a suspect. This raises major concerns, as it does not clarify under what conditions individuals can have access to their data during its retention, nor does it give volunteers and missing persons the opportunity to have their data deleted from the data bank.</p>
<h2>Workshop conclusions</h2>
<p><img src="http://farm4.staticflickr.com/3235/3080247531_bf04a5cbe5.jpg" /></p>
<p>Source: <span> </span><a href="http://www.flickr.com/photos/micahb37/">micahb37</a> on flickr</p>
<p>The various loopholes in the Bill which can create a potential for abuse were discussed throughout the workshop, as well as various issues revolving around DNA data retention, as previously mentioned.<span> </span></p>
<p>During the workshop, some participants questioned the creation of DNA databases to begin with, while others argued that they are inevitable and that it is not a question of whether they should exist, but rather a question of how they should be regulated. All participants agreed upon the need for further safeguards to protect individuals´ right to privacy and other human rights. Further research on the necessity and utility of the creation of DNA databases in regards to human rights was recommended. In addition to all the above, the Ministry of Law and Justice was recommended to pilot the draft DNA Profiling Bill to ensure better provisions in regards to privacy and data protection.</p>
<p>A debate on the use of DNA data in civil cases versus criminal cases was largely discussed in the workshop, with concerns raised in regards to DNA sampling being enabled in civil cases. The fact that the terms ´civil cases´ and ´criminal cases´ remain broad, vague and not legally-specified, raised huge concerns in the workshop as this could enable the misuse of DNA data by authorities. Thus, the members attending the workshop recommended the creation of two separate Bills regulating the use of DNA data: a DNA Profiling Bill for Criminal Investigation and a DNA Profiling Bill for Research. The creation of such Bills would restrict the access to, collection, analysis, sharing of and retention of DNA data to strictly criminal investigation and research purposes.</p>
<p>However, even if separate Bills were created, who is to say that when implemented DNA in the database would not be abused? Criminal investigations can be loosely defined and research purposes can potentially cover anything and everything. So the question remains:</p>
<blockquote class="italized"><i>Should DNA databases be created at all? </i></blockquote>
<p><br clear="all" /></p>
<hr align="left" size="1" width="33%" />
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref1">[1]</a> Draft DNA Profiling Bill 2007, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref2">[2]</a> Human DNA Profiling Bill 2012: Working draft versión – 29th April 2012,</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref3">[3]</a> Centre for Internet and Society, <i>Analyzing the Draft Human DNA Profiling Bill 2012, </i>25 February 2013, <a href="https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill">http://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref4">[4]</a> Genetics Home Reference: Your Guide to Understanding Genetic Conditions, <i>What is DNA?, </i><a href="http://ghr.nlm.nih.gov/handbook/basics/dna"><i>http://ghr.nlm.nih.gov/handbook/basics/dna</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref5">[5]</a> Shanna Freeman, <i>How DNA profiling Works, </i><a href="http://science.howstuffworks.com/dna-profiling.htm"><i>http://science.howstuffworks.com/dna-profiling.htm</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref6">[6]</a> Innocence Project, <i>DNA exoneree case profiles, </i><a href="http://www.innocenceproject.org/know/"><i>http://www.innocenceproject.org/know/</i></a><i> </i></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref7">[7]</a> Australian Law Reform Commission (ALRC), <i>Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96), </i>´Criminal Proceedings: Reliability of DNA evidence´, Chapter 44, <a href="http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence">http://www.alrc.gov.au/publications/44-criminal-proceedings/reliability-dna-evidence</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref8">[8]</a> Ibid.</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref9">[9]</a> Human DNA Profiling Bill 2012: Working draft version – 29th April 2012, Section 12(o, p, t), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref10">[10]</a> Ibid: Section 4(q)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref11">[11]</a> Ibid: Section 12(j)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref12">[12]</a> Draft DNA Profiling Bill 2007, Section 13, <a href="http://dbtindia.nic.in/DNA_Bill.pdf">http://dbtindia.nic.in/DNA_Bill.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref13">[13]</a> : Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Sections 12(j), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref14">[14]</a> Ibid: Section 12(l)</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref15">[15]</a> Schneier, B.(2008), <i>Schneier on Security, </i>´CCTV cameras´, <a href="http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html">http://www.schneier.com/blog/archives/2008/06/cctv_cameras.html</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref16">[16]</a> Human DNA Profiling Bill 2012: Working draft version – 29<sup>th</sup> April 2012, Sections 12(u) and 12(v), <a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf">http://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf</a></p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref17">[17]</a> Ibid: Section on the ´Standards, Quality Control and Quality Assurance Obligations of DNA Laboratories´</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref18">[18]</a> Ibid: Section 33</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref19">[19]</a> Ibid: Section 35</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref20">[20]</a> Ibid: Section 43</p>
<p><a href="file:///C:/Users/Owner/Documents/Documents/CIS%20blog%20on%20DNA%20Bills.docx#_ftnref21">[21]</a> Ibid: Section 40</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012'>https://cis-india.org/internet-governance/blog/summary-of-cis-workshop-on-dna-profiling-bill-2012</a>
</p>
No publishermariaWorkshopInternet GovernanceSAFEGUARDS2013-07-12T15:33:25ZBlog EntryState Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a><a href="http://necessaryandproportionate.net/">.</a></p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute. <b> </b></p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.<b> </b></p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes. <b> </b></p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority. <b> </b></p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose. <b> </b></p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.<b> </b></p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information. <b> </b></p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The governments ability to survey communications and the process for surveillance should be transparent to the public. <b> </b></p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications. <b> </b></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.<b> </b></p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply. <b> </b></p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications. <b> </b></p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; "><a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisherelonnaiInternet GovernanceSAFEGUARDS2013-07-12T16:02:51ZBlog EntrySpy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry
https://cis-india.org/internet-governance/blog/spy-files-three
<b>In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights. </b>
<p align="JUSTIFY">Last month, WikiLeaks released <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html">“</a><a href="http://wikileaks.org/spyfiles3.html">Spy</a><a href="http://wikileaks.org/spyfiles3.html"> </a><a href="http://wikileaks.org/spyfiles3.html">Files</a><a href="http://wikileaks.org/spyfiles3.html"> 3”</a></span>, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.</p>
<h2><b>So what do the latest Spy Files reveal about India?</b></h2>
<p align="JUSTIFY">When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">India</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">is</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">once</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">again</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">on</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">the</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">list</a></span> with some of the most controversial spyware.</p>
<h3><b>ISS World Surveillance Trade Shows</b></h3>
<p align="JUSTIFY">The latest Spy Files include a <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">of</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">the</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013</a></span> -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_ap/">This</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">years</a><a href="http://www.issworldtraining.com/iss_ap/">’ </a><a href="http://www.issworldtraining.com/iss_ap/">ISS</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">World</a><a href="http://www.issworldtraining.com/iss_ap/"> </a><a href="http://www.issworldtraining.com/iss_ap/">Asia</a></span> will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The<span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">leaked</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013 </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a></span> entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.</p>
<p align="JUSTIFY">The following table lists the <a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"><i><span style="text-decoration: underline;">Indian</span></i></a><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">attendees</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">at</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">years</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a></span>:</p>
<table class="plain">
<tbody>
<tr>
<th>
<p align="JUSTIFY"><span><span><b>Law Enforcement, Defense and Interior Security Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>Telecom Operators and Private Enterprises Attendees</b></span></span></p>
</th><th>
<p align="JUSTIFY"><span><span><b>ISS Vendors and Technology Integrators Attendees</b></span></span></p>
</th>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Andhra Pradesh India Police</span></span></span></p>
</td>
<td>
<p align="JUSTIFY">BT</p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>AGC Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>CBI Academy</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Cogence Investment Bank</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Aqsacom India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Government of India, Telecom Department</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>India Reliance Communications</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>ClearTrail Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Cabinet Secretariat</span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Span Telecom Pvt. Ldt. </span></span></span></p>
</td>
<td>
<p align="JUSTIFY"><span><span><span>Foundation Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Centre for Development of Telematics (C-DOT)</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY">Kommlabs</p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Chandigarh Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Paladion Networks</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Defence Agency</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polaris Wireless</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India General Police</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Polixel Security Systems</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Intelligence Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Pyramid Cyber Security</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India National Institute of Criminology</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Schleicher Group</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India office LOKAYUKTA NCT DELHI</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Span Technologies</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Police Department, A.P.</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>TATA India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>India Tamil Nadu Police Department</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Tata Consultancy Services</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Police Service, Vigilance</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Telecommunications India</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>Indian Telecommunications Authority</span></span></span></p>
</td>
<td></td>
<td>
<p align="JUSTIFY"><span><span><span>Vehere Interactive</span></span></span></p>
</td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>NTRO India</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="JUSTIFY"><span><span><span>SAIC Indian Tamil Nadu Police</span></span></span></p>
</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th> 17 4 15<br /></th>
</tr>
</tbody>
</table>
<p align="JUSTIFY">According to the above table - which is based on data from the <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">WikiLeaks</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> 2013 </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">brochure</a></span>- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.</p>
<p align="JUSTIFY">In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.</p>
<h3><b>ClearTrail Technologies</b></h3>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.clear-trail.com/">ClearTrail</a><a href="http://www.clear-trail.com/"> </a><a href="http://www.clear-trail.com/">Technologies</a></span> is an Indian company based in Indore. The document titled <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Internet</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Monitoring</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Suite</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a></span> from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:</p>
<p align="JUSTIFY"><b>1. ComTrail: Mass Monitoring of IP and Voice Networks</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.</p>
<p align="JUSTIFY">ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.</p>
<p align="JUSTIFY">Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.</p>
<p align="JUSTIFY">In short, ComTrail’s key features include the following:</p>
<p align="JUSTIFY">- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links</p>
<p align="JUSTIFY">- Doubles up as Targeted Monitoring System</p>
<p align="JUSTIFY">- On demand data retention, capacity exceeding several years</p>
<p align="JUSTIFY">- Instant Analysis across thousands of Terabytes</p>
<p align="JUSTIFY">- Correlates Identities across multiple networks</p>
<p align="JUSTIFY">- Speaker Recognition and Target Location</p>
<p align="JUSTIFY"><b>2. xTrail: Targeted IP Monitoring</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">xTrail</span></a> is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.</p>
<p align="JUSTIFY">Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.</p>
<p align="JUSTIFY">In short, xTrail’s key features include the following:</p>
<p align="JUSTIFY">- Pure passive probe</p>
<p align="JUSTIFY">- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways</p>
<p align="JUSTIFY">- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic</p>
<p align="JUSTIFY">- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location</p>
<p align="JUSTIFY">- Huge data retention, rich analysis interface and tamper proof court evidence</p>
<p align="JUSTIFY">- Easily integrates with any existing centralized monitoring system for extended coverage</p>
<p align="JUSTIFY"><b>3. QuickTrail: Tactical Wi-Fi Monitoring</b></p>
<p align="JUSTIFY">Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.</p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.</p>
<p align="JUSTIFY">According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.</p>
<p align="JUSTIFY">In short, QuickTrail’s key features include the following:</p>
<p align="JUSTIFY">- Conveniently housed in a laptop computer</p>
<p align="JUSTIFY">- Intercepts Wi-Fi and wired LANs in five different ways</p>
<p align="JUSTIFY">- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks</p>
<p align="JUSTIFY">- Deploys spyware into a target’s machine</p>
<p align="JUSTIFY">- Monitor’s Gmail, Yahoo and all other HTTPS-based communications</p>
<p align="JUSTIFY">- Reconstructs webmails, chats, VoIP calls, news groups and social networks</p>
<p align="JUSTIFY"><b>4. mTrail: Off-The-Air Interception</b></p>
<p align="JUSTIFY"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.</p>
<p align="JUSTIFY">The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.</p>
<p align="JUSTIFY">Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.</p>
<p align="JUSTIFY">In short, mTrail’s key features include the following:</p>
<p align="JUSTIFY">- Designed for passive interception of GSM communications</p>
<p align="JUSTIFY">- Intercepts Voice and SMS “off-the-air”</p>
<p align="JUSTIFY">- Detects the location of the target</p>
<p align="JUSTIFY">- Can be deployed as a fixed unit or mounted in a surveillance van</p>
<p align="JUSTIFY">- No support required from GSM operator</p>
<p align="JUSTIFY"><b>5. Astra: Remote Monitoring and Infection framework</b></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a></span> is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.</p>
<p align="JUSTIFY">The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment <i>without</i> requiring any physical access to the target device.</p>
<p align="JUSTIFY">In particular, Astra can push bot to <i>any</i> targeted machine sharing the <i>same</i> LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.</p>
<p align="JUSTIFY">Astra’s key features include the following:</p>
<p align="JUSTIFY">- Proactive intelligence gathering</p>
<p align="JUSTIFY">- End-to-end remote infection and monitoring framework</p>
<p align="JUSTIFY">- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots</p>
<p align="JUSTIFY">- Designed for centralized management of thousands of targets</p>
<p align="JUSTIFY">- A wide range of deployment mechanisms to optimize success ration</p>
<p align="JUSTIFY">- Non-traceable, non-detectable delivery mechanism</p>
<p align="JUSTIFY">- Intrusive yet stealthy</p>
<p align="JUSTIFY">- Easy interface for handling most complex tasks</p>
<p align="JUSTIFY">- Successfully tested over the current top 10 anti-virus available in the market</p>
<p align="JUSTIFY">- No third party dependencies</p>
<p align="JUSTIFY">- Free from any back-door intervention</p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Technologies</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">argue</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">that</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">they</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">meet</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">lawful</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">interception</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">regulatory</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">requirements</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a></span>across the globe. In particular, they claim that their products are compliant with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA</a><a href="http://cryptome.org/laes/calea-require.pdf"> </a><a href="http://cryptome.org/laes/calea-require.pdf">regulations</a></span> and that they are efficient to cater to region specific requirements as well.</p>
<p align="JUSTIFY">The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Telesoft</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">Technologies</a></span>, <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf">AGT</a><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/AGTINTERNATIONAL-2011-UrbaManaSolu-fr.pdf">International</a></span> and <span style="text-decoration: underline;"><a href="http://wikileaks.org/spyfiles3.html#an1">Verint</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">Systems</a></span>. In particular, <span style="text-decoration: underline;"><a href="http://verint.com/">Verint</a><a href="http://verint.com/"> </a><a href="http://verint.com/">Systems</a></span> has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:</p>
<p align="JUSTIFY">- Impact 360 Speech Analytics</p>
<p align="JUSTIFY">- Impact 360 Text Analytics</p>
<p align="JUSTIFY">- Nextiva Video Management Software (VMS)</p>
<p align="JUSTIFY">- Nextiva Physical Security Information Management (PSIM)</p>
<p align="JUSTIFY">- Nextiva Network Video Recorders (NVRs)</p>
<p align="JUSTIFY">- Nextiva Video Business Intelligence (VBI)</p>
<p align="JUSTIFY">- Nextiva Surveillance Analytics</p>
<p align="JUSTIFY">- Nextiva IP cameras</p>
<p align="JUSTIFY">- CYBERVISION Network Security</p>
<p align="JUSTIFY">- ENGAGE suite</p>
<p align="JUSTIFY">- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)</p>
<p align="JUSTIFY">- RELIANT</p>
<p align="JUSTIFY">- STAR-GATE</p>
<p>- VANTAGE</p>
<p align="JUSTIFY">While <span style="text-decoration: underline;"><a href="http://verint.com/">Verint</a><a href="http://verint.com/"> </a><a href="http://verint.com/">Systems</a></span> claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, <span style="text-decoration: underline;"><a href="http://www.issworldtraining.com/iss_europe/">Verint</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">Systems</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">has</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">participated</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">in</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">ISS</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">World</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">Trade</a><a href="http://www.issworldtraining.com/iss_europe/"> </a><a href="http://www.issworldtraining.com/iss_europe/">shows</a></span> which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.</p>
<h2><b>And what do the latest Spy Files mean for India?</b></h2>
<p align="JUSTIFY">Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:</p>
<p align="JUSTIFY">1. The Central Monitoring System (CMS)</p>
<p align="JUSTIFY">2. Is any of this surveillance even legal in India?</p>
<p align="JUSTIFY">3. Can such surveillance result in the violation of human rights?</p>
<h3><b>Spy Files 3...and the Central Monitoring System (CMS)</b></h3>
<p align="JUSTIFY">Following the <a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">Mumbai</a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html"> 2008 </a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">terrorist</a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html"> </a><a href="http://www.noeman.org/gsm/hindi/71159-26-november-2008-mumbai-terrorist-attacks.html">attacks</a>, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the <a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Central</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">Monitoring</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">System</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> (</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">)</a>. As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to<b> </b><span>install the gear which enables law enforcement agencies to carry</span> out the Central Monitoring System under the <a href="http://www.dot.gov.in/licensing/access-services">Unified</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Access</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Services</a><a href="http://www.dot.gov.in/licensing/access-services"> (</a><a href="http://www.dot.gov.in/licensing/access-services">UAS</a><a href="http://www.dot.gov.in/licensing/access-services">) </a><a href="http://www.dot.gov.in/licensing/access-services">License</a><a href="http://www.dot.gov.in/licensing/access-services"> </a><a href="http://www.dot.gov.in/licensing/access-services">Agreement</a>.</p>
<p align="JUSTIFY">The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is <span style="text-decoration: underline;"><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">Rs</a><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">. 4 </a><a href="http://www.ciol.com/ciol/news/184770/governments-central-monitoring-system-operational-soon">billion</a></span>. In addition to <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">equipping</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">government</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a></span>with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements<span style="text-decoration: underline;"><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">regional</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Internet</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Monitoring</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Systems</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">, </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">such</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">as</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">that</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">of</a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf"> </a><a href="http://www.assampolice.gov.in/tenders/20092012/EOI_IMS_20092012.pdf">Assam</a></span>, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.</p>
<p align="JUSTIFY">However, data monitored and collected through the CMS will be stored in a<span style="text-decoration: underline;"><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access"> </a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access">centralised</a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access"> </a><a href="http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/130509/india-central-monitoring-system-government-internet-access">database</a></span>, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">bigger</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">amount</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">of</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">data</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">, </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">bigger</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">probability</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">of</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">an</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">error</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">in</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">matching</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">profiles</a></span>, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">regarding</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">the</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">CMS</a></span> mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.</p>
<p align="JUSTIFY">Interestingly enough, Indian law enforcement agencies which attended <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">last</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">years</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">’ </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">ISS</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">World</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">trade</a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/ISS-2013-Sche2013-en.pdf">shows</a></span> are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the <span style="text-decoration: underline;"><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">agencies</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">which</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">will</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">have</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">access</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">to</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">the</a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system"> </a><a href="https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system">CMS</a></span>: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.</p>
<p align="JUSTIFY">Furthermore, Spy Files 3 entail a <a href="http://wikileaks.org/spyfiles3.html#an1">list</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">of</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">last</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">years</a><a href="http://wikileaks.org/spyfiles3.html#an1">’ </a><a href="http://wikileaks.org/spyfiles3.html#an1">ISS</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">World</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">security</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">company</a><a href="http://wikileaks.org/spyfiles3.html#an1"> </a><a href="http://wikileaks.org/spyfiles3.html#an1">attendees</a>, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">solutions</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">for</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">targeted</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">and</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">mass</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">monitoring</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">of</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">IP</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">and</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">voice</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">networks</a>, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.</p>
<p align="JUSTIFY">In fact, ClearTrail states in its brochure that its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ComTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">product</a> is equipped to handle millions of communications per day, while its <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">product</a> can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">” </a>is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is <i>not </i>equipping the CMS? <span>And what are the odds that such technology is </span><i><span>not</span></i><span> being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?</span></p>
<h3><b>Spy Files 3...and the legality of India’s surveillance technologies</b></h3>
<p align="JUSTIFY">ClearTrail Technologies’ <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">brochure</span></a> -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with <a href="http://www.etsi.org/technologies-clusters/technologies/regulation-legislation"><span style="text-decoration: underline;">ETSI</span></a> and <span style="text-decoration: underline;"><a href="http://cryptome.org/laes/calea-require.pdf">CALEA</a><a href="http://cryptome.org/laes/calea-require.pdf"> </a><a href="http://cryptome.org/laes/calea-require.pdf">regulations</a></span>. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply <i>within</i> India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.</p>
<p align="JUSTIFY">India has five laws which regulate surveillance:</p>
<p align="JUSTIFY">1. The <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a></span>, 1885</p>
<p align="JUSTIFY">2. The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Office</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a></span>, 1898</p>
<p align="JUSTIFY">3. The <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a></span>, 1933</p>
<p align="JUSTIFY">4. The <span style="text-decoration: underline;"><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Code</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">of</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Criminal</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> </a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">Procedure</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm"> (</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">CrPc</a><a href="http://www.delhidistrictcourts.nic.in/CrPC.htm">)</a></span>, 1973: Section 91</p>
<p align="JUSTIFY">5. The <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a></span>, 2008</p>
<p align="JUSTIFY">The <span style="text-decoration: underline;"><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Indian</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Post</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Offices</a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf"> </a><a href="http://www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf">Act</a></span> does not cover electronic communications and the <span style="text-decoration: underline;"><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Indian</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Wireless</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Telegraphy</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf">Act</a><a href="http://tdsat.nic.in/New%20Compendium19.11.2008/TD%20Set%20Vol-1%20PDF/53-58.pdf"> </a></span>lacks procedures which would determine if surveillance should be targeted or not. Neither the <span style="text-decoration: underline;"><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a></span> nor the <span style="text-decoration: underline;"><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> (</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Amendment</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">) </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a></span> cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.</p>
<p align="JUSTIFY">The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">public</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">emergency</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">or</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">for</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">public</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">safety</a>. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.</p>
<p align="JUSTIFY">The interception of Internet communications is mainly covered by the <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">2009 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Rules</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">under</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">the</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Information</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Technology</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Act</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 2008 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">and</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">Sections</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 69 </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">and</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> 69</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">B</a> are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.</p>
<p align="JUSTIFY">While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the <i>mass</i> surveillance of communications. In other words, ClearTrail’s products, such as <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a>, which enable the mass interception of IP networks, lack legal backing. However, the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Unified</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Access</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Services</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> (</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">) </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a></span> regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.</p>
<p align="JUSTIFY">Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">even</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">without</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">a</a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0"> </a><a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_r=0">warrant</a>, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> product.</p>
<p align="JUSTIFY"><span>More importantly, following <a class="external-link" href="http://www.financialexpress.com/news/states-begin-to-surrender-offair-phone-snooping-equipment/957859">allegations</a> that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a <a class="external-link" href="http://m.indianexpress.com/news/state-govts-hand-over-few-offair-phonetapping-sets-to-centre/1185166/">compete ban on use of such equipment</a> and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it. </span></p>
<p align="JUSTIFY">ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">“</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">Astra</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">”</a> product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such <a href="http://www.dot.gov.in/licensing/access-services"><span style="text-decoration: underline;">licenses</span></a> mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> is technically legal or not. The <a class="external-link" href="http://www.auspi.in/policies/UASL.pdf">UAS License agreement</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a>mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.</p>
<p align="JUSTIFY">The issue of data retention arises from <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">leaked</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">brochure</a>. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.</p>
<p align="JUSTIFY"><a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 7 of the Information Technology (Amendment) Act, 2008</a>, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.</p>
<p align="JUSTIFY">Data retention requirements for service providers are included in the <a href="https://cis-india.org/internet-governance/blog/data-retention-in-india" class="external-link">ISP and UASL licenses</a> and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.</p>
<p align="JUSTIFY">India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">spy</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">products</a></span> are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the <span style="text-decoration: underline;"><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">agreement</a></span> regarding the Central Monitoring System.</p>
<p align="JUSTIFY">In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the <a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">UAS</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">License</a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf"> </a><a href="http://www.dot.gov.in/sites/default/files/DOC231013-004.pdf">Agreement</a> mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while <a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">India</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">’</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">s</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Telegraph</a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf"> </a><a href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Act</a>, <a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Technology</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Act</a><a href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf"> </a>and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.</p>
<p align="JUSTIFY">One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to <span style="text-decoration: underline;"><a href="http://www.outlookindia.com/article.aspx?265192">Saikat</a><a href="http://www.outlookindia.com/article.aspx?265192"> </a><a href="http://www.outlookindia.com/article.aspx?265192">Datta</a></span>, an investigative journalist, a senior privacy telecom official stated:</p>
<blockquote class="italized">“<i>Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?” </i></blockquote>
<p style="text-align: justify; "></p>
<h3><b>Spy Files 3...and human rights in India</b></h3>
<p align="JUSTIFY">The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.</p>
<p align="JUSTIFY">In particular, ClearTrail’s <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ComTrail</span></a> provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">xTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a></span>enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">QuickTrail</span></a> proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.</p>
<p align="JUSTIFY">And indeed, carrying a mobile phone is like carrying a GPS device, especially since <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">mTrail</span></a> provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">are</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">all</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">suspicious</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">until</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">proven</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">innocent</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">. </a></span></p>
<p align="JUSTIFY">And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">Astra</span></a>. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can <i>remotely</i> push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">we</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">should</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">all</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">have</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">something</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">to</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">hide</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">! </a></span></p>
<p align="JUSTIFY"><span style="text-decoration: underline;"><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">Privacy</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">us</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">from</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">abuse</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">from</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">those</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">in</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">power</a><a href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html"> </a></span>and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by <span style="text-decoration: underline;"><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">ClearTrail</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">’</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">s</a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"> </a><a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf">products</a></span> - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.</p>
<p align="JUSTIFY">And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, <span style="text-decoration: underline;"><a href="http://www.timeshighereducation.co.uk/402844.article">a</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">UK</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">student</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">studying</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">Islamic</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">terrorism</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">for</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">his</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">Masters</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">dissertation</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">was</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">detained</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">for</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">six</a><a href="http://www.timeshighereducation.co.uk/402844.article"> </a><a href="http://www.timeshighereducation.co.uk/402844.article">days</a><a href="http://www.timeshighereducation.co.uk/402844.article">.</a></span> The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.</p>
<p align="JUSTIFY">This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.</p>
<p align="JUSTIFY">This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always <span style="text-decoration: underline;"><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">“</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">have</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">something</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">to</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear"> </a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">hide</a><a href="https://www.aclu.org/blog/national-security/you-may-have-nothing-hide-you-still-have-something-fear">”</a></span>, as that is the only way to protect us from abuse by those in power.</p>
<p align="JUSTIFY">In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by <a href="http://www.wikileaks.org/spyfiles/docs/CLEARTRAIL-2011-Intemonisuit-en.pdf"><span style="text-decoration: underline;">ClearTrail</span></a>, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the <a class="external-link" href="https://en.necessaryandproportionate.org/text">International Principles on Communications Surveillance and Human Rights.</a></p>
<p align="JUSTIFY">Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.</p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">This article was <a class="external-link" href="http://www.medianama.com/2013/11/223-spy-files-3-wikileaks-sheds-more-light-on-the-global-surveillance-industry-cis-india/">cross-posted in Medianama </a>on 6th November 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/spy-files-three'>https://cis-india.org/internet-governance/blog/spy-files-three</a>
</p>
No publishermariaPrivacyInternet GovernanceSAFEGUARDSFeaturedHomepage2013-11-14T16:21:00ZBlog EntrySEBI and Communication Surveillance: New Rules, New Responsibilities?
https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance
<b>In this blog post, Kovey Coles writes about the activities of the Securities Exchange Board of India (SEBI), discusses the importance of call data records (CDRs), and throws light on the significant transition in governmental leniency towards access to private records.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<h3>Introduction</h3>
<p style="text-align: justify; ">The Securities Exchange Board of India (SEBI) is the country’s securities and market regulator, an investigation agency which seeks to combat market offenses such as insider trading. SEBI has received much media attention this month regarding its recent expansion of authority; the agency is reportedly on track to be granted powers to access telecom companies’ CDRs. These CDRs are kept by telecommunication companies for billing purposes, and contain information on who sent a call, who received a call, and how long the call lasted, but does not disclose information about call content. Although SEBI has emphatically sought several new investigative powers since 2009 (including access to CDRs, surveillance of email, and monitoring of social media), India’s Ministry of Finance only recently endorsed SEBI’s plea for direct access to service providers’ CDRs. In SEBI’s founding legislation, this capability is not mentioned. Very recently, however, the Ministry of Finance has decided to support expansion of current legislation in regards to CDR access for SEBI, the Reserve Bank of India (RBI), and potentially other agencies, when it comes to prevention of money laundering and other economic offenses.</p>
<h3 style="text-align: justify; ">SEBI’s Authority (Until Now)</h3>
<p style="text-align: justify; ">Established in 1992 under the Securities and Exchange Board of India Act, SEBI was created with the power of "registering and regulating the working of… [individuals] and intermediaries who may be associated with securities markets in any manner."<a href="#fn1" name="fr1">[1]</a> Its powers have included "calling for information from, undertaking inspection, conducting inquires and audits of the intermediaries and self-regulatory organisations in the securities market."<a href="#fn2" name="fr2">[2]</a> Although the agency has held the responsibility to investigate records on market activity, they have never explicitly enjoyed a right to CDRs or other communications data. Now, with the intention of “meeting new challenges thrown forward by the technological and market advances,”<a href="#fn3" name="fr3">[3]</a> SEBI and the Ministry of Finance want to extend their record keeping scope and investigative powers to include CDR access, a form of communications surveillance.</p>
<p>But the ultimate question is whether agencies like SEBI need this type of easy access to records of communication.</p>
<h3>What is the Importance of CDR Access?</h3>
<p style="text-align: justify; ">Reports on SEBI’s recent expansion are quick to ensure that the agency is not looking for phone-tapping rights, which intercepts messages within telephonic calls, but instead only seeks call records. CDRs, in effect, are “metadata,” a sort of information about information. In this case, it is data about communications, but it is not the communications themselves. Currently, there a total of nine agencies which are able to make actual phone-tapping requests in India. But when it comes to access of CDRs, the government seems much more generous in expanding powers of existing agencies. SEBI, as well as RBI and others, are all looking to be upgraded in their authority over CDRs. Experts argue, however, that "metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection."<a href="#fn4" name="fr4">[4]</a> Therefore, a second crucial question is whether this sensitive CDR data will feature the same detail of protection and safeguards which exist for communication interception.</p>
<p style="text-align: justify; ">One reason for the recent move in CDR access is that SEBI and RBI have found the process of obtaining CDRs too arduous and ill-defined.<a href="#fn5" name="fr5">[5]</a> Currently, under section 92 of the CrPc, Magistrates and Commissioners of Police can request a CDR only with an official corresponding first information report (FIR), while there exists no explicit guideline for SEBI’s role in the process of CDR acquisition.<a href="#fn6" name="fr6">[6]</a> Although the government may seek to relax this procedure, SEBI’s founding legislation prohibits investigation without the pretense of “reasonable grounds," as stipulated in section 11C of the SEBI Act.<a href="#fn7" name="fr7">[7]</a> It has always stood that only under these reasonable grounds could SEBI begin inspection of an intermediary’s "books, registers, and other documents."<a href="#fn7" name="fr7">[7] </a>With the government creating a way for SEBI and similar agencies to circumvent the traditional procedures for access to CDRs, these new standards should incorporate safeguards to ensure the protection of individual privacy. Banking companies, financial institutions, and intermediaries have already been obliged to maintain extensive record keeping of transactions, clients, and other financial data under section 12 of the Prevention of Money-Laundering Act of 2002.<a href="#fn8" name="fr8">[8] </a>But books and records containing financial data differ greatly from communication data, which can include much more personal information and therefore may compromise individuals’ freedom of speech and expression, as well as the right to privacy.</p>
<h3 style="text-align: justify; ">Significance and Responsibility in this Decision</h3>
<p style="text-align: justify; ">Judging from SEBI’s prior capabilities of inspection and inquiry, this change may initially seem only a minor expansion of power for the agency, but it actually represents a significant transition in governmental leniency toward access to private records. As mentioned, the recent goal of the Ministry of Finance to extend rights to CDRs is resulting in amended powers for more agencies than only SEBI. Moreover, this power expansion comes on the heels of controversy surrounding America’s National Security Agency (NSA) amassing millions of CDRs and other datasets both domestically and internationally. There is obvious room for concern over Indian citizen’s call records being made more easily accessible, with fewer checks and balances in place. The benefits of the new policy include easier access to evidence which could incriminate those involved in financial crimes. But is that benefit actually worth giving SEBI the right to request citizen’s call records? In the cases against economic offenses, CDR access often amounts only to circumstantial evidence. With its ongoing battle against insider trading and other financial malpractice, crimes which are inherently difficult to prove, SEBI could have aspirations to grow progressively more omnipresent. But as the agency’s breadth expands, citizen’s rights to privacy are simultaneously being curtailed. Ultimately, the value of preventing economic offense must be balanced with the value of the people’s rights to privacy.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(b).</p>
<p>[<a href="#fr2" name="fn2">2</a>]. 1992 Securities and Exchange Board of India Act, section 11, part 2(i).</p>
<p>[<a href="#fr3" name="fn3">3</a>]. “Sebi Finalising new Anti-money laundering guidelines,” <i>The Times of India, </i>June 16, 2013</p>
<p><a href="http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms">http://timesofindia.indiatimes.com/business/india-business/Sebi-finalizing-new-anti-money-laundering-guidelines/articleshow/20615014.cms</a></p>
<p style="text-align: left; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance -<a href="http://www.necessaryandproportionate.net/#_edn1">http://www.necessaryandproportionate.net/#_edn1</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. “Sebi to soon to get Powers to Access Call Records,” <i>Business Today</i>, June 13, 2013</p>
<p><a href="http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html">http://businesstoday.intoday.in/story/sebi-call-record-access/1/195815.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. 1973 Criminal Procedure Code, Section 92 <a href="http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf">http://trivandrum.gov.in/~trivandrum/pdf/act/CODE_OF_CRIMINAL_PROCEDURE.pdf</a></p>
<p>“Govt gives Sebi, RBI Access to Call Data Records,” The Times of India, June 14, 2013</p>
<p><a href="http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary">http://articles.timesofindia.indiatimes.com/2013-06-14/india/39975284_1_home-ministry-access-call-data-records-home-secretary</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. 1992 Securities and Exchange Board of India Act, section 11C, part 8</p>
<p>[<a href="#fr8" name="fn8">8</a>]. 2002 Prevention of Money-Laundering Act, section 12</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance'>https://cis-india.org/internet-governance/blog/sebi-and-communication-surveillance</a>
</p>
No publisherkoveySAFEGUARDSInternet GovernancePrivacy2013-07-12T10:51:46ZBlog EntryReport on the Sixth Privacy Roundtable Meeting, New Delhi
https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi
<b>In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.
</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p></p>
<p> </p>
<h2>Introduction<b> </b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">CIS was a member of the Justice A.P. Shah Committee which drafted the "<a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of Groups of Experts on Privacy</a>". CIS also drafted a <a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft" class="external-link">Privacy (Protection) Bill 2013</a> (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol>
<li>New Delhi Roundtable: April 13, 2013</li>
<li>Bangalore Roundtable: April 20, 2013</li>
<li>Chennai Roundtable: May 18, 2013</li>
<li>Mumbai Roundtable: June 15, 2013</li>
<li>Kolkata Roundtable: July 13, 2013</li>
<li>New Delhi Roundtable: August 24, 2013</li>
<li>New Delhi Final Roundtable and National Meeting: October 19, 2013</li>
</ol>
<p style="text-align: justify; ">This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="internal-link" title="The Personal Data (Protection) Bill, 2013">The Personal Data (Protection) Bill, 2013 </a>was discussed at the Roundtable.</p>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill</a> from the more expansive – Privacy (Protection) Bill.</p>
<h2>Chapter I – Preliminary</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Religion and Caste</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –</p>
<ul>
<li>Whether religion and caste should be categorized as sensitive personal data or personal data?</li>
<li>Whether it is impracticable to include it in either category?</li>
<li>If included as sensitive personal data, how should it be implemented?</li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Political Affiliation<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conviction Data<b> <br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Financial and Credit Information<b><br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:</p>
<ul>
<li style="text-align: justify; ">The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.</li>
<li style="text-align: justify; ">Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.</li>
<li style="text-align: justify; ">While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.</li>
<li style="text-align: justify; ">Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law. </li>
</ul>
<h2>Chapter II – Regulation of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The main issues under consideration with regard to this part were –</p>
<ul>
<li>The scope of the protection provided</li>
<li>Whether the exemptions should be expanded or diminished. </li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in <i>Kharak Singh v. The State of U.P.</i> (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The overall conclusion of the discussion on this Chapter was –</p>
<ul>
<li>All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.</li>
<li>Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Chapter III – Protection of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data with Prior Informed Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3<sup>rd</sup> party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3<sup>rd</sup> party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3<sup>rd</sup> party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3<sup>rd</sup> party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data without Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -</p>
<p style="text-align: justify; "><i>“(a) necessary for the provision of an emergency medical service to the data subject;<br /></i><i>(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;<br />(c) necessary to prevent a reasonable threat to national security, defence or public order; or<br />(d) necessary to prevent, investigate or prosecute a cognisable offence”</i></p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as <i>Maneka Gandhi v. Union of India</i> (1978) and<i> PUCL v. Union of India</i> (1997).</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Storage and Processing of Personal Data<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.</p>
<h3 class="MsoNormalCxSpLast" style="text-align: justify; ">Conclusion</h3>
<ul>
<li>Mediated collection of data should be qualified on the basis of purpose and intent of collection.</li>
<li>The issue of cost to company (C2C) was not given adequate consideration in the Bill.</li>
<li>The need to lay down Procedures at all stages of handling personal data.</li>
<li>Special exemptions need to be provided for journalistic sources. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Meeting Conclusion<b><br /></b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ <a href="https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill, 2013</a>. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi'>https://cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T15:04:51ZBlog EntryReport on the 4th Privacy Round Table meeting
https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting
<b>This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.
</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; "><span>In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.</span></p>
<p style="text-align: justify; "><span>In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.</span></p>
<p style="text-align: justify; "><span>At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</span></p>
<p style="text-align: justify; "><span>The dates of the six Privacy Round Table meetings are enlisted below:</span></p>
<ol style="text-align: justify; ">
<li>
<p align="JUSTIFY"><span>New Delhi Roundtable: 13 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Bangalore Roundtable: 20 April 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Chennai Roundtable: 18 May 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Mumbai Roundtable: 15 June 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>Kolkata Roundtable: 13 July 2013</span></p>
</li>
<li>
<p align="JUSTIFY"><span>New Delhi Final Roundtable and National Meeting: 17 August 2013</span></p>
</li>
</ol>
<p style="text-align: justify; "><span>Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.</span></p>
<h2><b><span>Discussion of the Draft Privacy (Protection) Bill 2013</span></b></h2>
<h3><b><span>Discussion of definitions: Chapter 1</span></b></h3>
<p style="text-align: justify; "><span>The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised. </span></p>
<p style="text-align: justify; "><span>Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection. </span></p>
<p style="text-align: justify; "><span>The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored. </span></p>
<p style="text-align: justify; "><span>Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards. </span></p>
<p style="text-align: justify; "><span>The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over. </span></p>
<p style="text-align: justify; "><span>The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.</span></p>
<p style="text-align: justify; "><span>In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts. </span></p>
<p style="text-align: justify; "><span>Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data. </span></p>
<p style="text-align: justify; "><span>On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions. </span></p>
<h3><b><span>Right to Privacy: Chapter 2</span></b></h3>
<p style="text-align: justify; "><span>The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill. </span></p>
<p style="text-align: justify; "><span>Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts. </span></p>
<p style="text-align: justify; "><span>The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.</span></p>
<p style="text-align: justify; "><span>Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly. </span></p>
<h3><b><span>Protection of Personal Data: Chapter 3</span></b></h3>
<p style="text-align: justify; "><span>Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data. </span></p>
<p style="text-align: justify; "><b><span>Collection of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention. </span></p>
<p style="text-align: justify; "><span>It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill. </span></p>
<p style="text-align: justify; "><span>Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty. </span></p>
<p style="text-align: justify; "><span>A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes. </span></p>
<p style="text-align: justify; "><span>The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill. </span></p>
<p style="text-align: justify; "><span>In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection. </span></p>
<p style="text-align: justify; "><span>It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well. </span></p>
<p style="text-align: justify; "><b><span>Storage and destruction of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data. </span></p>
<p style="text-align: justify; "><span>In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India. </span></p>
<p style="text-align: justify; "><span>Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases. </span></p>
<p style="text-align: justify; "><b><span>Security of personal data and duty of confidentiality</span></b></p>
<p style="text-align: justify; "><span>Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”. </span></p>
<p style="text-align: justify; "><span>One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India. </span></p>
<p style="text-align: justify; "><b><span>Disclosure of personal data</span></b></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to. </span></p>
<p style="text-align: justify; "><span>It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill. </span></p>
<p style="text-align: justify; "><span>Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism. </span></p>
<p style="text-align: justify; "><span>This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided. </span></p>
<p style="text-align: justify; "><span>Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill. </span></p>
<p style="text-align: justify; "><span>A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed. </span></p>
<p style="text-align: justify; "><span>However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed. </span></p>
<p style="text-align: justify; "><span>Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security. </span></p>
<p style="text-align: justify; "><span>The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill. </span></p>
<h2><b><span>Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner</span></b></h2>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013. </span></p>
<p style="text-align: justify; "><span>In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation. </span></p>
<p style="text-align: justify; "><span>There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a </span><i><span>competitive disadvantage </span></i><span>in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security. </span></p>
<p style="text-align: justify; "><span>As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control. </span></p>
<p style="text-align: justify; "><span>On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations. <br /></span></p>
<p style="text-align: justify; "><span>When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported. </span></p>
<p style="text-align: justify; "><span>Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data. </span></p>
<p style="text-align: justify; "><span>The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on </span><i><span>accountability</span></i><span>. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached. </span></p>
<p style="text-align: justify; "><span>On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated. </span></p>
<p style="text-align: justify; "><span>Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights. </span></p>
<h2><b><span>Meeting conclusion</span></b></h2>
<p style="text-align: justify; "><a name="_GoBack"></a><span>The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed. </span></p>
<p align="JUSTIFY"><span> </span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting'>https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting</a>
</p>
No publishermariaSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:04:25ZBlog Entry