The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
Whose Data is it Anyway?
https://cis-india.org/internet-governance/whose-data-is-it
<b>Tactical Technology Collective and the Centre for Internet & Society invite you to the second round of discussions of the Exposing Data Series at the CIS office in Bangalore on 24 January 2012. Siddharth Hande and Hapee de Groot will be speaking on this occasion.</b>
<p>Like countless others, this title is a convenient adaptation of a 1972 play by Brian Clark, Whose Life is it Anyway?, a meditation on 'euthanasia' and the extent to which governments or the law can determine the private life of an individual. In a similar sense we use the title to help frame the second set of conversations in the Exposing Data Series, to zero in on the idea of data and who has the right to decide what happens with it. Philosophically, and also at the level of code, computing and the law, the ownership of data can be a somewhat odd and a contentious thing to grapple with. The only other understandings of 'ownership' we really have are those of property and identity and these get imputed onto the intangibility of data. And, in some senses now, many aspects of one's identity exist as data.</p>
<p> </p>
<p> </p>
<p>There are a range of experiences of data ownership that we talk about and experience daily. On the one hand you can hoard hard disks with favourite content to retrieve memories and experiences. On the other end of things, you can aggregate your experiences and memories with that of thousands of others, that then gets treated almost like a private hard disk belonging to some mysterious X. Who is this Mysterious X? Is there a Y? Or an XY? What is the trajectory of data in its movement from the individual to a larger, shadowy infrastructure that harvests it? What happens to our idea of data in its reconfiguration from intangible code to an idea of politics and rights? To introduce another provocation, do our existing ideas of data ownership objectify individuals? What does this objectification imply for the notion of personal privacy? For example, does the fetishization of 'things' called data obfuscate the idea of personal privacy?</p>
<p>One of the ways in which we may consider looking at open data initiatives for transparency and accountability is to assess it as discourse, and in relation to what happens when communities aggregate data. Open Government Data usually involves a top-down approach in terms of how it is aggregated, collated, shared, whilst community based approaches are more particular, contextual and local. What do these different approaches give us when we bring them to the same table?</p>
<p>The second event in the Exposing Data Series will focus on data ownership, looking into open government data and community-based data aggregation, to explore the various levels of data collection, the movement of data and its exchange, its representation, and dissemination in different contexts.</p>
<h2>Speakers<br /></h2>
<ol><li>Siddharth Hande, Transparent Chennai</li><li>Hapee de Groot, Hivos, Netherlands</li></ol>
<p>This event is free and open to everyone. However, we would appreciate a confirmation of attendance ahead of time so as to ensure that your space is reserved. To confirm your attendance please write to: <a class="external-link" href="mailto:yelena.gyulkhandanyan@gmail.com">yelena.gyulkhandanyan@gmail.com <br /></a></p>
<p>Photo Source:<a class="external-link" href="http://www.freedigitalphotos.net/images/view_photog.php?photogid=2000"> http://www.freedigitalphotos.net/images/view_photog.php?photogid=2000</a></p>
<p><a class="external-link" href="http://www.freedigitalphotos.net/images/view_photog.php?photogid=2000"><strong>VIDEOS</strong><br /></a></p>
<p> </p>
<iframe src="http://blip.tv/play/AYLsxhgA.html?p=1" frameborder="0" height="250" width="250"></iframe><embed style="display:none" src="http://a.blip.tv/api.swf#AYLsxhgA" type="application/x-shockwave-flash"></embed>
<iframe src="http://blip.tv/play/AYLsxj8A.html?p=1" frameborder="0" height="250" width="250"></iframe><embed style="display:none" src="http://a.blip.tv/api.swf#AYLsxj8A" type="application/x-shockwave-flash"></embed>
<iframe src="http://blip.tv/play/AYLsxwAA.html?p=1" frameborder="0" height="250" width="250"></iframe><embed style="display:none" src="http://a.blip.tv/api.swf#AYLsxwAA" type="application/x-shockwave-flash"></embed>
<iframe src="http://blip.tv/play/AYLsxxUA.html?p=1" frameborder="0" height="250" width="250"></iframe><embed style="display:none" src="http://a.blip.tv/api.swf#AYLsxxUA" type="application/x-shockwave-flash"></embed>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/whose-data-is-it'>https://cis-india.org/internet-governance/whose-data-is-it</a>
</p>
No publisherpraskrishnaEvent TypeVideoInternet GovernancePrivacy2012-04-28T04:12:15ZEventWhole Body Imaging and Privacy Concerns that Follow
https://cis-india.org/internet-governance/blog/privacy_wholebodyimagingcomparison
<b>Law student at the National University of Juridical Sciences, and intern for Privacy India, Srishti Goyal compares, contrasts, and critiques the Whole Body Imaging practices found in the US, the UK, and Australia, and makes recommendations for an Indian regime. </b>
<h3>Introduction</h3>
<p>Whole Body Imaging has been introduced in many countries in light of growing security concerns, two examples in particular being the attack on the twin towers in USA, and what is commonly known as the Christmas Bomb (A man by the name of Umar Farouk Abdulmutallab tried to detonate a bomb on a flight from Amsterdam as it was about to land in Detroit.) Despite the security concerns that have motivated the implementation of Whole Body Imaging, there are also many concerns that have prevented the full fledged application of this technology. Opponents to the technology have stated that the full body scanner would expose travelers to harmful radiation and is thus a health hazard. Others have stated that these digital strip searches (as they are popularly known) will violate child pornography laws. Some, who are trying to encourage the use of full body scanners, are of the opinion that it is better to opt for a whole body scan as the “pat down” searches are more invasive in nature. There are also the concerns that persons may be singled out on the basis of their color and ethnicity. The scope of research for this particular paper is limited to the extent of the privacy concerns that have arisen in light of the use of the technology in order to achieve better security. The question that forms the crux of the debate is: should ones personal privacy be compromised in order to ensure security for one and all? The primary reason why whole body scanners are said to breach privacy is because of the invasive nature of the images produced, which can be detailed enough to show genitalia of the person being scanned.<br />Learning from the experience of other nations that have already implemented the use of Whole Body Imaging” we can decide what policies India should have in place and most importantly whether or not India realistically has a use for this technology. <br />Adequate privacy, it is said, is obtained when the restriction on access to persons and personal information allows a person not to be subjected to intrusion and public exposure [<a href="#1">1</a>]. Full body scanners can be called intrusive because in effect they allow the government to carry out strip searches by using technology to remove clothes instead of physically doing the same. Apart from this there are other concerns. For instance there have been instances when these images have been saved and have been uploaded on the internet [<a href="#2">2</a>]. In Lagos these images have been used as pornographic material. There is also a cause of concern amongst transgender who do not feel comfortable in revealing their gender which is different from the gender that they portray[<a href="#3">3</a>] and they are of the opinion that this information could lead to harassment. Since the scanners can detect medical equipment people who use colostomy bags and catheters which are otherwise hidden may find these scans embarrassing [<a href="#4">4</a>].</p>
<h3>USA</h3>
<p>In the U.S, Whole Body Imaging was introduced in light of the growing concerns with regard to security at airports and terrorist attacks. The Transportation Security Administration is responsible for monitoring security at the airport. The TSA has thus introduced Full Body Scanners at airports. In order to address the privacy concerns that have been raised the TSA has taken the following steps:</p>
<ul><li> Ensuring that the Security officer who is privy to the scan is not the same as the officer interacting with the person who is being scanned. </li><li>The TSA has also stated that personally identifiable information will not be stored and distributed.[<a href="#5">5</a>] </li><li>Another step towards safeguarding the privacy of the passengers has been to blur the faces of the person being scanned.[<a href="#6">6</a>]</li></ul>
<p> Though the TSA has taken various steps to ensure the privacy of individuals, one can argue that these measures are not without loopholes. The fact that the Security Officer looking at the scan and the Security officer handling the passenger are different does not do away with this invasion of privacy. There is also the added concern that these images may be uploaded on the internet, which in fact has already been done. The release and collection of these images is in contravention of the Privacy Act of 1974 that governs the collection, maintenance, use and dissemination of personal identifiable information about individuals which in the possession of the federal agencies. The TSA assures that the images will not be retained, but the fact is that the machines have been programmed such as to enable retention of images, if the same has been disable, it can be tampered with. Lastly, on the point of blurring of faces, it is a software fix and can be undone as easily as the application of the software. The TSA in its Privacy impact Assessment report had listed down that full body scanning would initially be a secondary screening measure. What this means is that everyone goes through one level of security screening and if one is randomly selected or the security has reason to suspect a passenger, the passenger can be called for a second level of screening. At which point the passengers will undergo full body scanning.<br /> A federal judge in California, in 1976 said that the laws of privacy “encompass the individual's regard for his own dignity; his resistance to humiliation and embarrassment; his privilege against unwanted exposure of his nude body and bodily functions." As already stated, these body scanners lead to situations that can be embarrassing, do lead to unwanted exposure of body, and can lead to situation where the person scanned could be humiliated (as in the case of transgender and other persons with catheters and colostomy bags). The Electronic Privacy Information Center is a non-profit group that was established to focus attention on civil liberties issue. EPIC challenged the constitutional validity of full body scanning, claiming that the same violated the fourth amendment [<a href="#9">9</a>]. The amendment guards against unlawful searches and seizures. In the case of whole body imaging, travelers are subjected to “invasive searches” without any suspicion that they did anything wrong, and without being informed of the reason he/she is being subjected to a search of such a nature. [<a href="#10">10</a>] The latest is the use of this technology in courthouses in Florida and at train stations. </p>
<h3>UK</h3>
<p>In the UK if a passenger is selected for full body scanning, the passenger must comply [<a href="#11">11</a>]. The passenger is forbidden from flying if he or she refuses to the scanning process and cannot ask for an alternate screening process [<a href="#12">12</a>] Unlike the US in the UK the option of a pat-down search is not available. The steps taken to protect the privacy of the passengers are the same as practiced in the US.</p>
<ul><li>The images of the passengers are not retained </li><li>The images are produce in such a manner that the Security officer cannot recognize the person.</li></ul>
<p>A major concern in UK is the violation of child pornography laws that do not allow the creation of indecent images of a child. However, a rule that would have exempted persons under the age of 18 from full body scans was overturned by the government in the UK [<a href="#13">13</a>]. Gordon Brown the Prime Minister of UK in 2010 gave permission for the use of full body scanners at the airports. BAA Ltd, which operates six airports in UK (including the Heathrow Airport) has undertaken the installation of these scanners at its airports. In general, the security at the airports comes under the ambit of the Homeland Security and the department will be supervising the installation of the machines. Lord Adonis, the Transport Secretary, confirmed the new policy in a written parliamentary statement, saying that the scanners would help security staff to detect explosives or other dangerous items [<a href="#14">14</a>].</p>
<p>One of the major opponents of Whole Body Imaging has been the Equality and Human Right Commission (EHRC), which is of the opinion that the use of this technology would breach the privacy rules under the Human Rights Act [<a href="#15">15</a>]. The move to use this technology has raised concerns about the excessive collection of personal data. Big Brother Watch, a campaign that fights intrusion on privacy and protects liberties of people, started an online movement that opposes and raises concerns with full body scanning. It has also listed down all the airports around the world that are using (or are going to be using) this technology [<a href="#16">16</a>]. The only group that has openly welcomed this move of the government has been the Liberal Democrats [<a href="#17">17</a>]. The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators.</p>
<p>The privacy policy should include as a minimum:</p>
<ul><li>rules regarding the location of the equipment;</li><li> A process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);</li><li>A process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);</li><li>Prohibition on copying or transferring the images in any way;</li><li>Instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and</li><li>A process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.</li></ul>
<p>The BodyScanner Task Force was established by the European Commission to publish an impact assessment report and to advise the commission, but the task force has yet to publish its report with specific legislative proposals [<a href="#18">18</a>]. </p>
<p>Concerns in the UK also arose in light of a response of a judge to a complaint by the Electronic Privacy Information Centre (based in Washington). The judge stated that the Department of Homeland Security (USA) would be allowed to keep images of individuals screened at the airport [<a href="#19">19</a>]. This raises concerns amongst activists as to which images can and which images cannot be saved by the airport authorities.</p>
<h3>Australia</h3>
<p>Post the attempted attack on Christmas Day, pressure on countries such as Australia increased to make use of whole body imaging technology. However, the Association of Asia Pacific Airliners, an association of the international carriers servicing in Australia, criticised the use of full body scanners [<a href="#20">20</a>]. Apart from the privacy concerns, that people all over the world share, another aspect that is cause for concern in Australia is the increase in traveling cost. The machines used for whole body imaging is extremely expensive, and thus the question posed time and again in Australia is if it will be economically viable to make use of this technology?[<a href="#21">21</a>] The Queensland Council for civil liberties has opposed the use of this Advance Imaging Technology (AIT) and has stated that passengers should be allowed to refuse being scanned and should be allowed to opt for a pat down. Kevin Rudd (the Prime Minister of Australia at the time of implementation of this technology) had taken note of the privacy concerns and assured that such measure would be undertaken that would mitigate these concerns. Currently, Body scanners are installed at the international airports in Australia. The transport minister has said that the images produced would be stick figures and not naked images [<a href="#22">22</a>]. This move has been taken in light of the back clash that body scanners faced in the USA. Changes regarding whole body imaging have been referred to the Privacy Commissioner in order to ensure that privacy is not intruded. Namely, Full Body screening will not be applied to all the passengers - instead passengers will either be randomly selected or will be selected on the basis of their profiles [<a href="#23">23</a>].</p>
<h3>India</h3>
<p>Currently in India whole body scanners can be found at the Delhi International Airport [<a href="#24">24</a>]. Thus, debate and discussion about the use of these scanners has not gained much momentum in India. It would be advisable that when framing legislation or guidelines to govern full body scanners, India incorporates the experiences of other nations who have already started the use of this technology.</p>
<p>Generally speaking it seems as though the use of a full body scanner would not be recommendable for the Indian scenario. It has already been seen that these scans are not very effective in detecting plastic and fluids [<a href="#25">25</a>]. Additionally the scanner only shows objects that are on the body and not in the body. Thus, the effectiveness of these scanners is questionable (especially considering it cannot detect plastics and light fluids) [<a href="#26">26</a>]. Additionally, in India the demographic using these scanners would be very different from the people using these scanners in other countries. For instance, it has been pointed out that the interest of Muslim women has not been taken into account when introducing this method of screening. Apart from personal privacy issues there are religious issues that arise, and though the instances of the same maybe far apart in other nations, in India the same will act as a hindrance on a daily basis. If not dealt with delicately this can be a major cause of concern that will have far reaching ramifications. Furthermore, one cannot stress enough the cost that will be involved with the implementation of these scanners. These scanners are extremely expensive and require trained Security Officers to operate them. Additionally, what the scanners seek to accomplish can be achieved by insuring that the pat-downs are carried out properly. But there is a caveat that must be mentioned here. In US, one is allowed to choose between a pat-down and a body scanner. There have been instances when these pat-downs have been more intrusive than the body scanners. Thus, there should be guidelines in place as to how these pat-downs should be carried out. The guidelines should specify actions that the Security Officials would not be allowed to carry out.</p>
<p>Lastly, even if India decided to adopt the full body scanners, considering it helps save time and takes only 15 seconds to complete, it should not be used as a primary screening method. Hypothetically, if body scanners are used as a secondary screening process, alternate screening processes should be available if the passenger does not wish to subject himself/ herself to the scan. But then the question is why should the government invest so much in an expensive technology which the passengers can easily avoid?</p>
<p> </p>
<h3>Bibliography:</h3>
<p> <br /><a name="1">[1].A Companion to Philosophy of Law and Legal Theory, Constitutional Law and Privacy, Anita. L. Allen Pg 147.</a></p>
<p><a name="2">[2]</a><a href=".http://gizmodo.com/5690749/these-are-the-first-100-leaked-body-scans">.http://gizmodo.com/5690749/these-are-the-first-100-leaked-body-scans.</a></p>
<p><a name="3">[3]</a>.<a href="http://www.airlinereporter.com/2010/08/we-do-not-have-all-the-same-body-parts-and-body-scanners-violates-your-privacy/"> Available at http://www.airlinereporter.com/2010/08/we-do-not-have-all-the-same-body-parts-and-body-scanners-violates-your-privacy/.</a></p>
<p><a name="4">[4]</a><a href=".http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searchers">.http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searchers.</a></p>
<p><a name="5">[5]</a>.<a href="http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_wbi.pdf">Privacy impact assessment report. Available at - http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_wbi.pdf.</a></p>
<p><a name="6">[6]</a><a href="http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searches">.http://www.aclu.org/technology-and-liberty/aclu-backgrounder-body-scanners-and-virtual-strip-searches.</a></p>
<p><a name="7">[7].</a><a href="http://travel.usatoday.com/flights/2010-07-13-1Abodyscans13_ST_N.htm">http://travel.usatoday.com/flights/2010-07-13-1Abodyscans13_ST_N.htm .</a></p>
<p><a name="8">[8]</a><a href="https://cis-india.org/internet-governance/blog/">.http://www.stopdigitalstripsearches.org/.</a></p>
<p><a name="9">[9].</a><a href="http://epic.org/privac/airtravel/backscatter/"> http://epic.org/privac/airtravel/backscatter/.</a></p>
<p><a name="10">[10]</a><a href="http://www.dailymail.co.uk/news/article-2012249/TSA-scanners-catch-implant-bomber-admit-officials.html?ito=feeds-newsxml">.http://www.dailymail.co.uk/news/article-2012249/TSA-scanners-catch-implant-bomber-admit-officials.html?ito=feeds-newsxml.</a></p>
<p><a name="11">[11]</a><a href="http://news.bbc.co.uk/2/hi/uk_news/8490860.stm">.http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.</a></p>
<p><a name="12">[12]</a><a href="http://www.bigbrotherwatch.org.uk/home/2010/03/body-scanner-refuseniks.html">.http://www.bigbrotherwatch.org.uk/home/2010/03/body-scanner-refuseniks.html.</a></p>
<p><a name="13">[13]</a><a href="http://news.bbc.co.uk/2/hi/uk_news/8490860.stm">.http://news.bbc.co.uk/2/hi/uk_news/8490860.stm.</a></p>
<p><a name="14">[14].</a><a href="http://www.timesonline.co.uk/tol/news/uk/article7011224.ece">http://www.timesonline.co.uk/tol/news/uk/article7011224.ece.</a></p>
<p><a name="15">[15].</a><a href="http://www.timesonline.co.uk/tol/news/politics/article6990990.ece">http://www.timesonline.co.uk/tol/news/politics/article6990990.ece.</a></p>
<p><a name="16">[16]</a><a href="http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html">.http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.</a></p>
<p><a name="17">[17]</a><a href="http://news.bbc.co.uk/2/hi/8438355.stm">.http://news.bbc.co.uk/2/hi/8438355.stm.</a></p>
<p><a name="18">[18]</a><a href="http://www.huntonprivacyblog.com/2010/02/articles/european-union-1/uk-airports-implement-compulsory-use-of-full-body-scanners/">.http://www.huntonprivacyblog.com/2010/02/articles/european-union-1/uk-airports-implement-compulsory-use-of-full-body-scanners/.</a></p>
<p><a name="19">[19]</a><a href="http://www.bigbrotherwatch.org.uk/home/2011/01/judge-blocks-investigations-into-body-scanners.html">.http://www.bigbrotherwatch.org.uk/home/2011/01/judge-blocks-investigations-into-body-scanners.html.</a></p>
<p><a name="20">[20].</a><a href="http://www.theaustralian.com.au/travel/backlash-to-airport-body-scans/story-e6frg8rf-1225817485755">http://www.theaustralian.com.au/travel/backlash-to-airport-body-scans/story-e6frg8rf-1225817485755.</a></p>
<p><a name="21">[21].</a><a href="http://www.sbs.com.au/news/article/1190826/full-body-scanners-to-be-introduced-at-airports">http://www.sbs.com.au/news/article/1190826/full-body-scanners-to-be-introduced-at-airports.</a></p>
<p><a name="22">[22].</a><a href="http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html">http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.</a></p>
<p><a name="23">[23].</a><a href="http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html">http://www.theage.com.au/travel/travel-news/fullbody-airport-scans-part-of-security-revamp-20100209-npqo.html.</a></p>
<p><a name="24">[24].</a><a href="http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html">List of Airports with full body scanners. Available at http://www.bigbrotherwatch.org.uk/home/2010/06/airports-with-body-scanners.html.</a></p>
<p><a name="25">[25].</a><a href="http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html">http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html.</a></p>
<p><a name="26">[26].</a><a href="http://www.bigbrotherwatch.org.uk/home/2010/01/invasion-of-the-body-scanners.html">http://www.bigbrotherwatch.org.uk/home/2010/01/invasion-of-the-body-scanners.html.</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy_wholebodyimagingcomparison'>https://cis-india.org/internet-governance/blog/privacy_wholebodyimagingcomparison</a>
</p>
No publisherSrishti GoyalInternet GovernancePrivacy2011-09-29T05:38:00ZBlog EntryWho Governs the Internet? Implications for Freedom and National Security
https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security
<b>The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.</b>
<hr />
<p>The article was published in Yojana (April 2014 Issue). <a href="https://cis-india.org/internet-governance/blog/yojana-april-2014-who-governs-the-internet.pdf" class="external-link">Click to download the original here</a>. (PDF, 177 Kb)</p>
<hr />
<p style="text-align: justify; ">The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement <a href="#fn1" name="fr1">[1] </a> on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." <a href="#fn2" name="fr2">[2] </a> The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.</p>
<p style="text-align: justify; ">It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda <a href="#fn3" name="fr3">[3]</a> clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.</p>
<p style="text-align: justify; ">The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.</p>
<p style="text-align: justify; ">Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.</p>
<p style="text-align: justify; ">But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.</p>
<p style="text-align: justify; ">This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.</p>
<p class="callout" style="text-align: justify; ">Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.</p>
<h3 style="text-align: justify; ">The Opportunity for India</h3>
<p style="text-align: justify; ">Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.</p>
<p style="text-align: justify; ">Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.</p>
<p style="text-align: justify; ">Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.</p>
<h3 style="text-align: justify; ">What is the scope of Internet Governance?</h3>
<p style="text-align: justify; ">Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions<a href="#fn4" name="fr4">[4]</a> and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers <a href="#fn5" name="fr5">[5] </a> within national borders and it would be near impossible for the US to shut down the Internet in India.</p>
<p style="text-align: justify; ">For a more expansive definition – The Working Group on Internet Governance report<a href="#fn6" name="fr6">[6] </a>has four categories for public policy issues that are relevant to Internet governance:</p>
<p style="text-align: justify; ">“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;</p>
<p style="text-align: justify; ">(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;</p>
<p style="text-align: justify; ">(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;</p>
<p style="text-align: justify; ">(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”</p>
<p style="text-align: justify; ">Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.<a href="#fn7" name="fr7">[7] </a> Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.</p>
<h3 style="text-align: justify; ">So who really governs the Internet?</h3>
<p style="text-align: justify; ">So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Montevideo Statement on the Future of Internet Cooperation <a class="external-link" href="https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm">https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Brazil to host global internet summit in ongoing fight against NSA surveillance <a class="external-link" href="http://rt.com/news/brazil-internet-summit-fight-nsa-006/">http://rt.com/news/brazil-internet-summit-fight-nsa-006/</a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Tunis Agenda For The Information Society <a class="external-link" href="http://www.itu.int/wsis/docs2/tunis/off/6rev1.html">http://www.itu.int/wsis/docs2/tunis/off/6rev1.html</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: <a class="external-link" href="http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf">http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: <a class="external-link" href="http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers">http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: <a class="external-link" href="http://www.wgig.org/WGIG-Report.html">http://www.wgig.org/WGIG-Report.html</a></p>
<p>[<a href="#fr7" name="fn7">7</a>].Messaging, Malware and Mobile Anti-Abuse Working Group website See: <a class="external-link" href="http://www.maawg.org/">http://www.maawg.org/</a></p>
<hr />
<p style="text-align: justify; "><i>The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region</i>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security'>https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security</a>
</p>
No publishersunilSurveillanceInternet GovernancePrivacy2014-04-05T16:23:36ZBlog EntryWhite Paper on RTI and Privacy V1.2
https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2
<b>This white paper explores the relationship between privacy and transparency in the context of the right to information in India. Analysing pertinent case law and legislation - the paper highlights how the courts and the law in India address questions of transparency vs. privacy. </b>
<h3 style="text-align: justify; "><b>Introduction</b></h3>
<p style="text-align: justify; ">Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as <i>Bennet Coleman</i> v. <i>Union of India</i>,<a href="#_ftn1" name="_ftnref1">[1]</a> <i>Tata Press Ltd. </i>v.<i> Maharashtra Telephone Nigam Ltd.</i>,<a href="#_ftn2" name="_ftnref2">[2]</a> etc. The same Articles of the Constitution were also interpreted in <i>Kharak Singh</i> v.<i>State of U.P.</i>,<a href="#_ftn3" name="_ftnref3">[3]</a> <i>Govind</i> v. <i>State of M.P.</i>, <a href="#_ftn4" name="_ftnref4">[4]</a> and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "<b>RTI Act</b>").</p>
<p style="text-align: justify; ">Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. <a href="#_ftn5" name="_ftnref5">[5]</a> The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.<a href="#_ftn6" name="_ftnref6">[6]</a></p>
<p style="text-align: justify; ">A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.<a href="#_ftn7" name="_ftnref7">[7]</a> The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. <a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; ">This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.<a href="#_ftn9" name="_ftnref9">[9]</a> The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.<a href="#_ftn10" name="_ftnref10">[10]</a> The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. <a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; ">An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. <a href="#_ftn12" name="_ftnref12">[12]</a> This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. <a href="#_ftn13" name="_ftnref13">[13]</a> Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.<a href="#_ftn14" name="_ftnref14">[14]</a> Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.</p>
<h3 style="text-align: justify; "><b>The Privacy Exception </b></h3>
<p style="text-align: justify; ">As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.<a href="#_ftn15" name="_ftnref15">[15]</a></p>
<p style="text-align: justify; ">It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. <a href="#_ftn16" name="_ftnref16">[16]</a> This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.</p>
<p style="text-align: justify; ">The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.</p>
<p style="text-align: justify; ">One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.<a href="#_ftn17" name="_ftnref17">[17]</a></p>
<p style="text-align: justify; "><b>Scope of Proviso to section 8(1)(j)</b><br />Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), <a href="#_ftn18" name="_ftnref18">[18]</a> the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.<a href="#_ftn19" name="_ftnref19">[19]</a> In the words of the Delhi High Court:</p>
<p style="text-align: justify; ">" <i> The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. </i> "</p>
<p style="text-align: justify; ">The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.</p>
<p style="text-align: justify; ">Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.</p>
<p style="text-align: justify; ">We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.</p>
<p style="text-align: justify; "><b>Personal Information</b><br />The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. <a href="#_ftn20" name="_ftnref20">[20]</a></p>
<p style="text-align: justify; ">The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. <a href="#_ftn21" name="_ftnref21">[21]</a> The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",<a href="#_ftn22" name="_ftnref22">[22]</a> and as including tax returns, medical records etc.<a href="#_ftn23" name="_ftnref23">[23]</a> It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.<a href="#_ftn24" name="_ftnref24">[24]</a></p>
<p style="text-align: justify; "><b>Larger Public Interest</b><br />The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.</p>
<p style="text-align: justify; ">Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.<a href="#_ftn25" name="_ftnref25">[25]</a></p>
<p style="text-align: justify; ">There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".<a href="#_ftn26" name="_ftnref26">[26]</a> However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from <i>Kharak Singh<a href="#_ftn27" name="_ftnref27"><b>[27]</b></a></i> all the way to <i>Naz Foundation</i>, <a href="#_ftn28" name="_ftnref28">[28]</a> seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.</p>
<p style="text-align: justify; ">In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:</p>
<p style="text-align: justify; ">1. The test laid down by <i>Union Public Service Commission</i> v. <i>R.K. Jain</i>:</p>
<p style="text-align: justify; ">(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;</p>
<p style="text-align: justify; ">(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND</p>
<p style="text-align: justify; ">(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. <a href="#_ftn29" name="_ftnref29">[29]</a></p>
<p style="text-align: justify; ">2. The other test was laid down in <i>Vijay Prakash</i> v. <i>Union of India</i>, but in the specific circumstances of disclosure of personal information relating to a public official:</p>
<p style="text-align: justify; ">(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;</p>
<p style="text-align: justify; ">(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and</p>
<p style="text-align: justify; ">(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. <a href="#_ftn30" name="_ftnref30">[30]</a></p>
<p style="text-align: justify; "><b>Constitutional Restrictions</b><br />Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,<a href="#_ftn31" name="_ftnref31">[31]</a> 19(1)(a) <a href="#_ftn32" name="_ftnref32">[32]</a> and 21<a href="#_ftn33" name="_ftnref33">[33]</a> of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:</p>
<p style="text-align: justify; ">a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; <a href="#_ftn34" name="_ftnref34"><sup><sup>[34]</sup></sup></a></p>
<p style="text-align: justify; ">b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;<a href="#_ftn35" name="_ftnref35"><sup><sup>[35]</sup></sup></a></p>
<p style="text-align: justify; ">c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the <i>Maneka Gandhi case</i>.<a href="#_ftn36" name="_ftnref36"><sup><sup>[36]</sup></sup></a></p>
<p style="text-align: justify; ">d) The right can be restricted if there is an important countervailing interest which is superior; <a href="#_ftn37" name="_ftnref37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; ">e) It can be restricted if there is a compelling state interest to be served by doing so; <a href="#_ftn38" name="_ftnref38"><sup><sup>[38]</sup></sup></a></p>
<p style="text-align: justify; ">f) It can be restricted in case there is a compelling public interest to be served by doing so; <a href="#_ftn39" name="_ftnref39"><sup><sup>[39]</sup></sup></a></p>
<p style="text-align: justify; ">g) The <i>Rajagopal tests - </i>This case lays down three exceptions to the rule that a person's private information cannot be published, <i>viz. </i> i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.<a href="#_ftn40" name="_ftnref40"><sup><sup>[40]</sup></sup></a></p>
<h3 style="text-align: justify; "><b>Section 8(1)(j) in Practice <br /></b></h3>
<p style="text-align: justify; ">The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.</p>
<p style="text-align: justify; "><b>Private Information of Public Officials</b><br />Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.<a href="#_ftn41" name="_ftnref41">[41]</a> However this argument has been repeatedly rejected by the Courts, <a href="#_ftn42" name="_ftnref42">[42]</a> just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.</p>
<p style="text-align: justify; ">If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.<a href="#_ftn43" name="_ftnref43">[43]</a> In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.</p>
<p style="text-align: justify; ">Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,<a href="#_ftn44" name="_ftnref44">[44]</a> however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in <i>Girish Ramchandra Deshpande </i>v. <i>Central Information Commissioner,<a href="#_ftn45" name="_ftnref45"><b>[45]</b></a></i> and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.</p>
<p style="text-align: justify; ">It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:</p>
<p style="text-align: justify; ">(i) Details of postings of public servants at various points of time, since this was not considered as personal information; <a href="#_ftn46" name="_ftnref46">[46]</a></p>
<p style="text-align: justify; ">(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; <a href="#_ftn47" name="_ftnref47">[47]</a></p>
<p style="text-align: justify; ">(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;<a href="#_ftn48" name="_ftnref48">[48]</a></p>
<p style="text-align: justify; ">(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;<a href="#_ftn49" name="_ftnref49">[49]</a></p>
<p style="text-align: justify; ">(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; <a href="#_ftn50" name="_ftnref50">[50]</a></p>
<p style="text-align: justify; ">(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. <a href="#_ftn51" name="_ftnref51">[51]</a></p>
<p style="text-align: justify; ">The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):</p>
<p style="text-align: justify; ">(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;<a href="#_ftn52" name="_ftnref52">[52]</a></p>
<p style="text-align: justify; ">(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;<a href="#_ftn53" name="_ftnref53">[53]</a></p>
<p style="text-align: justify; ">(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); <a href="#_ftn54" name="_ftnref54">[54]</a></p>
<p style="text-align: justify; ">(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;<a href="#_ftn55" name="_ftnref55">[55]</a></p>
<p style="text-align: justify; ">(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);<a href="#_ftn56" name="_ftnref56">[56]</a></p>
<p style="text-align: justify; ">(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.<a href="#_ftn57" name="_ftnref57">[57]</a></p>
<p style="text-align: justify; ">It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.</p>
<p style="text-align: justify; "><b>Passport Information of Private Individuals</b><br />The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of <i>Union of India</i> v. <i>Hardev Singh</i>,<a href="#_ftn58" name="_ftnref58">[58]</a> and the view taken in<i>Hardev Singh</i> was later endorsed and relied upon in <i>Union of India </i>v. <i>Rajesh Bhatia</i>, <a href="#_ftn59" name="_ftnref59">[59]</a> while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.</p>
<p style="text-align: justify; ">A list of the Courts conclusions is given below:</p>
<p style="text-align: justify; "><i><span>Information that can be revealed:</span></i></p>
<p style="text-align: justify; ">(i) Name of passport holder;</p>
<p style="text-align: justify; ">(ii) Whether a visa was issued to a third party or not;</p>
<p style="text-align: justify; ">(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;</p>
<p style="text-align: justify; ">(iv) Nature of documents submitted as proof;</p>
<p style="text-align: justify; ">(v) Name of police station from where verification for passport was done;</p>
<p style="text-align: justify; ">(vi) Whether any report was called for from the jurisdictional police;</p>
<p style="text-align: justify; ">(vii) Whether passport was renewed through an agent or through a foreign embassy;</p>
<p style="text-align: justify; ">(viii) Whether it was renewed in India or any foreign country;</p>
<p style="text-align: justify; ">(ix) Whether tatkal facility was availed by the passport holder;</p>
<p style="text-align: justify; "><i><span>Information that cannot be revealed:</span></i></p>
<p style="text-align: justify; ">(i) Contents of the documents submitted with the passport application;</p>
<p style="text-align: justify; ">(ii) Marital status and name and address of husband;</p>
<p style="text-align: justify; ">(iii) Whether person's name figures as mother/guardian in the passport of any minor;</p>
<p style="text-align: justify; ">(iv) Copy of passport application form;</p>
<p style="text-align: justify; ">(v) Residential address of passport holder;</p>
<p style="text-align: justify; ">(vi) Details of cases filed/pending against passport holder;</p>
<p style="text-align: justify; ">(vii) Copy of old passport;</p>
<p style="text-align: justify; ">(viii) Report of the police and CID for issuing the passport;</p>
<p style="text-align: justify; ">(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.</p>
<p style="text-align: justify; "><b>Other Instances </b></p>
<p style="text-align: justify; ">Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:</p>
<p style="text-align: justify; ">(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;<a href="#_ftn60" name="_ftnref60">[60]</a></p>
<p style="text-align: justify; ">(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; <a href="#_ftn61" name="_ftnref61">[61]</a></p>
<p style="text-align: justify; ">(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;<a href="#_ftn62" name="_ftnref62">[62]</a></p>
<p style="text-align: justify; ">(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.<a href="#_ftn63" name="_ftnref63">[63]</a></p>
<h3 style="text-align: justify; "><b>Conclusion</b></h3>
<p style="text-align: justify; ">A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.</p>
<p style="text-align: justify; ">However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the <i>Hardev Singh</i> and <i>Rajesh Bhatia</i> cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of <i>Girish Ramchandra Deshpande</i> in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.</p>
<p style="text-align: justify; ">The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "<i>Illustrations</i>" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.</p>
<h2 style="text-align: justify; "><b>List of References</b></h2>
<p style="text-align: justify; "><span style="text-decoration: underline;"><b>Primary Sources</b></span></p>
<p style="text-align: justify; ">1. Australia Freedom of Information Act, 1982.</p>
<p style="text-align: justify; ">2. <i>Bennet Coleman</i> v. <i>Union of India</i>, AIR 1973 SC 106.</p>
<p style="text-align: justify; ">3. <i>Bhagat Singh </i>v. <i>Chief Information Commissioner, </i>2008 (64) AIC 284 (Del).</p>
<p style="text-align: justify; ">4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.</p>
<p style="text-align: justify; ">5. Canadian Access to Information Act.</p>
<p style="text-align: justify; ">6. <i>Canara Bank</i> v. <i>Chief Information Commissioner</i>, 2007 (58) AIC Ker 667</p>
<p style="text-align: justify; ">7. Constitution of India, 1950.</p>
<p style="text-align: justify; ">8. <i>Govind</i> v. <i>State of M.P.</i>, Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.</p>
<p style="text-align: justify; ">9. <i>Haryana Public Service Commission </i>v. <i>State Information Commission, </i>AIR 2009 P & H 14.</p>
<p style="text-align: justify; ">10. <i>Jamia Millia Islamia v. Sh. Ikramuddin</i>, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.</p>
<p style="text-align: justify; ">11. <i>Jitendra Singh</i> v. <i>State of U.P.</i>, 2008 (66) AIC 685 (All).</p>
<p style="text-align: justify; ">12. <i>Kharak Singh</i> v. <i>State of U.P.</i>, AIR 1963 SC 129.</p>
<p style="text-align: justify; ">13. <i>Maneka Gandhi </i>v. <i>Union of India</i>, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.</p>
<p style="text-align: justify; ">14. <i>Naz Foundation</i> Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.</p>
<p style="text-align: justify; ">15. <i>P.C. Wadhwa</i> v. <i>Central Information Commission</i>, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.</p>
<p style="text-align: justify; ">16. <i>Paardarshita Public Welfare Foundation</i> v. <i>Union of India and others</i>, AIR 2011 Del 82.</p>
<p style="text-align: justify; ">17. <i>President's Secretariat</i> v. <i>Nitish Kumar Tripathi</i>, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.</p>
<p style="text-align: justify; ">18. <i>Public Information Officer</i> v. <i>Andhra Pradesh Information Commission</i>,2009 (76) AIC 854 (AP).</p>
<p style="text-align: justify; ">19. <i>R. Rajagopal v. Union of India</i>, Supreme Court of India, dated 7-10-1994.</p>
<p style="text-align: justify; ">20. <i>Rajendra Vasantlal Shah</i> v. <i>Central Information Commissioner, New Delhi</i>, AIR 2011 Guj 70.</p>
<p style="text-align: justify; ">21. <i>Rajinder Jaina</i> v. <i>Central Information Commission</i>, 2010 (86) AIC 510 (Del. H.C.).</p>
<p style="text-align: justify; ">22. Right to Information Act, 2005</p>
<p style="text-align: justify; ">23. <i>Secretary General, Supreme Court of India</i> v. <i>Subhash Chandra,</i> Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.</p>
<p style="text-align: justify; ">24. <i>Srikant Pandaya</i> v. <i>State of M.P.</i>, AIR 2011 MP 14.</p>
<p style="text-align: justify; ">25. <i>Surendra Singh </i>v. <i>State of U.P</i>, AIR 2009 Alld. 106.</p>
<p style="text-align: justify; ">26. <i>Surup Singh Hyra Naik</i> v. <i>State of Maharashtra</i>, 2007 (58) AIC 739 (Bom).</p>
<p style="text-align: justify; ">27. <i>Tata Press Ltd. </i>v.<i> Maharashtra Telephone Nigam Ltd.</i>, (1995) 5 SCC 139.</p>
<p style="text-align: justify; ">28. U.K. Freedom of Information Act, 2000.</p>
<p style="text-align: justify; ">29. <i>UCO Bank</i> v. <i>Central Information Commissioner and another</i>, 2009 (79) AIC 545 (P&H).</p>
<p style="text-align: justify; ">30. <i>Union Centre for Earth Science Studies </i>v. <i>Anson Sebastian, </i>AIR 2010 Ker. 151</p>
<p style="text-align: justify; ">31. <i>Union of India</i> v. <i>Hardev Singh</i> WP(C) 3444 of 2012 dated 23-08-2013.</p>
<p style="text-align: justify; ">32. <i>Union of India </i>v. <i>Rajesh Bhatia</i> WP(C) 2232/2012 dated 17-09-2013.</p>
<p style="text-align: justify; ">33. <i>Union Public Service Commission </i>v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.</p>
<p style="text-align: justify; ">34. <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
<p style="text-align: justify; "><span style="text-decoration: underline;"><b>Secondary Sources</b></span></p>
<p style="text-align: justify; ">1. "Country Report for U.K.", Privacy International, available at <a href="https://www.privacyinternational.org/reports/united-kingdom">https://www.privacyinternational.org/reports/united-kingdom</a>.</p>
<p style="text-align: justify; ">2. "Country Report for Australia", Privacy International, available at <a href="https://www.privacyinternational.org/reports/australia">https://www.privacyinternational.org/reports/australia</a>.</p>
<p style="text-align: justify; ">3. "Country Report for Canada", Privacy International, available at <a href="https://www.privacyinternational.org/reports/canada">https://www.privacyinternational.org/reports/canada</a>.</p>
<div style="text-align: justify; ">
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> AIR 1973 SC 106. This case held that the freedom of the press embodies in itself the right of the people to read.</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> (1995) 5 SCC 139.</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> AIR 1963 SC 129.</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> Section 8(1) in its entirety states as follows:</p>
<p>(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-</p>
<p>(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;</p>
<p>(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;</p>
<p>(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;</p>
<p>(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;</p>
<p>(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;</p>
<p>(f) information received in confidence from foreign Government;</p>
<p>(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;</p>
<p>(h) information which would impede the process of investigation or apprehension or prosecution of offenders;</p>
<p>(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:</p>
<p>Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:</p>
<p>Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;</p>
<p>(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:</p>
<p>Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> Section 11 of the RTI Act.</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> <i>The Registrar General</i> v. <i>A. Kanagaraj</i>, (Madras High Court, 14 June 2013, available at http://www.indiankanoon.org/doc/36226888/.</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> Arvind Kejriwal v. Central Public Information Officer, (Delhi High Court, 30 September 2011, available at http://www.indiankanoon.org/doc/1923225/.</p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> Sections 40 and 41 of the U.K. Freedom of Information Act, 2000.</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Section 11A read with section 47-F of the Australia Freedom of Information Act, 1982.</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> Section 19 of the Canadian Access to Information Act.</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> <i>Public Information Officer</i> v. <i>Andhra Pradesh Information Commission</i>,2009 (76) AIC 854 (AP).</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> <i>Bhagat Singh </i> v. <i>Chief Information Commissioner, </i>2008 (64) AIC 284 (Del).</p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> Calcutta High Court, WP(W) No. 33290 of 2013, dated 20-11-2013.</p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> <i>Jitendra Singh</i> v. <i>State of U.P.</i>, 2008 (66) AIC 685 (All).</p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> <i>Surup Singh Hyra Naik</i> v. <i>State of Maharashtra</i>, 2007 (58) AIC 739 (Bom).</p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> <i>Surup Singh Hyra Naik</i> v. <i>State of Maharashtra</i>, 2007 (58) AIC 739 (Bom), para 14. Where the Court held that since the medical records of a convict cannot be denied to Parliament or State legislature therefore they cannot be exempted from disclosure under the Act.</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
</div>
<div id="ftn20">
<p><a href="#_ftnref20" name="_ftn20">[20]</a> <i>Union Public Service Commission </i> v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.</p>
</div>
<div id="ftn21">
<p><a href="#_ftnref21" name="_ftn21">[21]</a> <i>Union Public Service Commission </i> v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.</p>
</div>
<div id="ftn22">
<p><a href="#_ftnref22" name="_ftn22">[22]</a> <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
</div>
<div id="ftn23">
<p><a href="#_ftnref23" name="_ftn23">[23]</a> <i>Secretary General, Supreme Court of India</i> v. <i>Subhash Chandra,</i> Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.</p>
</div>
<div id="ftn24">
<p><a href="#_ftnref24" name="_ftn24">[24]</a> <i>Jamia Millia Islamia v. Sh. Ikramuddin</i> , Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.</p>
</div>
<div id="ftn25">
<p><a href="#_ftnref25" name="_ftn25">[25]</a> <i>Union Public Service Commission </i> v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.</p>
</div>
<div id="ftn26">
<p><a href="#_ftnref26" name="_ftn26">[26]</a> <i>Union Public Service Commission </i> v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.</p>
</div>
<div id="ftn27">
<p><a href="#_ftnref27" name="_ftn27">[27]</a> AIR 1963 SC 129.<i> </i></p>
</div>
<div id="ftn28">
<p><a href="#_ftnref28" name="_ftn28">[28]</a> Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.</p>
</div>
<div id="ftn29">
<p><a href="#_ftnref29" name="_ftn29">[29]</a> <i>Union Public Service Commission </i> v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012. This ruling was overturned by a Division Bench of the High Court relying upon a subsequent Supreme Court ruling, however, it could be argued that the Division Bench did not per se disagree with the discussion and the principles laid down in this case, but only the way they were applied.</p>
</div>
<div id="ftn30">
<p><a href="#_ftnref30" name="_ftn30">[30]</a> <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
</div>
<div id="ftn31">
<p><a href="#_ftnref31" name="_ftn31">[31]</a> Right to equality.</p>
</div>
<div id="ftn32">
<p><a href="#_ftnref32" name="_ftn32">[32]</a> Freedom of speech and expression.</p>
</div>
<div id="ftn33">
<p><a href="#_ftnref33" name="_ftn33">[33]</a> Right to life.</p>
</div>
<div id="ftn34">
<p><a href="#_ftnref34" name="_ftn34">[34]</a> Article 19(2) of the Constitution of India, 1950.</p>
</div>
<div id="ftn35">
<p><a href="#_ftnref35" name="_ftn35">[35]</a> Article 19(5) of the Constitution of India, 1950.</p>
</div>
<div id="ftn36">
<p><a href="#_ftnref36" name="_ftn36">[36]</a> <i>Maneka Gandhi </i> v. <i>Union of India</i>, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978. The test laid down in this case is universally considered to be that the procedure established by law which restricts the fundamental right should be just, fair and reasonable.</p>
</div>
<div id="ftn37">
<p><a href="#_ftnref37" name="_ftn37">[37]</a> <i>Govind </i> v.<i> State of M.P</i><i>.</i>, Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.</p>
</div>
<div id="ftn38">
<p><a href="#_ftnref38" name="_ftn38">[38]</a> <i>Govind </i> v.<i> State of M.P</i><i>.</i>,<i> </i>Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.</p>
</div>
<div id="ftn39">
<p><a href="#_ftnref39" name="_ftn39">[39]</a> <i>Govind </i> v.<i> State of M.P</i><i>.</i>, Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975. However the Court later used phrases such as "reasonable restriction in public interest" and "reasonable restriction upon it for compelling interest of State" interchangeably which seems to suggest that the terms "compelling public interest" and "compelling state interest" used by the Court are being used synonymously and the Court does not draw any distinction between them. It is also important to note that the wider phrase "countervailing interest is shown to be superior" seems to suggest that it is possible, atleast in theory, to have other interests apart from public interest or state interest also which could trump the right to privacy.</p>
</div>
<div id="ftn40">
<p><a href="#_ftnref40" name="_ftn40">[40]</a> <i>R. Rajagopal v. Union of India</i> , Supreme Court of India, dated 7-10-1994. These tests have been listed as one group since they are all applicable in the specific context of publication of private information.</p>
</div>
<div id="ftn41">
<p><a href="#_ftnref41" name="_ftn41">[41]</a> <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
</div>
<div id="ftn42">
<p><a href="#_ftnref42" name="_ftn42">[42]</a> <i>Secretary General, Supreme Court of India</i> v. <i>Subhash Chandra,</i> Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010. Also see <i>Vijay Prakash</i> v. <i>Union of India</i>, 2009 (82) AIC 583 (Del).</p>
</div>
<div id="ftn43">
<p><a href="#_ftnref43" name="_ftn43">[43]</a> <i>Canara Bank</i> v. <i>Chief Information Commissioner</i>, 2007 (58) AIC Ker 667. This case also held that information cannot be denied on the ground that it would be too voluminous.</p>
</div>
<div id="ftn44">
<p><a href="#_ftnref44" name="_ftn44">[44]</a> <i>Union Centre for Earth Science Studies </i> v. <i>Anson Sebastian, </i>AIR 2010 Ker. 151; <i>Union Public Service Commission </i>v. <i>R.K. Jain</i>, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012</p>
</div>
<div id="ftn45">
<p><a href="#_ftnref45" name="_ftn45">[45]</a> 2012 (119) AIC 105 (SC).</p>
</div>
<div id="ftn46">
<p><a href="#_ftnref46" name="_ftn46">[46]</a> <i>Girish Ramchandra Deshpande</i> v. <i>Central Information Commissioner</i>, 2012 (119) AIC 105 (SC).</p>
</div>
<div id="ftn47">
<p><a href="#_ftnref47" name="_ftn47">[47]</a> <i>Girish Ramchandra Deshpande</i> v. <i>Central Information Commissioner</i>, 2012 (119) AIC 105 (SC).</p>
</div>
<div id="ftn48">
<p><a href="#_ftnref48" name="_ftn48">[48]</a> <i>Canara Bank</i> v. <i>Chief Information Commissioner</i>, 2007 (58) AIC Ker 667.</p>
</div>
<div id="ftn49">
<p><a href="#_ftnref49" name="_ftn49">[49]</a> <i>Haryana Public Service Commission </i> v. <i>State Information Commission, </i>AIR 2009 P & H 14.</p>
</div>
<div id="ftn50">
<p><a href="#_ftnref50" name="_ftn50">[50]</a> <i>UCO Bank</i> v. <i>Central Information Commissioner and another</i>, 2009 (79) AIC 545 (P&H).</p>
</div>
<div id="ftn51">
<p><a href="#_ftnref51" name="_ftn51">[51]</a> <i>Surendra Singh </i> v. <i>State of U.P</i>, AIR 2009 Alld. 106.</p>
</div>
<div id="ftn52">
<p><a href="#_ftnref52" name="_ftn52">[52]</a> <i>Girish Ramchandra Deshpande</i> v. <i>Central Information Commissioner</i>, 2012 (119) AIC 105 (SC).</p>
</div>
<div id="ftn53">
<p><a href="#_ftnref53" name="_ftn53">[53]</a> <i>Girish Ramchandra Deshpande</i> v. <i>Central Information Commissioner</i>, 2012 (119) AIC 105 (SC).</p>
</div>
<div id="ftn54">
<p><a href="#_ftnref54" name="_ftn54">[54]</a> <i>R.K. Jain</i> v. <i>Union Public Service Commission</i>, Delhi High Court, LPA No. 618 of 2012, dated 12-11-2012.</p>
</div>
<div id="ftn55">
<p><a href="#_ftnref55" name="_ftn55">[55]</a> <i>Secretary General, Supreme Court of India</i> v. <i>Subhash Chandra,</i> Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.</p>
</div>
<div id="ftn56">
<p><a href="#_ftnref56" name="_ftn56">[56]</a> <i>Srikant Pandaya</i> v. <i>State of M.P.</i>, AIR 2011 MP 14.</p>
</div>
<div id="ftn57">
<p><a href="#_ftnref57" name="_ftn57">[57]</a> <i>Paardarshita Public Welfare Foundation</i> v. <i>Union of India and others</i>, AIR 2011 Del 82. It must be mentioned that this case was not exactly under the procedure prescribed under the RTI Act but was a public interest litigation although the courts relied upon the provisions of the RTI Act.</p>
</div>
<div id="ftn58">
<p><a href="#_ftnref58" name="_ftn58">[58]</a> WP(C) 3444 of 2012 dated 23-08-2013.</p>
</div>
<div id="ftn59">
<p><a href="#_ftnref59" name="_ftn59">[59]</a> WP(C) 2232/2012 dated 17-09-2013.</p>
</div>
<div id="ftn60">
<p><a href="#_ftnref60" name="_ftn60">[60]</a> <i>President's Secretariat</i> v. <i>Nitish Kumar Tripathi</i>, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.</p>
</div>
<div id="ftn61">
<p><a href="#_ftnref61" name="_ftn61">[61]</a> <i>P.C. Wadhwa</i> v. <i>Central Information Commission</i>, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.</p>
</div>
<div id="ftn62">
<p><a href="#_ftnref62" name="_ftn62">[62]</a> <i>Rajinder Jaina</i> v. <i>Central Information Commission</i>, 2010 (86) AIC 510 (Del. H.C.).</p>
</div>
<div id="ftn63">
<p><a href="#_ftnref63" name="_ftn63">[63]</a> <i>Rajendra Vasantlal Shah</i> v. <i>Central Information Commissioner, New Delhi</i>, AIR 2011 Guj 70.</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2'>https://cis-india.org/internet-governance/blog/white-paper-on-rti-and-privacy-v-1.2</a>
</p>
No publishervipulFeaturedHomepageInternet GovernancePrivacy2014-11-09T02:53:51ZBlog EntryWhite Paper on Data Protection and Privacy
https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy
<b>National Institute of Public Finance and Policy is organizing a roundtable on data protection and privacy in New Delhi on March 8, 2018. Sunil Abraham is participating as a moderator in the session on Rights and Protections. Amber Sinha is also participating as a panelist.</b>
<p>Agenda <a class="external-link" href="http://cis-india.org/internet-governance/files/white-paper-on-data-protection-and-privacy/">here</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy'>https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy</a>
</p>
No publisherAdminInternet GovernancePrivacy2018-03-07T14:57:53ZNews ItemWhen Data Means Privacy, What Traces Are You Leaving Behind?
https://cis-india.org/internet-governance/blog/privacy/when-data-is-privacy
<b>How do you know yourself to be different from others? What defines the daily life that you live and the knowledge you produce in the span of this life? Is all that information yours or are you a mere stakeholder on behalf of the State whose subject you are? What does privacy really mean? In a society that is increasingly relying on information to identify people, collecting and archiving ‘personal’ details of your lives, your name, age, passport details, ration card number, call records etc, how private is your tweet, status update, text message or simply, your restaurant bill? </b>
<p>The CIC (central information commission) that arbitrates decisions on RTI appeals in case of conflict of interest provides interesting notions of what the State thinks is privacy. Ironically, the cornerstones of RTI that is privacy and its invasion are yet to be defined in the context of the judiciary. Then, how does the CIC decide what is private enough and what can be revealed to anyone? Of course, it relies on the discretion of its judges who attempt to draw from a range of sources that include the principles of natural justice drawn from western jurisprudence to quotes by Gandhi and Aristotle to the UK Data Protection Act, 1998 and US Torts that define invasion of privacy. To begin with, let us examine who constitutes the private sphere. As ruled in case of<em> Mr. Ajeet Kumar Khanna vs Punjab & Sind Bank </em>on 29 July, 2008 and <em>Mr. G. Atchaiah vs State Bank of India</em> on 22 August, 2008, the appellant can seek information only for himself/herself. Anyone outside the self, commonly believed as the personal connection, sons, daughters, parents or even spouse is not allowed information of a relative. One needs a distinct power of attorney for right to information. The contradiction is that one does not need to state the purpose for asking information, thereby making unnecessary any connection with the person you want information about.</p>
<p><span class="Apple-style-span">
</span></p>
<p>CIC has been increasingly relying on the UK Data Protection Act, 1998 to make a correlation between data and privacy. Hence, to map privacy and its invasion, the RTI act depends on the UK Data Protection Act that classifies the following as sensitive personal data: </p>
<p>We have no equivalent of UK's Data Protection Act, 1998, Sec 2 of which, titled Sensitive Personal Data, reads as follows: In this Act "sensitive personal data" means personal data consisting of information as to:</p>
<p> </p>
<ol><li>The racial or ethnic origin of the data subject</li><li>His political opinions</li><li>His religious beliefs or other beliefs of a similar nature </li><li>Whether he is a member of a Trade Union</li><li>His physical or mental health or condition</li><li>His sexual life</li><li>The commission or alleged commission by him of any offence</li><li>Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.</li></ol>
<div>While this blanket reference to sensitive personal data does not account for nuances in the Indian context, it also does not capture the essence of public-private interaction. It is mostly at the intersection of the public domain and the individual that the demarcation occurs. While personal family photographs lying in my attic may constitute a beautiful memory that can be proudly displayed on my walls, it is when one acknowledges the dual nature of any information source, the potential of these photographs to contribute to larger politicized information narratives, that their access and usage comes to define the real crux of the privacy debate.</div>
<div><br />The US Restatement of the Law, Second, Torts, defines the Intrusion to Privacy more generally in the following manner: “One, who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Of course, we don’t know whether a father paying for bills and wanting access to his daughter’s cell phone records can be seen as highly offensive to a reasonable person in the Indian context. In the context of the recent <strong>Padmanabhswamy Temple</strong>treasure trove found in Kerala, since under the Ancient Monuments and Archaeological Sites and Remains Act 1958, such sites qualify as sites of ‘national importance’ and imply a certain larger public interest, would one be able to access such 'nationally personal data' pertaining to a temple (public space) owned by a family trust registered with the government (publicly private), containing a national treasure lying locked on geographical territory (public) that is rightly shared by all citizens? </div>
<div> </div>
<div>Here’s how the CIC defined the personal and the extent of personal in the context of state as illustrated in <em>Mr. Kanhiya Lal vs MCD, GNCT, Delhi</em> on 13 June, 2011.To qualify for this exemption the information must satisfy the following criteria:</div>
<div><br /><strong>It must be personal information</strong></div>
<div>Words in a law should normally be given the meanings given in common language. In common language we would ascribe the adjective 'personal' to an attribute which applies to an individual and not to an institution or a corporate. From this it flows that 'personal' cannot be related to Institutions, organizations or corporate. (Hence, we could state that section 8 (1) (j) cannot be applied when the information concerns institutions, organizations or corporate). The phrase 'disclosure of which has no relationship to any public activity or interest' means that the information must have some relationship to a public activity. Various public authorities in performing their functions routinely ask for 'personal' information from Citizens, and this is clearly a public activity. When a person applies for a job, or gives information about himself to a public authority as an employee, or asks for a permission, licence or authorisation, all these are public activities. The information sought in this case by the appellant has certainly been obtained in the pursuit of a public activity. We can also look at this from another aspect. The State has no right to invade the privacy of an individual. There are some extraordinary situations where the State may be allowed to invade on the privacy of a Citizen. In those circumstances special provisos of the law apply, always with certain safeguards. Therefore it can be argued that where the State routinely obtains information from Citizens, this information is in relationship to a public activity and will not be an intrusion on privacy.<strong><br /></strong></div>
<div><br />In that case, does data at several layers demand for us to relook privacy from the subject positions we acquire at different levels and hence, the larger private collectives that we partake of?</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/when-data-is-privacy'>https://cis-india.org/internet-governance/blog/privacy/when-data-is-privacy</a>
</p>
No publisherNoopur RavalInternet GovernancePrivacy2011-11-24T09:24:03ZBlog EntryWhatsApp spy attack and after
https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after
<b>Bengaluru experts analyse the Pegasus snooping scandal, and provide advice on what you can do about the gaping holes in your mobile phone security.</b>
<p>The article by Theres Sudeep was published in <a class="external-link" href="https://www.deccanherald.com/metrolife/metrolife-your-bond-with-bengaluru/whatsapp-spy-attack-and-after-773955.html">Deccan Herald</a> on November 6, 2019. Aayush Rathi was quoted.</p>
<hr />
<p>Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.</p>
<p style="text-align: justify; ">The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10. WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.</p>
<p style="text-align: justify; ">Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism. Speculation is rife that there is government involvement in the snooping.</p>
<p style="text-align: justify; ">Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says,“The targets of the attack seem to be those who had critical things to say about the current government.”Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17.</p>
<p style="text-align: justify; ">It shows severity rating as “High”.WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created. Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus,specially, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.</p>
<p style="text-align: justify; ">But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says. Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.</p>
<h3 style="text-align: justify; ">NOTHING TO HIDE?</h3>
<p style="text-align: justify; ">Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it. But the minute such a demand is made they would feel uncomfortable.”This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.Many people believe only illegal activity leads to surveillance, but that is not the case.“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.</p>
<h3 style="text-align: justify; ">UPDATE SECURITY</h3>
<p style="text-align: justify; ">So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.</p>
<p style="text-align: justify; ">Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after'>https://cis-india.org/internet-governance/news/deccan-herald-november-6-2019-theres-sudeep-whatsapp-spy-attack-and-after</a>
</p>
No publisherTheres SudeepInternet GovernancePrivacy2019-12-15T05:06:27ZNews ItemWhatsApp ruling: Experts seek privacy law
https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law
<b>On August 25, Whatsapp updated its policy to share user content with social network; the decision opened new monetisation models for the messaging app.</b>
<p style="text-align: justify; ">The article by Apurva Venkat and Moulishree Srivastava quoted Sunil Abraham. It was <a href="http://www.business-standard.com/article/current-affairs/whatsapp-ruling-experts-seek-privacy-law-116092400750_1.html">published in the Business Standard</a> on September 24, 2016.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><span>The recent<span class="Apple-converted-space"> </span></span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Delhi+High+Court" target="_blank">Delhi High Court<span class="Apple-converted-space"> </span></a><span>ruling that<span class="Apple-converted-space"> </span></span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Messaging+App" target="_blank">messaging app</a><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Whatsapp" target="_blank">Whatsapp<span class="Apple-converted-space"> </span></a><span>cannot share user data highlights the need for legislation on privacy, according to experts.</span><br /> <br /> <span>On August 25, Whatsapp, a platform with 70 million users in India that was acquired by Facebook in 2014, updated its policy to share user content with the social network. The decision opened new monetisation models for the messaging app.</span></p>
<p style="text-align: justify; "><span>In response to a PIL, the court ordered<span class="Apple-converted-space"> </span></span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Whatsapp" target="_blank">WhatsApp<span class="Apple-converted-space"> </span></a><span>to delete data of users who chose to opt out of its policy changes before September 25. It also ordered</span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Whatsapp" target="_blank">WhatsApp<span class="Apple-converted-space"> </span></a><span>not to share data collected before September 25 with Facebook for users who had not opted out.</span><br /> <br /> <span>"The decision makes a strong statement on privacy," said Sunil Abraham, executive director of the Centre for Internet Society. According to him, a user trusts a platform and provides access to his data. As another firm acquires the platform, it gains access to the data.</span><br /> <br /> <span>"Facebook owns Whatsapp. It has to look at ways of monetising it," said Nikhil Pahwa, co-founder of SavetheInternet.in.</span><br /> <br /> <span>"With so much digital data being generated, there is a need for a privacy law in the country," said Pahwa.</span><br /> <br /> <span>"Facebook's consent interface is confusing. It can make a person who wants to opt out let the company access his data," said Abraham, adding a law would take care of such intricacies. The government is working on a privacy bill.</span><br /> <br /> <span>Saroj Kumar Jha, partner, SRGR Law Offices, said there were few judgments on privacy in India based on constitutional rights.</span><br /> <br /> <span>"While the Information Technology Act enables courts to pass judgments on global companies on privacy, enforcing the orders is difficult," he said.</span><br /> <br /> <span>"What is required is a privacy law that can protect user data and uphold the individual's right to privacy," he added.</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law'>https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law</a>
</p>
No publisherpraskrishnaSocial MediaWhatsAppInternet GovernancePrivacy2016-09-27T02:35:06ZNews ItemWhatsApp races against time to fix fake news mess ahead of 2019 general elections
https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections
<b>On Friday, when WhatsApp announced that it would pilot a ‘five media-based forwards limit’ in India, the government came up with an unequivocal reminder.</b>
<p style="text-align: justify; ">The article by Venkat Ananth was published in <a class="external-link" href="https://economictimes.indiatimes.com/tech/internet/whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections/articleshow/65112280.cms">Economic Times</a> on July 24, 2018. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">“When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter face consequent legal action,” noted a ministry of electronics and information technology (MeitY) statement.</p>
<p style="text-align: justify; ">The statement also said there was a need for bringing in traceability and accountability, “when a provocative/inflammatory message is detected and a request is made by law enforcement agencies.”</p>
<p style="text-align: justify; ">Significantly, MeitY took aim at WhatsApp’s core end-to-end encryptionbased product feature and its oft-quoted and reiterated commitment to privacy. It was specific, going beyond the usual “do more” requests.</p>
<p style="text-align: justify; ">The stand also poses an interesting dilemma for the messenger service. How can it act while protecting its privacy commitment?</p>
<p style="text-align: justify; ">“It is practical ly impossible for WhatsApp to regulate content in the peer-to-peer encrypted environment it is set up in,” says Rahul Matthan, partner, Trilegal. “An encrypted platform is what we want. The government is trying to maintain a strict and difficult balance. The government tends to err on the side of violating civil liberties over offering privacy to innocent users. The WhatsApp case is going in that direction.”</p>
<h3 style="text-align: justify; ">No Longer Low-Key</h3>
<p style="text-align: justify; ">In India, its largest market, WhatsApp has benefitted from quietly operating in the shadows of its more popular parent, Facebook, growing to a currently active user base of 200 million.</p>
<p style="text-align: justify; ">However, in the last six months, while it continues to be perceived as an asset by politicos for outreach and propaganda, WhatsApp is now increasingly being tapped by the bad guys to disseminate deliberate misinformation, rumour mongering and fake news. And not the Donald Trump kind either.</p>
<p style="text-align: justify; ">It is leading to loss of lives on the ground, through lynchings, kidnappings and related crimes.</p>
<p style="text-align: justify; ">WhatsApp spokesperson Carl Woog says, “The recent acts of violence in India have been heartbreaking and reinforce the need for government, civil society and technology companies to work together to keep people safe.”</p>
<p style="text-align: justify; ">“By focusing on solutions to fake news inside our smartphones, we are ignoring a tougher problem that requires several complementary solutions,” says Apar Gupta, a Delhi-based lawyer and cofounder of the Internet Freedom Foundation.</p>
<p style="text-align: justify; ">“Let us not forget that a platform is not responsible for policing.”</p>
<p style="text-align: justify; ">But the general public and government perception — and, to some extent, concern — remains that WhatsApp has been slow to react to these situations.</p>
<h3 style="text-align: justify; ">To Police or Not to Police</h3>
<p style="text-align: justify; ">Interestingly, the government and ruling party realise WhatsApp could be pivotal to their fortunes in the next electoral cycle — in the run-up to Elections<br />2019.</p>
<p style="text-align: justify; ">“The government is coming under increased pressure to act on these lynchings, which is why it is taking a shootthe-messenger kind of an approach,” says Matthan. “An unsophisticated government would have advocated a blanket ban on the source. But here, the government, it appears, wants to regulate tech by having access to your device, through an app, in the case of the (telecom regulator) Trai DND app to battle spam.”</p>
<p style="text-align: justify; ">This is also why WhatsApp has intensified its outreach efforts. Over the past 10 days, a team of its US and India-based executives have been meeting key stakeholders in Delhi and Mumbai, including the Election Commission, political parties, the Reserve Bank of India, banks and civil society, as ET reported last week.</p>
<p style="text-align: justify; ">The team includes public policy manager Ben Supple, senior director, customer operations, Komal Lahiri and WhatsApp India communication manager Pragya Misra Mehrishi. They are now expected to meet key government officials from MeitY from Monday, sources say.</p>
<p style="text-align: justify; ">“The intense outreach efforts is essentially linked to WhatsApp wanting to protect its payments play in India,” says a Delhi-based public policy professional, who did not want to be named as he is not authorised to speak to the media.</p>
<p style="text-align: justify; ">“It (WhatsApp) is really worried about Google’s efforts with Tez and the gap that will only widen if the government delays grant of permission.”</p>
<p style="text-align: justify; ">WhatsApp is stressing some key points while reinforcing the steps it is taking to counter challenges. One, the best practices of using the platform. Two, the need to work together to prevent abuse of WhatsApp, and three, most importantly, to educate people about the best ways of using the platform. WhatsApp was primarily designed for private, oneon-one messaging or group chats among acquaintances, not for mass broadcast, which parties resort to during elections.</p>
<p style="text-align: justify; ">WhatsApp says it is working on a warfooting to tackle the problems. It has introduced product changes to counter user behaviour. There’s more control, where a group ‘admin’ can restrict users who can send messages to the group, modify a group icon or edit description, a feature for which it has taken a leaf out of rival Telegram’s book. To counter fake news, it added a ‘forwarded’ label. And now, limited the forwarding to five in India, and 20 in the rest of the markets, a significant reduction from 250 prior to that.</p>
<p style="text-align: justify; ">While the impact of these product tweaks is yet to be seen at an individual user level, the larger concern for WhatsApp today is the potential misuse of its platform to manipulate elections, a very real possibility next year.</p>
<h3 style="text-align: justify; ">Tipping Point</h3>
<p style="text-align: justify; ">The company’s noticeable change of tack comes after it noticed certain trends during the recent Karnataka elections, during which one of its executives spent a week in Bengaluru.</p>
<p style="text-align: justify; ">One of the political parties, which a person aware of the developments in WhatsApp declined to name, was using “dozens of accounts to create thousands of groups,” as part of its campaign.</p>
<p style="text-align: justify; ">The party, the source says, was adding random numbers (approximately 100) to the group during creation. By random numbers, he meant people who did not know each other, something WhatsApp can identify using the metadata it collects when a user gives it access to its phone book. WhatsApp deems this behaviour ‘organised spamming.’</p>
<p style="text-align: justify; ">“These were real people not necessarily known to each other,” says the person quoted above. “A specific account would be added to that group to be made the admin.”</p>
<p style="text-align: justify; ">Mostly, this admin was the number used to create these multiple groups or, in WhatsApp terms, the account that was not behaving the way private or group communication happens.</p>
<p style="text-align: justify; ">Also, the users would be a mix of fake accounts, which is a major red flag for WhatsApp. “The group starts with some bulk added users and then the real ones get bulk-added,” says the source. WhatsApp deems this practice a violation of its terms of service.</p>
<p style="text-align: justify; ">Company sources add that WhatsApp was able to detect these trends and proactively banned these users before they were able to add people. “In some cases, our systems didn’t catch this in time, but we were able to proactively prevent users from receiving such spam. That detection is now internalised and if someone tries to replicate that behaviour anywhere in the world, we will be able to detect them,” says another person familiar with developments at WhatsApp.</p>
<p style="text-align: justify; ">According to several media reports, the BJP and the Congress too created over 30,000 groups for campaigning and organising efforts. To counter organised political spamming, WhatsApp has now begun using machine learning tools. WhatsApp can trace the last few messages in a group and block it entirely from the platform. At the detection level, WhatsApp checks for familiarity. “Do the persons know each other, or have they interacted before?” through metadata it possesses through phone numbers.</p>
<p style="text-align: justify; ">The second person quoted in the story says the company now focuses its detection “upstream,” that is, catching the user at the registration stage. “When you register on WhatsApp and immediately create a group, questions asked are, ‘Does this behaviour look like what a regular user does? Or does it look like users who have misused it in the past?’” he says.</p>
<p style="text-align: justify; ">WhatsApp, sources tell ET, is also using machine learning to detect sequential numbers that could be used to create these groups. “If they go and buy a phone number, they go to one carrier and its mostly sequential. If we notice 100 numbers with the same prefix have signed up, nearly 80 get automatically banned. What we do is feed these sequences, permutations and combinations to detect good/bad users,” the person quoted above says. “It learns millions of these combination signals on behaviour and help us make a decision.”</p>
<h3 style="text-align: justify; ">Civil Society as a Key Layer</h3>
<p style="text-align: justify; ">WhatsApp also sees an enabling role for civil society, especially for digital literacy. Its team has currently met seven non-governmental organisations, including digital literacy groups and others involved in the area of financial inclusion. This is part of its public policy efforts while also solidifying its payments play.</p>
<p style="text-align: justify; ">“The level of responsibility for a platform is to not consciously cause — and, in fact, to take active measures to prevent — social harm,” says Gupta of IFF. “It has to be done without injury to end-to-end encryption, which offers safety and privacy to users.</p>
<p style="text-align: justify; ">Many products and product strategies can be adopted — from increasing media diversity on the platform to promoting auditing features that rely on partnerships with fact-checking organisations. We must demand accountability but resist the rhetorical attraction of technophobia.”</p>
<p style="text-align: justify; ">As ET has reported, WhatsApp will adapt a fact-checking model, Verificado 2018, deployed during the recent Mexican presidential elections. Verificado proactively debunked fake news and misinformation on the platform. “The rumours were found to be very similar to India.</p>
<p style="text-align: justify; ">Verificado was specifically focused on misinformation from candidates,” says the first person quoted in the story. “Plus, it helped effectively tackle misinformation during an earthquake in Mexico.”</p>
<p style="text-align: justify; ">For WhatsApp, one of the key learnings from the Mexico elections was that it could look at the spam reports and categorise them as politics-related. The company, unsurprisingly, saw an increase in political spam in the buildup to election day.</p>
<p style="text-align: justify; ">“They realised Verificado assists users to get help within the app. But it also aids news organisations, political parties, the government and users,” adds the person. The company is undertaking a similar exercise in Brazil, where 24 media outlets have come together under the Comprova initiative to fact-check viral content and rumours on WhatsApp.</p>
<p style="text-align: justify; ">Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society believes WhatsApp can further tweak its product to enable real-time checks. “They can enable a ‘fact check this’ button for users to upload content to a fact-checking database. If the content has already been fact-checked, the score can be displayed immediately. Alternatively, the fact-checking service can return the score at a later date,” he explains.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections'>https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections</a>
</p>
No publisherAdminSocial MediaWhatsAppInternet GovernancePrivacy2018-07-25T15:27:20ZNews ItemWhat’s up with WhatsApp?
https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp
<b>In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing?</b>
<p style="text-align: justify; ">The article by Aayush Rathi and Sunil Abraham was published in <a class="external-link" href="http://www.atimes.com/article/whats-up-with-whatsapp/">Asia Times</a> on April 20, 2018.</p>
<hr />
<p style="text-align: justify; ">Back in April 2016, when WhatsApp Inc announced it was rolling out end-to-end encryption (E2EE) for its billion-plus strong user base as a default setting, the messaging behemoth signaled to its users it was at the forefront of providing technological solutions to protect privacy.</p>
<p class="p4" style="text-align: justify; ">Emphasized in the security white paper explaining the implementation of the technology is the encryption of both forms of communication – one-to-one and group and also of all types of messages shared within such communications – text as well as media.</p>
<p class="p4" style="text-align: justify; ">Simply put, all communication taking place over WhatsApp would be decipherable only to the sender and recipient – it would be virtual gibberish even to WhatsApp.</p>
<p class="p4" style="text-align: justify; ">This announcement came in the backdrop of <a href="https://www.theguardian.com/us-news/2016/feb/17/apple-ordered-to-hack-iphone-of-san-bernardino-shooter-for-fbi">Apple locking horns with the FBI</a> after being asked to provide a backdoor to unlock the San Bernardino mass shooter’s iPhone. This further reinforced WhatsApp Inc’s stand on the ensuing debate between the interplay of privacy and security in the digital age.</p>
<p class="p4" style="text-align: justify; ">Kudos to WhatsApp, for there is <a href="http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx">growing discussion</a> around how encryption and anonymity is central to enabling secure online communication which in turn is integral to essential human rights such as those of freedom of opinion and expression.</p>
<p class="p4" style="text-align: justify; ">WhatsApp may have taken encryption to the masses, but here we outline why WhatsApp’s provisioning of privacy and security measures needs a more granular analysis – is the company doing what it claims to be doing? Security issues with WhatsApp’s messaging protocol certainly are not new.</p>
<h3 style="text-align: justify; ">Man-in-the-middle attacks</h3>
<p class="p4" style="text-align: justify; ">A <a href="https://eprint.iacr.org/2017/713.pdf">study</a> published by a group of German researchers from Ruhr University highlighted issues with WhatsApp’s implementation of its E2EE protocol to group communications. Another <a href="https://courses.csail.mit.edu/6.857/2016/files/36.pdf">paper</a> points out how WhatsApp’s session establishment strategy itself could be problematic and potentially be targeted for what are called man-in-the-middle (MITM) attacks.</p>
<p class="p4" style="text-align: justify; ">An MITM attack takes the form of a malicious actor, as the term suggests, placing itself between the communicating parties to eavesdrop or impersonate. The Electronic Frontier Foundation also <a href="https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wrong-effs-four-biggest-security-concerns">highlighted</a> other security vulnerabilities, or trade-offs, depending upon ideological inclinations, with respect to WhatsApp allowing for storage of unencrypted backups, issues with WhatsApp’s web client and also with its approach to cryptographic key change notifications.</p>
<p class="p4" style="text-align: justify; ">Much has been written questioning WhatsApp’s shifting approach to ensuring privacy too. Quoting straight from <a href="https://www.whatsapp.com/legal/#privacy-policy-affiliated-companies">WhatsApp’s Privacy Policy:</a> “We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies.” Speaking of Facebook …</p>
<p class="p4" style="text-align: justify; ">Culling out larger issues with WhatsApp’s privacy policies is not the intention here. What we specifically seek to explore is right at the nexus of WhatsApp’s security and privacy provisioning clashing with its marketing strategy: the storage of data on WhatsApp’s servers, or ‘blobs,’ as they are referred to in the technical paper. Facebook’s rather. In WhatsApp’s words: “Once your messages (including your chats, photos, videos, voice messages, files and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device.”</p>
<p class="p4" style="text-align: justify; ">In fact, this non-storage of data on their ‘blobs’ is emphasizes at several other points on the official website. Let us call this the deletion-upon-delivery model.</p>
<h3 style="text-align: justify; ">A simple experiment</h3>
<p class="p4" style="text-align: justify; ">While drawing up a rigorous proof of concept, made near-impossible thanks to WhatsApp being a closed source messaging protocol, a simple experiment is enough to raise some very pertinent questions about WhatsApp’s outlined deletion-upon-delivery model. It should, however, be mentioned that the Signal Protocol developed by Open Whisper Systems and pivotal in WhatsApp’s rolling out of E2EE is <a href="https://github.com/signalapp">open source</a>. Here is how the experiment proceeds:</p>
<p class="p4" style="text-align: justify; "><i>Rick sends Morty an attachment.</i></p>
<p class="p4" style="text-align: justify; "><i>Morty then switches off the data on her mobile device.</i></p>
<p class="p4" style="text-align: justify; "><i>Rick downloads the attachment, an image.</i></p>
<p class="p4" style="text-align: justify; "><i>Subsequently, Rick deletes the image from his mobile device’s internal storage.</i></p>
<p class="p4" style="text-align: justify; "><i>Rick then logs into a WhatsApp’s web client on his browser. (Prior to this experiment, both Rick and Morty had logged out from all instances of the web client)</i></p>
<p class="p4" style="text-align: justify; "><i>Upon a fresh log-in to the web client and opening the chat with Morty, the option to download the image is available to Rick.</i></p>
<p class="p4" style="text-align: justify; ">The experiment concludes with bewilderment at WhatsApp’s claim of deletion-upon-delivery as outlined earlier. The only place from which Morty could have downloaded the image would be from Facebook’s ‘blobs.’ The attachment could not have been retrieved from Morty’s mobile device as it had no way of sending data and neither from Rick’s mobile device as it no longer existed in the device’s storage.</p>
<p class="p4" style="text-align: justify; ">As per the Privacy Policy, the data is stored on the ‘blobs’ for a period of 30 days after transmission of a message only when it can’t be delivered to the recipient. Upon delivery, the deletion-upon-delivery model is supposed to kick in.</p>
<p class="p4" style="text-align: justify; ">Another straightforward experiment that leads to a similar conclusion is seeing the difference in time taken for a large attachment to be forwarded as opposed to when the same large attachment is uploaded. Forwarding is palpably quicker than uploading afresh: non-storage of attachments on the ‘blob’ would entail that the same amount should be taken for both.</p>
<p class="p4" style="text-align: justify; ">The plot thickens. WhatsApp’s Privacy Policy goes on to state: “To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.” The technical paper offers no help in understanding how WhatsApp systems assess frequently shared encrypted media messages without decrypting it at its end.</p>
<p class="p4" style="text-align: justify; ">A possible explanation could be the usage of metadata by WhatsApp, which it discloses in its Privacy Policy while simultaneously being sufficiently vague about the specifics of it. That WhatsApp may be capable of reading encrypted communication through the inclusion of a backdoor bodes well for law enforcement, but not so much for unsuspecting users.</p>
<h3 style="text-align: justify; ">The weakest link in the chain</h3>
<p class="p4" style="text-align: justify; ">Concerns about backdoors in WhatsApp’s product have led the French government to start developing their <a href="https://www.reuters.com/article/us-france-privacy/france-builds-whatsapp-rival-due-to-surveillance-risk-idUSKBN1HN258">own encrypted messaging service</a>. This will be built using Matrix – an open protocol designed for real-time communication. Indeed, the Privacy Policy lays out that the company “may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to respond pursuant to applicable law or regulations, to legal process, or to government requests.”</p>
<p class="p4" style="text-align: justify; ">The Signal Protocol is the undisputed gold standard of E2EE implementations. It is the integration with the surrounding functionality that WhatsApp offers which leads to vulnerabilities. After all, a chain is only as strong as its weakest link. Assuming that the attachments stored on the ‘blobs’ are in encrypted form, indecipherable to all but the intended recipients, this does not pose a privacy risk for the users from a technological point of view.</p>
<p class="p4" style="text-align: justify; ">However, it is easy lose sight of the fact that the Privacy Policy is a legally binding document and it specifically states that messages are not stored on the ‘blobs’ as a matter of routine. As a side note, WhatsApp’s Privacy Policy and Terms of Service are refreshing in their readability and lack of legalese.</p>
<p class="p4" style="text-align: justify; ">As we were putting the final touches to this piece, <a href="https://wabetainfo.com/whatsapp-allows-to-redownload-deleted-media/#more-2781">news from <i>WABetaInfo</i></a>, a well-reputed source of information on WhatsApp features, has broken that newer updates of WhatsApp for Android are permitting users to re-download media deleted up to three months back. WhatsApp cannot possibly achieve this without storing the media in the ‘blobs,’ or in other words, in violation of its Privacy Policy.</p>
<p class="p4" style="text-align: justify; ">As the aphorism goes: “When the service is free, you are the product.”</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp'>https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp</a>
</p>
No publisherAayush Rathi and Sunil AbrahamSocial MediaPrivacyInternet GovernanceFeaturedWhatsAppHomepage2018-04-23T16:45:51ZBlog EntryWhat’s Hard To Digest About The Zomato Hacking
https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking
<b>Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.</b>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>The blog post by Aayush Ailawadi was published by <a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking">Bloomberg Quint</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p>The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in <a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank">its blog</a> that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.</p>
</div>
</div>
</div>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.</p>
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Late on Thursday night, the story took an interesting turn when the company updated <a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank">its blog post yet again</a>. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.</p>
</div>
</div>
</div>
</div>
<div class="card-block-qsection-technology card">
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.</p>
</div>
</div>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Disclose To Confuse?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>What’s So Scary About The Zomato Hacking?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.</p>
<p>What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Genuine Disclosures Vs False Promises</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Where’s My Privacy And Security?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.</p>
<p>Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'>https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</a>
</p>
No publisherpraskrishnaCyber SecurityInternet GovernancePrivacy2017-05-19T09:22:37ZNews ItemWhat You Need To Worry About Before Linking Your Mobile Number With Aadhaar
https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar
<b>As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.</b>
<p style="text-align: justify; ">The blog post by Roopa Raju and Shekhar Rai was published in <a class="external-link" href="https://www.youthkiawaaz.com/2017/11/linking-aadhar-with-mobile-number-pros-and-cons/">Youth Ki Awaaz</a> on November 8, 2017</p>
<hr />
<p style="text-align: justify; ">The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of <a href="https://thewire.in/109330/aadhaar-phone-legal-battle/" rel="noopener" target="_blank">Lokniti Foundation vs Union of India</a>. The petitioner <a href="http://supremecourtofindia.nic.in/jonew/courtnic/rop/2016/23429/rop_885627.pdf" rel="noopener" target="_blank">contended</a> that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for <a href="http://supremecourtofindia.nic.in/jonew/courtnic/rop/2016/23429/rop_885627.pdf" rel="noopener" target="_blank">ensuring 100% verification</a> on the identity of telecom service subscribers in public interest under <a href="https://indiankanoon.org/doc/981147/" rel="noopener" target="_blank">Article 32</a> of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under <a href="https://indiankanoon.org/doc/1199182/" rel="noopener" target="_blank">Article 21</a> of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of <a href="https://timesofindia.indiatimes.com/india/Identities-of-4-59-crore-mobile-users-still-unverified-CAG/articleshow/39572824.cms" rel="noopener" target="_blank">4.59 crore mobile users</a> still remained unverified.</p>
<p style="text-align: justify; ">Article 21 of the Constitution of India, 1949, <a href="https://indiankanoon.org/doc/1199182/" rel="noopener" target="_blank">states</a> that – <i>“No person shall be deprived of his life or personal liberty except according to procedure established by law.”</i> While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.</p>
<p style="text-align: justify; ">In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of <a href="http://indiatoday.intoday.in/technology/story/aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report/1/943632.html" rel="noopener" target="_blank">over 130 million</a> Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.</p>
<p style="text-align: justify; ">On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also <a href="https://thewire.in/190932/west-bengal-mamata-banerjee-bjp-aadhaar/" rel="noopener" target="_blank">strongly opposed</a> the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court <a href="https://www.ndtv.com/india-news/aadhaar-petitions-in-supreme-court-today-including-bengals-10-points-1768703" rel="noopener" target="_blank">questioned</a> the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.</p>
<p style="text-align: justify; ">As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base <a href="http://indianexpress.com/article/technology/tech-news-technology/telecom-subscriber-base-dips-marginally-to-121-crore/" rel="noopener" target="_blank">dipped by 1.3 lakh</a> to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td><b>Month</b></td>
<td><b>Telephone subscriber base<br /> (in million)</b></td>
<td><b>Growth rate</b></td>
</tr>
<tr>
<td><b>Mar-17</b></td>
<td>1194.58</td>
<td>–</td>
</tr>
<tr>
<td><b>Apr-17</b></td>
<td>1198.89</td>
<td>0.36%</td>
</tr>
<tr>
<td><b>May-17</b></td>
<td>1204.98</td>
<td>0.51%</td>
</tr>
<tr>
<td><b>Jun-17</b></td>
<td>1210.84</td>
<td>0.49%</td>
</tr>
<tr>
<td><b>Jul-17</b></td>
<td>1210.71</td>
<td>-0.01%</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><i>(Source: <a href="http://www.trai.gov.in/release-publication/reports/telecom-subscriptions-reports" rel="noopener" target="_blank">TRAI monthly subscription data</a>)</i></p>
<p style="text-align: justify; ">The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).</p>
<p style="text-align: justify; ">Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.</p>
<p style="text-align: justify; ">With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.</p>
<p style="text-align: justify; ">However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.</p>
<p style="text-align: justify; ">The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.</p>
<p style="text-align: justify; ">While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar'>https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2017-11-26T05:55:49ZNews ItemWhat privacy? 13 crore Aadhaar numbers accessible on government portals
https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals
<b>At least 13 crore Aadhaar numbers and 10 crore bank account numbers are readily accessible on government portals, a report claims.</b>
<p style="text-align: justify; ">The blog post by Anusha Ravi was <a href="http://www.oneindia.com/india/what-privacy-13-crore-aadhaar-numbers-accessible-on-government-portals-2422904.html">published in Oneindia</a> on May 2, 2017.</p>
<hr />
<p style="text-align: justify; ">The centre for internet and society, in its report, has claimed that Aadhaar numbers with sensitive personal financial information were publicly available on four government portals built to oversee <a href="http://www.oneindia.com/topic/welfare" title="Topic: welfare schemes">welfare schemes</a>. The report said that the government portals made it easy to access sensitive details, despite it being <a href="http://www.oneindia.com/topic/illegal" title="Topic: illegal">illegal</a>. "It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," said Amber Sinha and Srinivas Kodali, the authors of the report.<br /> <br /> Apart from accessing a person's details, the portals made it possible for anyone to get data on beneficiaries of welfare schemes. In many cases, it included bank account numbers of beneficiaries. The report suggests that close to 23 crore Aadhaar number could have been leaked if most of the government portals connected to direct benefit transfers used the 'same negligent standards for storing data as the ones examined'. "The document shows that the breaches are an indicator of potentially irreversible privacy harm and the data could be used for financial fraud," the authors said in the report. The report was documented after authors studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government's Chandranna Bima Scheme and Andhra Pradesh's Daily Online Payment Reports of NREGA. <br /> <br /> The report said that sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information were easily available with a few clicks and suggested how poorly conceived these initiatives were. The report highlights that it was illegal to make personal data public and also refers to # #AadhaarLeaks, a campaign on twitter aimed at exposing the loopholes in the Aadhaar system.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals'>https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals</a>
</p>
No publisherpraskrishnaAadhaarInternet GovernancePrivacy2017-05-03T14:39:46ZNews ItemWhat India can Learn from the Snowden Revelations
https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations
<b>Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.</b>
<p>The title of the article was changed in the<a class="external-link" href="http://in.news.yahoo.com/why-india-needs-a-snowden-of-its-own-054956734.html"> version published by Yahoo</a> on October 23, 2013.</p>
<hr />
<p>Since the ‘<a href="http://www.theguardian.com/world/edward-snowden" target="_blank">Snowden revelations</a>’, which uncovered the United States government’s massive global <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_3">surveillance</span> through the <a href="http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank">PRISM</a> program, there have been reactions aplenty to their impact.</p>
<p style="text-align: justify; ">The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.</p>
<p style="text-align: justify; ">The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.</p>
<p style="text-align: justify; ">Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.</p>
<p style="text-align: justify; ">This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including <span class="cs4-visible yshortcuts" id="lw_1382621265093_1">India</span>.</p>
<h3 style="text-align: justify; ">India’s reaction</h3>
<p style="text-align: justify; ">After the first news of the Snowden revelations, the Indian Supreme Court <a href="http://www.medianama.com/2013/06/223-supreme-court-to-hear-pil-against-nsa-surveillance-of-indian-data-report/" target="_blank">agreed</a> to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.<br /><br />The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_7">government</span> or individual can take against the US government or companies incorporated there.<br /><br />In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take. <br /><br />For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.<br /><br />To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same. <br /><br />In India, P. Rajeev, Member of Parliament from Kerala, has started a <a href="http://www.change.org/petitions/google-facebook-microsoft-yahoo-reveal-information-on-data-of-indian-citizens-given-to-us-security-agencies-2" target="_blank">petition</a> asking that the companies disclose information on <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_8">Indian data</span> given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.<br /><br />The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been <a href="http://articles.economictimes.indiatimes.com/2013-08-14/news/41409701_1_traffic-originating-and-terminating-servers-mocit" target="_blank">voiced by many</a>, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal <a href="http://mha.nic.in/Policy_Planing_Division" target="_blank">Mutual Legal Assistance Treaty</a> process, it does not necessarily enhance the privacy of Indian data. <br /><br />As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.</p>
<h3 style="text-align: justify; ">Snooping</h3>
<p style="text-align: justify; ">The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India. <br /><br />For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually <a href="http://timesofindia.indiatimes.com/tech/tech-news/telecom/BlackBerry-sets-up-server-in-Mumbai-to-aid-interception/articleshow/11969224.cms" target="_blank">set up servers in Mumbai</a> and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from <a href="http://news.cnet.com/8301-1009_3-20015418-83.html" target="_blank">Skype and Google</a>. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.<br /><br />Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive. <br /><br />The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.</p>
<p style="text-align: justify; ">The gaps in the Indian <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_4">surveillance</span> regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, <span class="cs4-visible yshortcuts" id="lw_1382621265093_2">India</span> is in the process of realizing a privacy legislation. <br /><br />In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank">The Report of the Group of Experts on Privacy</a>, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.<br /><br />The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.<br /><br />For example, telecoms in India are now required to include <a href="http://www.firstpost.com/tech/exclusive-location-tracking-of-every-indian-mobile-user-by-2014-876109.html/2" target="_blank">user location data</a> as part of the ‘call detail record’ and be able to <a href="http://www.medianama.com/2012/08/223-indian-government-revises-location-accuracy-guidelines-says-telcos-should-bear-the-cost/" target="_blank">provide</a> the same to law enforcement agencies on request under <a href="http://www.cca.ap.nic.in/i_agreement.pdf" target="_blank">provisions</a> in the Unified Access Service and Internet Service Provider Licenses. <br /><br />At the same time, the Government of India is in the process of putting in place a <a href="http://en.wikipedia.org/wiki/Central_Monitoring_System" target="_blank">Central Monitoring System</a> that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.</p>
<p style="text-align: justify; ">Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.<br /><br />If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.<br /><br />Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.</p>
<h3 style="text-align: justify; ">Policy vacuum</h3>
<p style="text-align: justify; ">For any <span class="cs4-ndcor yshortcuts" id="lw_1382621265093_5">government</span>, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe. <br /><br />When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.<br /><br />In 2013, the <a href="https://en.necessaryandproportionate.org/text" target="_blank">International Principles on the Application of Human Rights to Communications Surveillance</a> were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications. <br /><br />When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.</p>
<hr />
<p style="text-align: justify; "><i>Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations'>https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-10-25T07:29:57ZBlog EntryWhat Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?
https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy
<b>Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.</b>
<p style="text-align: justify; ">Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.</p>
<p style="text-align: justify; ">Since the Prime Minister of India Shri Narendra Modi has stated that "<a class="external-link" href="http://pmindia.gov.in/en/quest-for-transparency/">transparency and accountability are the two cornerstones of any pro-people government</a>", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.</p>
<p style="text-align: justify; ">At the same time, <a class="external-link" href="https://govtrequests.facebook.com/">Facebook's Global Government Requests Report</a> implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy'>https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy</a>
</p>
No publisherpraneshFreedom of Speech and ExpressionTransparency ReportsInternet GovernancePrivacy2015-04-05T05:08:37ZBlog Entry