The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 11 to 25.
Stand up for Digital Rights
https://cis-india.org/internet-governance/events/stand-up-for-digital-rights
<b>The Centre for Internet & Society (CIS) invites you to a discussion on a set of recommendations for Ethical Tech, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The event will be held at CIS office in Bangalore on June 15, 2016 from 5 p.m. to 7 p.m.</b>
<p style="text-align: justify; ">The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of recommendations for Ethical Tech. This work is the culmination of a year long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:</p>
<div id="_mcePaste">
<ul>
<li><span>General Human Rights Responsibilities and Private Online Intermediaries</span></li>
<li><span>Expanding Access</span></li>
<li><span>Net Neutrality</span></li>
<li><span>Content Moderation</span></li>
<li><span>Privacy</span></li>
<li><span>Transparency and Informed Consent</span></li>
<li><span>Responding to State Interferences</span></li>
</ul>
</div>
<p>We look forward to meeting you and making this forum for knowledge exchange a success.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/stand-up-for-digital-rights'>https://cis-india.org/internet-governance/events/stand-up-for-digital-rights</a>
</p>
No publisherelonnaiEventInternet GovernanceDigital Rights2016-06-13T15:30:12ZEventGNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector
https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector
<b>Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.</b>
<p style="text-align: justify; ">The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.</p>
<p style="text-align: justify; ">The session took place according to the Chatham House Rule. Each short presentation was followed by a space for questions and answers.</p>
<ul>
<li>
<div style="text-align: justify; ">Human Rights Impact Assessments in the ICT sector – Michael Samway</div>
</li>
<li>
<div style="text-align: justify; ">The Human Rights Due Diligence Process at Nokia – Laura Okkonen</div>
</li>
<li>
<div style="text-align: justify; ">Yahoo’s approach to Human Rights Impact Assessments– Nicole Karlebach and Katie Shay</div>
</li>
<li>
<div style="text-align: justify; ">Orange’s challenges and approach to doing business in Africa – Yves Nissim</div>
</li>
<li>
<div style="text-align: justify; ">Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen</div>
</li>
<li>
<div style="text-align: justify; ">TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius</div>
</li>
<li>
<div style="text-align: justify; ">Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews</div>
</li>
</ul>
<p>For discussion:</p>
<ul>
<li>What are some of the common challenges facing current GNI member companies and ID member companies?</li>
<li>What do we consider to be good practices that are applicable to all?</li>
<li>What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector'>https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2016-04-06T15:42:41ZNews ItemPolicy Brief: Oversight Mechanisms for Surveillance
https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance
<b></b>
<p><a href="https://cis-india.org/internet-governance/blog/oversight-mechanisms-for-surveillance" class="internal-link"><b>Download the PDF </b></a></p>
<hr />
<h2 style="text-align: justify; ">Introduction</h2>
<p style="text-align: justify; ">Across jurisdictions, the need for effective and relevant oversight mechanisms (coupled with legislative safeguards) for state surveillance has been highlighted by civil society, academia, citizens and other key stakeholders.<a href="#fn1" name="fr1">[1] </a>A key part of oversight of state surveillance is accountability of intelligence agencies. This has been recognized at the international level. Indeed, the Organization for Economic Co-operation and Development, The United Nations, the Organization for Security and Cooperation in Europe, the Parliamentary Assembly of the Council of Europe, and the Inter-Parliamentary Union have all recognized that intelligence agencies need to be subject to democratic accountability.<a href="#fn2" name="fr2">[2] </a>Since 2013, the need for oversight has received particular attention in light of the information disclosed through the 'Snowden Revelations'. <a href="#fn3" name="fr3">[3]</a> Some countries such as the US, Canada, and the UK have regulatory mechanisms for the oversight of state surveillance and the intelligence community, while many other countries – India included - have piecemeal oversight mechanisms in place. The existence of regulatory mechanisms for state surveillance does not necessarily equate to effective oversight – and piecemeal mechanisms – depending on how they are implemented, could be more effective than comprehensive mechanisms. This policy brief seeks to explore the purpose of oversight mechanisms for state surveillance, different forms of mechanisms, and what makes a mechanism effective and comprehensive. The brief also reviews different oversight mechanisms from the US, UK, and Canada and provides recommendations for ways in which India can strengthen its present oversight mechanisms for state surveillance and the intelligence community.</p>
<h2 style="text-align: justify; ">What is the purpose and what are the different components of an oversight mechanism for State Surveillance?</h2>
<p style="text-align: justify; ">The International Principles on the Application of Human Rights to Communication Surveillance, developed through a global consultation with civil society groups, industry, and international experts recommends that public oversight mechanisms for state surveillance should be established to ensure transparency and accountability of Communications Surveillance. To achieve this, mechanisms should have the authority to:</p>
<ul style="text-align: justify; ">
<li>Access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information;</li>
<li>Assess whether the State is making legitimate use of its lawful capabilities;</li>
<li>Evaluate whether the State has been comprehensively and accurately publishing information about the use and scope of Communications Surveillance techniques and powers in accordance with its Transparency obligations publish periodic reports and other information relevant to Communications Surveillance;</li>
<li>Make public determinations as to the lawfulness of those actions, including the extent to which they comply with these Principles<a href="#fn4" name="fr4">[4] </a></li>
</ul>
<h2 style="text-align: justify; ">What can inform oversight mechanisms for state surveillance?</h2>
<p style="text-align: justify; ">The development of effective oversight mechanisms for state surveillance can be informed by a number of factors including:</p>
<ul style="text-align: justify; ">
<li>Rapidly changing technology – how can mechanisms adapt, account for, and evaluate perpetually changing intelligence capabilities?</li>
<li>Expanding surveillance powers – how can mechanisms evaluate and rationalize the use of expanding agency powers?</li>
<li style="text-align: justify; ">Tensions around secrecy, national interest, and individual rights – how can mechanisms respect, recognize, and uphold multiple competing interests and needs including an agency's need for secrecy, the government's need to protect national security, and the citizens need to have their constitutional and fundamental rights upheld?</li>
<li style="text-align: justify; ">The structure, purpose, and goals of specific intelligence agencies and circumstances– how can mechanisms be sensitive and attuned to the structure, purpose, and functions of differing intelligence agencies and circumstances? </li>
</ul>
<p style="text-align: justify; ">These factors lead to further questions around:</p>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">The purpose of an oversight mechanism: Is an oversight mechanism meant to ensure effectiveness of an agency? Perform general reviews of agency performance? Supervise the actions of an agency? Hold an agency accountable for misconduct?</li>
<li>The structure of an oversight mechanism: Is it internal? External? A combination of both? How many oversight mechanisms that agencies should be held accountable to?</li>
<li>The functions of an oversight mechanism: Is an oversight mechanism meant to inspect? Evaluate? Investigate? Report?</li>
<li style="text-align: justify; ">The powers of an oversight mechanism: The extent of access that an oversight mechanism needs and should have to the internal workings of security agencies and law enforcement to carry out due diligence? The extent of legal backing that an oversight mechanism should have to hold agencies legally accountable.</li>
</ul>
<h2 style="text-align: justify; ">What oversight mechanisms for State Surveillance exist in India?</h2>
<p style="text-align: justify; ">In India the oversight 'ecosystem' for state surveillance is comprised of:</p>
<ol style="text-align: justify; ">
<li style="text-align: justify; "><b>Review committee</b>: Under the Indian Telegraph Act 1885 and the Rules issued thereunder (Rule 419A), a Central Review Committee that consists of the Cabinet Secretary, Secretary of Legal Affairs to the Government of India, Secretary of Department of Telecommunications to the Government of India is responsible for meeting on a bi-monthly basis and reviewing the legality of interception directions. The review committee has the power to revoke the directions and order the destruction of intercepted material.<a href="#fn5" name="fr5">[5]</a> This review committee is also responsible for evaluating interception, monitoring, and decryption orders issued under section 69 of the Information Technology Act 2000.<a href="#fn6" name="fr6">[6]</a> and orders for the monitoring and collection of traffic data under section 69B of the Information Technology Act 2000.<a href="#fn7" name="fr7">[7]</a></li>
<li style="text-align: justify; "><b>Authorizing Authorities</b>: The Secretary in the Ministry of Home Affairs of the Central Government is responsible for authorizing requests for the interception, monitoring, and decryption of communications issued by central agencies.<a href="#fn8" name="fr8">[8]</a> The Secretary in charge of the Home Department is responsible for authorizing requests for the interception, monitoring, and decryption of communications from state level agencies and law enforcement.<a href="#fn9" name="fr9">[9]</a> The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is responsible for authorizing requests for the monitoring and collection of traffic data.<a href="#fn10" name="fr10">[10]</a> Any officer not below the rank of Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary in this behalf, may authorize the interception of communications in case of an emergency.<a href="#fn11" name="fr11">[11]</a> A Commissioner of Police, District Superintendent of Police or Magistrate may issue requests for stored data to any postal or telegraph authority.<a href="#fn12" name="fr12">[12]</a></li>
<li style="text-align: justify; "><b>Administrative authorities</b>: India does not have an oversight mechanism for intelligence agencies, but agencies do report to different authorities. For example: The Intelligence Bureau reports to the Home Minister, the Research and Anaylsis Wing is under the Cabinet Secretariat and reports to the Prime Minister, the Joint Intelligence Committee (JIC), National Technical Research Organisation (NTRO) and Aviation Research Centre (ARC) report to the National Security Adviser; and the National Security Council Secretariat under the NSA which serves the National Security Council.<a href="#fn13" name="fr13">[13] </a></li>
</ol>
<p style="text-align: justify; ">It is important to note that though India has a Right to Information Act, but most of the security agencies are exempt from the purview of the Act<a href="#fn14" name="fr14">[14]</a> as is disclosure of any information that falls under the purview of the Official Secrets Act 1923.<a href="#fn15" name="fr15">[15]</a> [Note: There is no point in listing out all the exceptions given in section 8 and other sections as well. I think the point is sufficiently made when we say that security agencies are exempt from the purview of the Act.] The Official Secrets Act does not provide a definition of an 'official secret' and instead protects information: pertaining to national Security, defence of the country, affecting friendly relations with foreign states, etc.<a href="#fn16" name="fr16">[16] </a>Information in India is designated as classified in accordance to the Manual of Departmental Security Instruction which is circulated by the Ministry of Home Affairs. According to the Public Records Rules 1997, “classified records" means the files relating to the public records classified as top-secret, confidential and restricted in accordance with the procedure laid down in the Manual of Departmental Security Instruction circulated by the Ministry of Home affairs from time to time;”<a href="#fn17" name="fr17">[17] </a>Bi-annually officers evaluate and de-classify classified information and share the same with the national archives.<a href="#fn18" name="fr18">[18] </a>In response to questions raised in the Lok Sabha on the 5th of May 2015 regarding if the Official Secrets Act, 1923 will be reviewed, the number of classified files stored with the Government under the Act, and if the Government has any plans to declassify some of the files – the Ministry of Home Affairs clarified that a committee consisting of Secretaries of the Ministry of Home Affairs, the Department of Personnel and Training, and the Department of Legal Affairs has been established to examine the provisions of the Official Secrets Act, 1923 particularly in light of the Right to Information Act, 2005. The Ministry of Home Affairs also clarified that the classification and declassification of files is done by each Government Department as per the Manual of Departmental Security Instructions, 1994 and thus there is no 'central database of the total number of classified files'.<a href="#fn19" name="fr19">[19] </a></p>
<h3 style="text-align: justify; ">How can India's oversight mechanism for state surveillance be clarified?</h3>
<p style="text-align: justify; ">Though these mechanisms establish a basic framework for an oversight mechanism for state surveillance in India, there are aspects of this framework that could be clarified and there are ways in which the framework could be strengthened.</p>
<p style="text-align: justify; ">Aspects of the present review committee that could be clarified:</p>
<ol style="text-align: justify; ">
<li style="text-align: justify; ">Powers of the review committee: Beyond having the authority to declare that orders for interception, monitoring, decryption, and collection of traffic data are not within the scope of the law and order for destruction of any collected information – what powers does the review committee have? Does the committee have the power to compel agencies to produce additional or supporting evidence? Does the committee have the power to compel information from the authorizing authority?</li>
<li style="text-align: justify; ">Obligations of the review committee: The review committee is required to 'record its findings' as to whether the interception orders issued are in accordance with the law. Is there a standard set of questions/information that must be addressed by the committee when reviewing an order? Does the committee only review the content of the order or do they also review the implementation of the order? Beyond recording its findings, are there any additional reporting obligations that the review committee must fulfill?</li>
<li style="text-align: justify; ">Accountability of the review committee: Does the review committee answer to a higher authority? Do they have to submit their findings to other branches of the government – such as Parliament? Is there a mechanism to ensure that the review committee does indeed meet every two months and review all orders issued under the relevant sections of the Indian Telegraph Act 1885 and the Information Technology Act 2008?</li>
</ol>
<h2 style="text-align: justify; ">Proposed oversight mechanisms in India</h2>
<p style="text-align: justify; ">Oversight mechanisms can help with avoiding breaches of national security by ensuring efficiency and effectiveness in the functioning of security agencies. The need for the oversight of state surveillance is not new in India. In 1999 the Union Government constituted a Committee with the mandate of reviewing the events leading up to Pakistani aggression in Kargil and to recommend measures towards ensuring national security. Though the Kargil Committee was addressing surveillance from the perspective of gathering information on external forces, there are parellels in the lessons learned for state surveillance. Among other findings, in their Report the Committee found a number of limitations in the system for collection, reporting, collation, and assessment of intelligence. The Committee also found that there was a lack of oversight for the intelligence community in India – resulting in no mechanisms for tasking the agencies, monitoring their performance and overall functioning, and evaluating the quality of the work.</p>
<p style="text-align: justify; ">The Committee also noted that such a mechanism is a standard feature in jurisdictions across the world. The Committee emphasized this need from an economic perspective – that without oversight – the Government and the nation has no way of evaluating whether or not they are receiving value for their money. The Committee recommended a review of the intelligence system with the objective of solving such deficiencies.<a href="#fn20" name="fr20">[20] </a></p>
<p style="text-align: justify; ">In 2000 a Group of Ministers was established to review the security and intelligence apparatus of the country. In their report issued to the Prime Minister, the Group of Ministers recommended the establishment of an Intelligence Coordination Group for the purpose of providing oversight of intelligence agencies at the Central level. Specifically the Intelligence Coordination Group would be responsible for:</p>
<ul style="text-align: justify; ">
<li>Allocation of resources to the intelligence agencies</li>
<li>Consideration of annual reviews on the quality of inputs</li>
<li>Approve the annual tasking for intelligence collection</li>
<li>Oversee the functions of intelligence agencies</li>
<li>Examine national estimates and forecasts<a href="#fn21" name="fr21">[21] </a></li>
</ul>
<p style="text-align: justify; ">Past critiques of the Indian surveillance regime have included the fact that intelligence agencies do not come under the purview of any overseeing mechanism including Parliament, the Right to Information Act 2005, or the General Comptroller of India.</p>
<p style="text-align: justify; ">In 2011, Manish Tewari, who at the time was a Member of Parliament from Ludhiana, introduced the Private Member's Bill - “The Intelligence Services (Powers and Regulation) Bill” proposed stand alone statutory regulation of intelligence agencies. In doing so it sought to establish an oversight mechanism for intelligence agencies within and outside of India. The Bill was never introduced into Parliament.<a href="#fn22" name="fr22">[22]</a> Broadly, the Bill sought to establish: a National Intelligence and Security Oversight Committee which would oversee the functionings of intelligence agencies and would submit an annual report to the Prime Minister, a National Intelligence Tribunal for the purpose of investigating complaints against intelligence agencies, an Intelligence Ombudsman for overseeing and ensuring the efficient functioning of agencies, and a legislative framework regulating intelligence agencies.<a href="#fn23" name="fr23">[23] </a></p>
<p style="text-align: justify; ">Proposed policy in India has also explored the possibility of coupling surveillance regulation and oversight with private regulation and oversight. In 2011 the Right to Privacy Bill was drafted by the Department of Personnel and Training. The Bill proposed to establish a “Central Communication Interception Review Committee” for the purposes of reviewing orders for interception issued under the Telegraph Act. The Bill also sought to establish an authorization process for surveillance undertaken by following a person, through CCTV's, or other electronic means.<a href="#fn24" name="fr24">[24] </a>In contrast, the 2012 Report of the Group of Experts on Privacy, which provided recommendations for a privacy framework for India, recommended that the Privacy Commissioner should exercise broad oversight functions with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.<a href="#fn25" name="fr25">[25] </a></p>
<p style="text-align: justify; ">A 2012 report by the Institute for Defence Studies and Analyses titled “A Case for Intelligence Reforms in India” highlights at least four 'gaps' in intelligence that have resulted in breaches of national security including: zero intelligence, inadequate intelligence, inaccurate intelligence, and excessive intelligence – particularly in light of additional technical inputs and open source inputs.<a href="#fn26" name="fr26">[26]</a> In some cases, an oversight mechanism could help in remediating some of these gaps. Returning to the 2012 IDSA Report, the Report recommends the following steps towards an oversight mechanism for Indian intelligence:</p>
<ul style="text-align: justify; ">
<li>Establishing an Intelligence Coordination Group (ICG) that will exercise oversight functions for the intelligence community at the Central level. This could include overseeing functions of the agencies, quality of work, and finances. </li>
<li>Enacting legislation defining the mandates, functions, and duties of intelligence agencies.</li>
<li>Holding intelligence agencies accountable to the Comptroller & Auditor General to ensure financial accountability. </li>
<li>Establishing a Minister for National Security & Intelligence for exercising administrative authority over intelligence agencies. </li>
<li>Establishing a Parliamentary Accountability Committee for oversight of intelligence agencies through parliament. </li>
<li>Defining the extent to which intelligence agencies can be held accountable to reply to requests pertaining to violations of privacy and other human rights issued under the Right to Information Act.</li>
</ul>
<p style="text-align: justify; ">Highlighting the importance of accountable surveillance frameworks, in 2015 the external affairs ministry director general of India Santosh Jha stated at the UN General Assembly that the global community needs to "to create frameworks so that Internet surveillance practices motivated by security concerns are conducted within a truly transparent and accountable framework.”<a href="#fn27" name="fr27">[27] </a></p>
<h2 style="text-align: justify; ">In what ways can India's mechanisms for state surveillance be strengthened?</h2>
<p style="text-align: justify; ">Building upon the recommendations from the Kargil Committee, the Report from the Group of Ministers, the Report of the Group of Experts on Privacy, the Draft Privacy Bill 2011, and the IDSA report, ways in which the framework for oversight of state surveillance in India could be strengthened include:</p>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">Oversight to enhance public understanding, debate, accountability, and democratic governance: State surveillance is unique in that it is enabled with the objective of protecting a nations security. Yet, to do so it requires citizens of a nation to trust the actions taken by intelligence agencies and to allow for possible access into their personal lives and possible activities that might infringe on their constitutional rights (such as freedom of expression) for a larger outcome of security. Because of this, oversight mechanisms for state surveillance must balance securing national security while submitting itself to some form of accountability to the public.</li>
<li style="text-align: justify; ">Independence of oversight mechanisms: Given the Indian context, it is particularly important that an oversight mechanism for surveillance powers and the intelligence community is capable of addressing and being independent from political interference. Indeed, the majority of cases regarding illegal interceptions that have reached the public sphere pertain to the surveillance of political figures and political turf wars.<a href="#fn28" name="fr28">[28] </a>Furthermore, though the current Review Committee established in the Indian Telegraph Act does not have a member from the Ministry of Home Affairs (the Ministry responsible for authorizing interception requests), it is unclear how independent this committee is from the authorizing Ministry. To ensure non-biased oversight, it is important that oversight mechanisms are independent.</li>
<li style="text-align: justify; ">Legislative regulation of intelligence agencies: Currently, intelligence agencies are provided surveillance powers through the Information Technology Act and the Telegraph Act, but beyond the National Intelligence Agency Act which establishes the National Intelligence Agency, there is no legal mechanism creating, regulating and overseeing intelligence agencies using these powers. In the 'surveillance ecosystem' this creates a policy vacuum, where an agency is enabled through law with a surveillance power and provided a procedure to follow, but is not held legally accountable for the effective, ethical, and legal use of the power. To ensure legal accountability of the use of surveillance techniques, it is important that intelligence are created through legislation that includes oversight provisions.</li>
<li style="text-align: justify; ">Comprehensive oversight of all intrusive measures: Currently the Review Committee established under the Telegraph Act is responsible for the evaluation of orders for the interception, monitoring, decryption, and collection of traffic data. The Review Committee is not responsible for reviewing the implementation or effectiveness of such orders and is not responsible for reviewing orders for access to stored information or other forms of electronic surveillance. This situation is a result of 1. Present oversight mechanisms not having comprehensive mandates 2. Different laws in India enabling different levels of access and not providing a harmonized oversight mechanism and 3.Indian law not formally addressing and regulating emerging surveillance technologies and techniques. To ensure effectiveness, it is important for oversight mechanisms to be comprehensive in mandate and scope.</li>
<li style="text-align: justify; ">Establishment of a tribunal or redress mechanism: India currently does not have a specified means for individuals to seek redress for unlawful surveillance or surveillance that they feel has violated their rights. Thus, individuals must take any complaint to the courts. The downsides of such a system include the fact that the judiciary might not be able to make determinations regarding the violation, the court system in India is overwhelmed and thus due process is slow, and given the sensitive nature of the topic – courts might not have the ability to immediately access relevant documentation. To ensure redress, it is important that a tribunal or a redress mechanism with appropriate powers is established to address complaints or violations pertaining to surveillance.</li>
<li style="text-align: justify; ">Annual reporting by security agencies, law enforcement, and service providers: Information regarding orders for surveillance and the implementation of the same is not disclosed by the government or by service providers in India.<a href="#fn29" name="fr29">[29] </a> Indeed, service providers by law are required to maintain the confidentiality of orders for the interception, monitoring, or decryption of communications and monitoring or collection of traffic data. At the minimum, an oversight mechanism should receive annual reports from security agencies, law enforcement, and service providers with respect to the surveillance undertaken. Edited versions of these Reports could be shared with Parliament and the public.</li>
<li style="text-align: justify; ">Consistent and mandatory reviews of relevant legislation: Though committees have been established to review various legislation and policy pertaining to state surveillance, the time frame for these reviews is not clearly defined by law. These reviews should take place on a consistent and publicly stated time frame. Furthermore, legislation enabling surveillance in India do not require review and assessment for relevance, adequacy, necessity, and proportionality after a certain period of time. Mandating that legislation regulating surveillance is subject to review on a consistent is important in ensuring that the provisions are relevant, proportionate, adequate, and necessary. </li>
<li style="text-align: justify; ">Transparency of classification and declassification process and centralization of de-classified records: Currently, the Ministry of Home Affairs establishes the process that government departments must follow for classifying and de-classifying information. This process is not publicly available and de-classified information is stored only with the respective department. For transparency purposes, it is important that the process for classification of records be made public and the practice of classification of information take place in exceptional cases. Furthermore, de-classified records should be stored centrally and made easily accessible to the public. </li>
<li style="text-align: justify; ">Executive and administrative orders regarding establishing of agencies and surveillance projects should be in the public domain: Intelligence agencies and surveillance projects in India are typically enabled through executive orders. For example, NATGRID was established via an executive order, but this order is not publicly available. As a form of transparency and accountability to the public, it is important that if executive orders establish an agency or a surveillance project, these are made available to the public to the extent possible.</li>
<li style="text-align: justify; ">Oversight of surveillance should incorporate privacy and cyber/national security: Increasingly issues of surveillance, privacy, and cyber security are interlinked. Any move to establish an oversight mechanism for surveillance and the intelligence committee must incorporate and take into consideration privacy and cyber security. This could mean that an oversight mechanism for surveillance in India works closely with CERT-IN and a potential privacy commissioner or that the oversight mechanism contains internal expertise in these areas to ensure that they are adequately considered. </li>
<li style="text-align: justify; ">Oversight by design: Just like the concept of privacy by design promotes the ideal that principles of privacy are built into devices, processes, services, organizations, and regulation from the outset – oversight mechanisms for state surveillance should also be built in from the outset of surveillance projects and enabling legislation. In the past, this has not been the practice in India– the National Intelligence Grid was an intelligence system that sought to link twenty one databases together – making such information easily and readily accessible to security agencies – but the oversight of such a system was never defined.<a href="#fn30" name="fr30">[30]</a> Similarly, the Centralized Monitoring System was conceptualized to automate and internalize the process of intercepting communications by allowing security agencies to intercept communications directly and bypass the service provider.<a href="#fn31" name="fr31">[31]</a> Despite amending the Telecom Licenses to provide for the technical components of this project, oversight of the project or of security agencies directly accessing information has yet to be defined.<a href="#fn32" name="fr32">[32] </a></li>
</ul>
<h2 style="text-align: justify; ">Examples of oversight mechanisms for State Surveillance: US, UK, Canada and United States</h2>
<h3 style="text-align: justify; ">United States</h3>
<p style="text-align: justify; ">In the United States the oversight 'ecosystem' for state surveillance is made up of:</p>
<p style="text-align: justify; "><b>The Foreign Intelligence Surveillance Court</b></p>
<p style="text-align: justify; ">The U.S Foreign Intelligence Surveillance Court (FISA) is the predominant oversight mechanism for state surveillance and oversees and authorizes the actions of the Federal Bureau of Investigation and the National Security Agency.<a href="#fn33" name="fr33">[33]</a> The court was established by the enactment of the Foreign Intelligence Surveillance Act 1978 and is governed by Rules of Procedure, the current Rules being formulated in 2010.<a href="#fn34" name="fr34">[34] </a>The Court is empowered to ensure compliance with the orders that it issues and the government is obligated to inform the Court if orders are breached.<a href="#fn35" name="fr35">[35] </a>FISA allows for individuals who receive an order from the Court to challenge the same,<a href="#fn36" name="fr36">[36] </a>and public filings are available on the Court's website.<a href="#fn37" name="fr37">[37] </a>Additionally, organizations, including the American Civil Liberties Union<a href="#fn38" name="fr38">[38] </a>and the Electronic Frontier Foundation, have filed motions with the Court for release of records. <a href="#fn39" name="fr39">[39] </a>Similarly, Google has approached the Court for the ability to publish aggregate information regarding FISA orders that the company recieves.<a href="#fn40" name="fr40">[40] </a></p>
<p style="text-align: justify; "><b>Government Accountability Office </b></p>
<p style="text-align: justify; ">The U.S Government Accountability Office (GAO) is an independent office that works for Congress and conducts audits, investigates, provides recommendations, and issues legal decisions and opinions with regard to federal government spending of taxpayer's money by the government and associated agencies including the Defence Department, the FBI, and Homeland Security.<a href="#fn41" name="fr41">[41] </a>The head of the GAO is the Comptroller General of the United States and is appointed by the President. The GAO will initiate an investigation if requested by congressional committees or subcommittees or if required under public law or committee reports. The GOA has reviewed topics relating to Homeland Security, Information Security, Justice and Law Enforcement, National Defense, and Telecommunications.<a href="#fn42" name="fr42">[42] </a>For example, in June 2015 the GOA completed an investigation and report on 'Foreign Terrorist Organization Process and U.S Agency Enforcement Actions” <a href="#fn43" name="fr43">[43] </a>and an investigation on “Cyber Security: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies”.<a href="#fn44" name="fr44">[44]</a></p>
<p style="text-align: justify; "><b>Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence</b></p>
<p style="text-align: justify; ">The U.S. Senate Select Committee on Intelligence is a standing committee of the U.S Senate with the mandate to review intelligence activities and programs and ensure that these are inline with the Constitution and other relevant laws. The Committee is also responsible for submitting to Senate appropriate proposals for legislation, and for reporting to Senate on intelligence activities and programs.<a href="#fn45" name="fr45">[45] </a>The House Permanent Select Committee holds similar jurisdiction. The House Permanent Select Committee is committed to secrecy and cannot disclose classified information excepted authorized to do so. Such an obligation does not exist for the Senate Select Committee on Intelligence and the committee can disclose classified information publicly on its own.<a href="#fn46" name="fr46">[46]</a></p>
<p style="text-align: justify; "><b>Privacy and Civil Liberties Oversight Board</b> (PCLOB)</p>
<p style="text-align: justify; ">The Privacy and Civil Liberties Oversight Board was established by the Implementing Recommendations of the 9/11 Commission Act of 2007 and is located within the executive branch.<a href="#fn47" name="fr47">[47] </a>The objective of the PCLOB is to ensure that the Federal Government's actions to combat terrorism are balanced against privacy and civil liberties. Towards this, the Board has the mandate to review and analyse ant-terrorism measures the executive takes and ensure that such actions are balanced with privacy and civil liberties, and to ensure that privacy and civil liberties are liberties are adequately considered in the development and implementation of anti-terrorism laws, regulations and policies.<a href="#fn48" name="fr48">[48] </a>The Board is responsible for developing principles to guide why, whether, when, and how the United States conducts surveillance for authorized purposes. Additionally, officers of eight federal agencies must submit reports to the PCLOB regarding the reviews that they have undertaken, the number and content of the complaints, and a summary of how each complaint was handled. In order to fulfill its mandate, the Board is authorized to access all relevant records, reports, audits, reviews, documents, papers, recommendations, and classified information. The Board may also interview and take statements from necessary personnel. The Board may request the Attorney General to subpoena on the Board's behalf individuals outside of the executive branch.<a href="#fn49" name="fr49">[49]</a></p>
<p style="text-align: justify; ">To the extent possible, the Reports of the Board are made public. Examples of recommendations that the Board has made in the 2015 Report include: End the NSA”s bulk telephone records program, add additional privacy safeguards to the bulk telephone records program, enable the FISC to hear independent views on novel and significant matters, expand opportunities for appellate review of FISC decisions, take advantage of existing opportunities for outside legal and technical input in FISC matters, publicly release new and past FISC and DISCR decisions that involve novel legal, technical, or compliance questions, publicly report on the operation of the FISC Special Advocate Program, Permit Companies to Disclose Information about their receipt of FISA production orders and disclose more detailed statistics on surveillance, inform the PCLOB of FISA activities and provide relevant congressional reports and FISC decisions, begin to develop principles for transparency, disclose the scope of surveillance authorities affecting US Citizens.<a href="#fn50" name="fr50">[50]</a></p>
<p style="text-align: justify; "><b>The Wiretap Report </b></p>
<p style="text-align: justify; ">The Wiretap Report is an annual compilation of information provided by federal and state officials regarding applications for interception orders of wire, oral, or electronic communications, data address offenses under investigation, types and locations of interception devices, and costs and duration of authorized intercepts.<a href="#fn51" name="fr51">[51] </a>When submitting information for the report a judge will include the name and jurisdiction of the prosecuting official who applied for the order, the criminal offense under investigation, the type of intercept device used, the physical location of the device, and the duration of the intercept. Prosecutors provide information related to the cost of the intercept, the number of days the intercept device was in operation, the number of persons whose communications were intercepted, the number of intercepts, and the number of incriminating intercepts recorded. Results of the interception orders such as arrest, trials, convictions, and the number of motions to suppress evidence are also noted in the prosecutor reports. The Report is submitted to Congress and is legally required under Title III of the Omnibus Crime Control and Safe Streets Act of 1968. The report is issued by the Administrative Office of the United States Courts.<a href="#fn52" name="fr52">[52] </a></p>
<h3 style="text-align: justify; ">United Kingdom</h3>
<p style="text-align: justify; "><b>The Intelligence and Security Committee (ISC) of Parliament </b></p>
<p style="text-align: justify; ">The Intelligence Security Committee was established by the Intelligence Services Act 1994. Members are appointed by the Prime Minster and the Committee reports directly to the same. Additionally, the Committee submits annual reports to Parliament. Towards this, the Committee can take evidence from cabinet ministers, senior officials, and from the public.<a href="#fn53" name="fr53">[53] </a>The most recent report of the Committee is the 2015 “Report on Privacy and Security”.<a href="#fn54" name="fr54">[54] </a>Members of the Committee are subject to the Official Secrets Act 1989 and have access to classified material when carrying out investigations.<a href="#fn55" name="fr55">[55]</a></p>
<p style="text-align: justify; "><b>Joint Intelligence Committee (JIC)</b></p>
<p style="text-align: justify; ">This Joint Intelligence Committee is located in the Cabinet office and is broadly responsible for overseeing national intelligence organizations and providing advice to the Cabinet on issues related to security, defense, and foreign affairs. The JIC is overseen by the Intelligence and Security Committee.<a href="#fn56" name="fr56">[56]</a></p>
<p style="text-align: justify; "><b>The Interception of Communications Commissioner </b></p>
<p style="text-align: justify; ">The Interception of Communications Commissioner is appointed by the Prime Minster under the Regulation of Investigatory Powers Act 2000 for the purpose of reviewing surveillance conducted by intelligence agencies, police forces, and other public authorities. Specifically, the Commissioner inspects the interception of communications, the acquisition and disclosure of communications data, the interception of communications in prisons, and the unintentional electronic interception.<a href="#fn57" name="fr57">[57] </a>The Commissioner submits an annual report to the Prime Minister. The Reports of the Commissioner are publicly available.<a href="#fn58" name="fr58">[58]</a></p>
<p style="text-align: justify; "><b>The Intelligence Services Commissioner </b></p>
<p style="text-align: justify; ">The Intelligence Services Commissioner is an independent body appointed by the Prime Minister that is legally empowered through the Regulation of Investigatory Powers Act (RIPA) 2000. The Commissioner provides independent oversight on the use of surveillance by UK intelligence services.<a href="#fn59" name="fr59">[59] </a>Specifically, the Commissioner is responsible for reviewing authorized interception orders and the actions and performance of the intelligence services.<a href="#fn60" name="fr60">[60]</a> The Commissioner is also responsible for providing assistance to the Investigatory Powers Tribunal, submitting annual reports to the Prime Minister on the discharge of its functions, and advising the Home Office on the need of extending the Terrorism Prevention and Investigation Measures regime.<a href="#fn61" name="fr61">[61] </a>Towards these the Commissioner conducts in-depth audits on the orders for interception to ensure that the surveillance is within the scope of the law, that the surveillance was necessary for a legally established reason, that the surveillance was proportionate, that the information accessed was justified by the privacy invaded, and that the surveillance authorized by the appropriate official. The Commissioner also conducts 'site visits' to ensure that orders are being implemented as per the law.<a href="#fn62" name="fr62">[62] </a>As a note, the Intelligence Services Commissioner does not undertake any subject that is related to the Interception of Communications Commissioner. The Commissioner has access to any information that he feels is necessary to carry out his investigations. The Reports of the Intelligence Service Commissioner are publicly available.<a href="#fn63" name="fr63">[63] </a></p>
<p style="text-align: justify; "><b>Investigatory Powers Tribunal </b></p>
<p style="text-align: justify; ">The Investigatory Powers Tribunal is a court which investigates complaints of unlawful surveillance by public authorities or intelligence/law enforcement agencies.<a href="#fn64" name="fr64">[64]</a> The Tribunal was established under the Regulation of Investigatory Powers Act 2000 and has a range of oversight functions to ensure that public authorities act and agencies are in compliance with the Human Rights Act 1998.<a href="#fn65" name="fr65">[65]</a> The Tribunal specifically is an avenue of redress for anyone who believes that they have been a victim of unlawful surveillance under RIPA or wider human rights infringements under the Human Rights Act 1998. The Tribunal can provide seven possible outcomes for any application including 'found in favor of complainant, no determination in favour of complainant, frivolous or vexatious, out of time, out of jurisdiction, withdrawn, or no valid complaint.<a href="#fn66" name="fr66">[66] </a>The Tribunal has the authority to receive and consider evidence in any form, even if inadmissible in an ordinary court.<a href="#fn67" name="fr67">[67]</a> Where possible, cases are available on the Tribunal's website. Decisions by the Tribunal cannot be appealed, but can be challenged in the European Court of Human Rights.<a href="#fn68" name="fr68">[68] </a></p>
<h3 style="text-align: justify; ">Canada</h3>
<p style="text-align: justify; ">In Canada the oversight 'ecosystem' for state surveillance includes:</p>
<p style="text-align: justify; "><b>Security Intelligence Review Committee </b></p>
<p style="text-align: justify; ">The Security Intelligence Review Committee is an independent body that is accountable to the Parliament of Canada and reports on the Canadian Security Intelligence Service.<a href="#fn69" name="fr69">[69]</a> Members of the Security Intelligence Review Committee are appointed by the Prime Minister of Canada. The committee conducts reviews on a pro-active basis and investigates complaints. Committee members have access to classified information to conduct reviews. The Committee submits an annual report to Parliament and an edited version is publicly available. The 2014 Report was titled “Lifting the Shroud of Secrecy”<a href="#fn70" name="fr70">[70] </a>and includes reviews of the CSIS's activities, reports on complaints and subsequent investigations, and provides recommendations.</p>
<p style="text-align: justify; "><b>Office of the Communications Security Establishment Commissioner </b></p>
<p style="text-align: justify; ">The Communications Security Commissioner conducts independent reviews of Communications Security Establishment (CSE) activities to evaluate if they are within the scope of Canadian law.<a href="#fn71" name="fr71">[71] </a>The Commissioner submits a report to Parliament on an annual basis and has a number of powers including the power to subpoena documents and personnel.<a href="#fn72" name="fr72">[72]</a> If the Commissioner believes that the CSE has not complied with the law – it must report this to the Attorney General of Canada and to the Minister of National Defence. The Commissioner may also receive information from persons bound to secrecy if they deem it to be in the public interest to disclose such information.<a href="#fn73" name="fr73">[73] </a>The Commissioner is also responsible for verifying that the CSE does not surveil Canadians and for promoting measures to protect the privacy of Canadians.<a href="#fn74" name="fr74">[74] </a>When conducting a review, the Commissioner has the ability to examine records, receive briefings, interview relevant personnel, assess the veracity of information, listen to intercepted voice recordings, observe CSE operators and analysts to verify their work, examine CSI electronic tools, systems and databases to ensure compliance with the law.<a href="#fn75" name="fr75">[75] </a></p>
<p style="text-align: justify; "><b>Office of the Privacy Commissioner</b></p>
<p style="text-align: justify; ">The Office of the Privacy Commissioner of Canada (OPC) oversees the implementation of and compliance with the Privacy Act and the Personal information and Electronic Documents Act.<a href="#fn76" name="fr76">[76] </a></p>
<p style="text-align: justify; ">The OPC is an independent body that has the authority to investigate complaints regarding the handling of personal information by government and private companies, but can only comment on the activities of security and intelligence agencies. For example, in 2014 the OPC issued the report “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber Surveillance”<a href="#fn77" name="fr77">[77]</a> The OPC can also provide testimony to Parliament and other government bodies.<a href="#fn78" name="fr78">[78] </a>For example, the OPC has made appearances before the Senate Standing Committee of National Security and Defense on Bill C-51.<a href="#fn79" name="fr79">[79]</a> The OPC cannot conduct joint audits or investigations with other bodies.<a href="#fn80" name="fr80">[80]</a></p>
<p style="text-align: justify; "><b>Annual Interception Reports</b></p>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; ">Under the Criminal Code of Canada, regional governments must issue annual interception reports. The reports must include number of individuals affected by interceptions, average duration of the interception, type of crimes investigated, numbers of cases brought to court, and number of individuals notified that interception had taken place.<a href="#fn81" name="fr81">[81] </a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The presence of multiple and robust oversight mechanisms for state surveillance does not necessarily correlate to effective oversight. The oversight mechanisms in the UK, Canada, and the U.S have been criticised. For example, Canada . For example, the Canadian regime has been characterized as becoming weaker it has removed one of its key over sight mechanisms – the Inspector General of the Canadian Security Intelligence Service which was responsible for certifying that the Service was in compliance with law.<a href="#fn82" name="fr82">[82] </a></p>
<p style="text-align: justify; ">Other weaknesses in the Canadian regime that have been highlighted include the fact that different oversight bodies do not have the authority to share information with each other, and transparency reports do not include many new forms of surveillance.<a href="#fn83" name="fr83">[83]</a> Oversight mechanisms in the U.S on the other hand have been criticized as being opaque<a href="#fn84" name="fr84">[84] </a>or as lacking the needed political support to be effective.<a href="#fn85" name="fr85">[85]</a> The UK oversight mechanism has been criticized for not having judicial authorization of surveillance requests, have opaque laws, and for not having a strong right of redress for affected individuals.<a href="#fn86" name="fr86">[86] </a>These critiques demonstrate that there are a number of factors that must come together for an oversight mechanism to be effective. Public transparency and accountability to decision making bodies such as Parliament or Congress can ensure effectiveness of oversight mechanisms, and are steps towards providing the public with means to debate in an informed manner issues related to state surveillance and allows different bodies within the government the ability to hold the state accountable for its actions.</p>
<ol style="text-align: justify; "> </ol><ol style="text-align: justify; "> </ol><ol style="text-align: justify; "> </ol>
<ul style="text-align: justify; ">
<hr />
<p style="text-align: justify; ">.[<a href="#fr1" name="fn1">1</a>]. For example, “Public Oversight” is one of the thirteen Necessary and Proportionate principles on state communications surveillance developed by civil society and academia globally, that should be incorporated by states into communication surveillance regimes. The principles can be accessed here: https://en.necessaryandproportionate.org/</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Hans Born and Ian Leigh, “Making Intelligence Accountable. Legal Standards and Best Practice for Oversight of Intelligence Agencies.” Pg. 13. 2005. Available at: http://www.prsindia.org/theprsblog/wp-content/uploads/2010/07/making-intelligence.pdf. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. For example, this point was made in the context of the UK. For more information see: Nick Clegg, 'Edward Snowden's revelations made it clear: security oversight must be fit for the internet age,”. The Guardian. March 3rd 2014. Available at: <a href="http://www.theguardian.com/commentisfree/2014/mar/03/nick-clegg-snowden-security-oversight-internet-age">http://www.theguardian.com/commentisfree/2014/mar/03/nick-clegg-snowden-security-oversight-internet-age</a>. Accessed: July 27, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. International Principles on the Application of Human Rights to Communications Surveillance. Available at: https://en.necessaryandproportionate.org/</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Sub Rules (16) and (17) of Rule 419A, Indian Telegraph Rules, 1951. Available at:http://www.dot.gov.in/sites/default/files/march2007.pdf Note: This review committee is responsible for overseeing interception orders issued under the Indian Telegraph Act and the Information Technology Act.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009. Definition q. Available at: <a href="http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf">http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, 2009). Definition (n). Available at: <a href="http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act. Section 2, Indian Telegraph Act 1885 and Section 4, Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009</p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act. Section 2, Indian Telegraph Act 1885 and Section 4, Information Technology Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Definition (d) and section 3 of the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules, 2009). Available at: <a href="http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009">http://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009</a></p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Rule 1, of the 419A Rules, Indian Telegraph Act 1885. Available at:http://www.dot.gov.in/sites/default/files/march2007.pdf This authority is responsible for authorizing interception requests issued under the Indian Telegraph Act and the Information Technology Act.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Section 92, CrPc. Available at: http://www.icf.indianrailways.gov.in/uploads/files/CrPC.pdf</p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Press Information Bureau GOI. Reconstitution of Cabinet Committees. June 19th 2014. Available at: <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=105747">http://pib.nic.in/newsite/PrintRelease.aspx?relid=105747</a>. Accessed August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Press Information Bureau, Government of India. Home minister proposes radical restructuring of security architecture. Available at: <a href="http://www.pib.nic.in/newsite/erelease.aspx?relid=56395">http://www.pib.nic.in/newsite/erelease.aspx?relid=56395</a>. Accessed August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Section 24 read with Schedule II of the Right to Information Act 2005. Available at: http://rti.gov.in/rti-act.pdf</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Section 8 of the Right to Information Act 2005. Available at: http://rti.gov.in/rti-act.pdf</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Abhimanyu Ghosh. “Open Government and the Right to Information”. Legal Services India. Available at: <a href="http://www.legalservicesindia.com/articles/og.htm">http://www.legalservicesindia.com/articles/og.htm</a>. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Public Record Rules 1997. Section 2. Definition c. Available at: <a href="http://nationalarchives.nic.in/writereaddata/html_en_files/html/public_records97.html">http://nationalarchives.nic.in/writereaddata/html_en_files/html/public_records97.html</a>. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Times of India. Classified information is reviewed after 25-30 years. April 13th 2015. Available at: <a href="http://timesofindia.indiatimes.com/india/Classified-information-is-reviewed-after-25-30-years/articleshow/46901878.cms">http://timesofindia.indiatimes.com/india/Classified-information-is-reviewed-after-25-30-years/articleshow/46901878.cms</a>. Accessed: August 8, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Government of India. Ministry of Home Affairs. Lok Sabha Starred Question No 557. Available at: <a href="http://mha1.nic.in/par2013/par2015-pdfs/ls-050515/557.pdf">http://mha1.nic.in/par2013/par2015-pdfs/ls-050515/557.pdf</a>.</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. The Kargil Committee report Executive Summanry. Available at: http://fas.org/news/india/2000/25indi1.htm. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. PIB Releases. Group of Ministers Report on Reforming the National Security System”. Available at: <a href="http://pib.nic.in/archieve/lreleng/lyr2001/rmay2001/23052001/r2305200110.html">http://pib.nic.in/archieve/lreleng/lyr2001/rmay2001/23052001/r2305200110.html</a>. Last accessed: August 6, 2015</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Observer Research Foundation. “Manish Tewari introduces Bill on Intelligence Agencies Reform. August 5th 2011. Available at: <a href="http://www.observerindia.com/cms/sites/orfonline/modules/report/ReportDetail.html?cmaid=25156&mmacmaid=20327">http://www.observerindia.com/cms/sites/orfonline/modules/report/ReportDetail.html?cmaid=25156&mmacmaid=20327</a>. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. The Intelligence Services (Powers and Regulation) Bill, 2011. Available at: <a href="http://www.observerindia.com/cms/export/orfonline/documents/Int_Bill.pdf">http://www.observerindia.com/cms/export/orfonline/documents/Int_Bill.pdf</a>. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. The Privacy Bill 2011. Available at: https://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. The Report of Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Institute for Defence Studies and Analyses. “A Case for Intelligence Reforms in India”. Available at: <a href="http://www.idsa.in/book/AcaseforIntelligenceReformsinIndia.html">http://www.idsa.in/book/AcaseforIntelligenceReformsinIndia.html</a>. Accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. India Calls for Transparency in internet Surveillance. NDTV. July 3rd 2015. Available at: <a href="http://gadgets.ndtv.com/internet/news/india-calls-for-transparency-in-internet-surveillance-710945">http://gadgets.ndtv.com/internet/news/india-calls-for-transparency-in-internet-surveillance-710945</a>. Accessed: July 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Lovisha Aggarwal. “Analysis of News Items and Cases on Surveillance and Digital Evidence in India”. Available at: http://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-and-digital-evidence-in-india.pdf</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. Rule 25 (4) of the Information Technology (Procedures and Safeguards for the Interception, Monitoring, and Decryption of Information Rules) 2011. Available at: http://dispur.nic.in/itact/it-procedure-interception-monitoring-decryption-rules-2009.pdf</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. Ministry of Home Affairs, GOI. National Intelligence Grid. Available at: <a href="http://www.davp.nic.in/WriteReadData/ADS/eng_19138_1_1314b.pdf">http://www.davp.nic.in/WriteReadData/ADS/eng_19138_1_1314b.pdf</a>. Last accessed: August 6, 2015</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. Press Information Bureau, Government of India. Centralised System to Monitor Communications Rajya Sabha. Available at: <a href="http://pib.nic.in/newsite/erelease.aspx?relid=54679">http://pib.nic.in/newsite/erelease.aspx?relid=54679</a>. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. Department of Telecommunications. Amendemnt to the UAS License agreement regarding Central Monitoring System. June 2013. Available at: http://cis-india.org/internet-governance/blog/uas-license-agreement-amendment</p>
<p style="text-align: justify; ">[<a href="#fr34" name="fn34">34</a>]. United States Foreign Intelligence Surveillance Court. July 29th 2013. Available at: <a href="http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf">http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</a>. Last accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr35" name="fn35">35</a>]. United States Foreign Intelligence Surveillance Court. Rules of Procedure 2010. Available at: http://www.fisc.uscourts.gov/sites/default/files/FISC%20Rules%20of%20Procedure.pdf</p>
<p style="text-align: justify; ">[<a href="#fr36" name="fn36">36</a>]. United States Foreign Intelligence Court. Honorable Patrick J. Leahy. 2013. Available at: http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</p>
<p>[<a href="#fr37" name="fn37">37</a>]. United States Foreign Intelligence Surveillance Court. July 29th 2013. Available at: <a href="http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf">http://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf</a>. Last accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr38" name="fn38">38</a>]. Public Filings – U.S Foreign Intelligence Surveillance Court. Available at: http://www.fisc.uscourts.gov/public-filings</p>
<p style="text-align: justify; ">[<a href="#fr39" name="fn39">39</a>]. ACLU. FISC Public Access Motion – ACLU Motion for Release of Court Records Interpreting Section 215 of the Patriot Act. Available at: https://www.aclu.org/legal-document/fisc-public-access-motion-aclu-motion-release-court-records-interpreting-section-215</p>
<p style="text-align: justify; ">[<a href="#fr40" name="fn40">40</a>]. United States Foreign Intelligence Surveillance Court Washington DC. In Re motion for consent to disclosure of court records or, in the alternative a determination of the effect of the Court's rules on statutory access rights. Available at: https://www.eff.org/files/filenode/misc-13-01-opinion-order.pdf</p>
<p style="text-align: justify; ">[<a href="#fr41" name="fn41">41</a>]. Google Official Blog. Shedding some light on Foreign Intelligence Surveillance Act (FISA) requests. February 3rd 2014. Available at: http://googleblog.blogspot.in/2014/02/shedding-some-light-on-foreign.html</p>
<p style="text-align: justify; ">[<a href="#fr42" name="fn42">42</a>]. U.S Government Accountability Office. Available at: http://www.gao.gov/key_issues/overview#t=1. Last accessed: August 8, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr43" name="fn43">43</a>]. Report to Congressional Requesters. Combating Terrorism: Foreign Terrorist Organization Designation Proces and U.S Agency Enforcement Actions. Available at: http://www.gao.gov/assets/680/671028.pdf. Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr44" name="fn44">44</a>]. United States Government Accountability Office. Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies. Available: http://www.gao.gov/assets/680/670935.pdf. Last accessed: August 6, 2015.</p>
<p style="text-align: justify; ">[<a href="#fr45" name="fn45">45</a>]. Committee Legislation. Available at: http://ballotpedia.org/United_States_Senate_Committee_on_Intelligence_(Select)#Committee_legislation</p>
<p style="text-align: justify; ">[<a href="#fr46" name="fn46">46</a>]. Congressional Research Service. Congressional Oversight of Intelligence: Current Structure and Alternatives. May 14th 2012. Available at: https://fas.org/sgp/crs/intel/RL32525.pdf. Last Accessed: August 8, 2015</p>
<p style="text-align: justify; ">[<a href="#fr40" name="fn47">47</a>]. The Privacy and Civil Liberties Oversight Board: About the Board. Available at: https://www.pclob.gov/aboutus.html</p>
<p style="text-align: justify; ">[<a href="#fr48" name="fn48">48</a>]. The Privacy and Civil Liberties Oversight Board: About the Board. Available at: https://www.pclob.gov/aboutus.html</p>
<p style="text-align: justify; ">[<a href="#fr49" name="fn49">49</a>]. Congressional Research Service. Congressional Oversight of Intelligence: Current Structure and Alternatives. May 14th 2012. Available at: https://fas.org/sgp/crs/intel/RL32525.pdf. Last Accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr50" name="fn50">50</a>]. United States Courts. Wiretap Reports. Available at: http://www.uscourts.gov/statistics-reports/analysisreports/wiretap-reports</p>
<p style="text-align: justify; ">[<a href="#fr51" name="fn51">51</a>]. United States Courts. Wiretap Reports. Available at: http://www.uscourts.gov/statisticsreports/<br />analysis-reports/wiretap-reports/faqs-wiretap-reports#faq-What-information-does-the-AO-receive-from-prosecutors?. Last Accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr52" name="fn52">52</a>]. Intelligence and Security Committee of Parliament. Transcripts and Public Evidence. Available at: http://isc.independent.gov.uk/public-evidence. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr53" name="fn53">53</a>]. Intelligence and Security Committee of Parliament. Special Reports. Available at http://isc.independent.gov.uk/committee-reports/special-reports. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr54" name="fn54">54</a>]. Hugh Segal. The U.K. has legislative oversight of surveillance. Why not Canada. The Globe and Mail. June 12th 2013. Available at: http://www.theglobeandmail.com/globe-debate/uk-haslegislative-oversight-of-surveillance-why-not-canada/article12489071/. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr55" name="fn55">55</a>]. The Joint Intelligence Committee home page. For more information see: https://www.gov.uk/government/organisations/national-security/groups/joint-intelligence-committee</p>
<p style="text-align: justify; ">[<a href="#fr56" name="fn56">56</a>]. Interception of Communications Commissioner's Office. RIPA. Available at: http://www.iocco-uk.info/sections.asp?sectionID=2&type=top. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr57" name="fn57">57</a>]. Interception of Communications Commissioner's Office. Reports. Available at: http://www.iocco-uk.info/sections.asp?sectionID=1&type=top. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr58" name="fn58">58</a>]. The Intelligence Services Commissioner's Office Homepage. For more information see: http://intelligencecommissioner.com/</p>
<p style="text-align: justify; ">[<a href="#fr59" name="fn59">59</a>]. The Intelligence Services Commissioner's Office – The Commissioner's Statutory Functions. Available at: http://intelligencecommissioner.com/content.asp?id=4</p>
<p style="text-align: justify; ">[<a href="#fr60" name="fn60">60</a>]. The Intelligence Services Commissioner's Office – The Commissioner's Statutory Functions. Available at: http://intelligencecommissioner.com/content.asp?id=4</p>
<p style="text-align: justify; ">[<a href="#fr61" name="fn61">61</a>]. The Intelligence Services Commissioner's Office. What we do. Available at: http://intelligencecommissioner.com/content.asp?id=5. Last Accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr62" name="fn62">62</a>]. The Intelligence Services Commissioner's Office. Intelligence Services Commissioner's Annual Reports. Available at: http://intelligencecommissioner.com/content.asp?id=19. Last<br />accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr63" name="fn63">63</a>]. The Investigatory Powers Tribunal Homepage. Available at: http://www.ipt-uk.com/</p>
<p style="text-align: justify; ">[<a href="#fr64" name="fn64">64</a>]. The Investigatory Powers Tribunal – Functions – Key role. Available at: http://www.ipt-uk.com/section.aspx?pageid=1</p>
<p style="text-align: justify; ">[<a href="#fr65" name="fn65">65</a>]. Investigatory Powers Tribunal. Functions – Decisions available to the Tribunal. Available at: http://www.ipt-uk.com/section.aspx?pageid=4. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr66" name="fn66">66</a>]. Investigator Powers Tribunal. Operation - Available at: http://www.ipt-uk.com/section.aspx?pageid=7</p>
<p style="text-align: justify; ">[<a href="#fr67" name="fn67">67</a>]. Investigatory Powers Tribunal. Operation- Differences to the ordinary court system. Available at: http://www.ipt-uk.com/section.aspx?pageid=7. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr68" name="fn68">68</a>]. Security Intelligence Review Committee – Homepage. Available at: http://www.sirc-csars.gc.ca/index-eng.html</p>
<p style="text-align: justify; ">[<a href="#fr69" name="fn69">69</a>]. SIRC Annual Report 2013-2014: Lifting the Shroud of Secrecy. Available at: http://www.sirccsars. gc.ca/anrran/2013-2014/index-eng.html. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr70" name="fn70">70</a>]. The Office of the Communications Security Establishment – Homepage. Available at: http://www.ocsecbccst.gc.ca/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr71" name="fn71">71</a>]. The Office of the Communications Security Establishment – Homepage. Available at: http://www.ocsecbccst.gc.ca/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr72" name="fn72">72</a>]. The Office of the Communications Security Establishment – Mandate. Available at: http://www.ocsecbccst.gc.ca/mandate/index_e.php</p>
<p style="text-align: justify; ">[<a href="#fr73" name="fn73">73</a>]. The Office of the Communications Security Establishment – Functions. Available at: http://www.ocsecbccst.gc.ca/functions/review_e.php</p>
<p style="text-align: justify; ">[<a href="#fr74" name="fn74">74</a>]. The Office of the Communications Security Establishment – Functions. Available at: http://www.ocsecbccst.gc.ca/functions/review_e.php</p>
<p style="text-align: justify; ">[<a href="#fr75" name="fn75">75</a>]. Office of the Privacy Commissioner of Canada. Homepage. Available at: https://www.priv.gc.ca/index_e.ASP</p>
<p style="text-align: justify; ">[<a href="#fr76" name="fn76">76</a>]. Office of the Privacy Commissioner of Canada. Reports and Publications. Special Report to Parliament “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance. January 28th 2014. Available at: https://www.priv.gc.ca/information/srrs/201314/sr_cic_e.asp</p>
<p style="text-align: justify; ">[<a href="#fr77" name="fn77">77</a>]. Office of the Privacy Commissioner of Canada. Available at: https://www.priv.gc.ca/index_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr78" name="fn78">78</a>]. Office of the Privacy Commissioner of Canada. Appearance before the Senate Standing Commitee National Security and Defence on Bill C-51, the Anti-Terrorism Act, 2015. Available at: https://www.priv.gc.ca/parl/2015/parl_20150423_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr79" name="fn79">79</a>]. Office of the Privacy Commissioner of Canada. Special Report to Parliament. January 8th 2014. Available at: https://www.priv.gc.ca/information/sr-rs/201314/sr_cic_e.asp. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr80" name="fn80">80</a>]. Telecom Transparency Project. The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians. Available at: http://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr81" name="fn81">81</a>]. Patrick Baud. The Elimination of the Inspector General of the Canadian Security Intelligence Serive. May 2013. Ryerson University. Available at; http://www.academia.edu/4731993/The_Elimination_of_the_Inspector_General_of_the_Canadian_Security_Intelligence_Service</p>
<p style="text-align: justify; ">[<a href="#fr82" name="fn82">82</a>]. Telecom Transparency Project. The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians. Available at: http://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf. Last accessed: August 6th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr83" name="fn83">83</a>]. Glenn Greenwald. Fisa court oversight: a look inside a secret and empty process. The Guardian. June 19th 2013. Available at: http://www.theguardian.com/commentisfree/2013/jun/19/fisa-court-oversight-process-secrecy, Nadia Kayyali. Privacy and Civil Liberties Oversight Board to NSA: Why is Bulk Collection of Telelphone Records Still Happening? February 2105. Available at :https://www.eff.org/deeplinks/2015/02/privacy-and-civil-liberties-oversight-board-nsa-whybulk-collection-telephone. Last accessed: August 8th 2015.</p>
<p style="text-align: justify; ">[<a href="#fr84" name="fn84">84</a>]. Scott Shance. The Troubled Life of the Privacy and Civil Liberties Oversight Board. August 9th 2012. The Caucus. Available at: http://thecaucus.blogs.nytimes.com/2012/08/09/thetroubled-life-of-the-privacy-and-civil-liberties-oversight-board/?_r=0. Last accessed: August 8th 2015</p>
<p style="text-align: justify; ">[<a href="#fr85" name="fn85">85</a>]. The Open Rights Group. Don't Spy on Us. Reforming Surveillance in the UK. September 2014. Available at: https://www.openrightsgroup.org/assets/files/pdfs/reports/DSOU_Reforming_surveillance_old.pdf</p>
<p style="text-align: justify; ">[<a href="#fr86" name="fn86">86</a>].</p>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance'>https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-11-24T06:09:01ZBlog EntryBig Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011
<b>Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.</b>
<p>Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.</p>
<p>Below is an initial evaluation of how Big Data could impact India's current data protection standards.</p>
<p style="text-align: justify; ">India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000<a href="#_ftn1" name="_ftnref1">[1]</a> define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:</p>
<p style="text-align: justify; "><b>Scope of Rules: </b>Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as <i>"Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."</i></p>
<p style="text-align: justify; ">The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.</p>
<p style="text-align: justify; "><b>Definition of personal and sensitive personal data: </b>Rule 2(i) defines personal information as <i>"information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."</i></p>
<p>Rule 3 defines sensitive personal information as:</p>
<ul>
<li>Password,</li>
<li>Financial information,</li>
<li>Physical/physiological/mental health condition,</li>
<li>Sexual orientation,</li>
<li>Medical records and history,</li>
<li>Biometric information</li>
</ul>
<p style="text-align: justify; ">The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.</p>
<p style="text-align: justify; ">The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.</p>
<p style="text-align: justify; ">By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.</p>
<p style="text-align: justify; ">Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.</p>
<p style="text-align: justify; "><b>Consent</b>: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.</p>
<p style="text-align: justify; ">In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.</p>
<p style="text-align: justify; "><b>Notice of Collection: </b>Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.</p>
<p style="text-align: justify; ">Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.</p>
<p style="text-align: justify; "><b>Access and correction</b>: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.</p>
<p style="text-align: justify; ">This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.</p>
<p><b>Purpose Limitation:</b> Rule 5(5) requires that body corporate should use information only of the purpose which it has been collected.</p>
<p>In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.</p>
<p style="text-align: justify; "><b>Security:</b> Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.</p>
<p style="text-align: justify; ">This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.</p>
<p style="text-align: justify; "><b>Data Breach</b> : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.</p>
<p style="text-align: justify; ">Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.</p>
<p style="text-align: justify; "><b>Opt in and out and ability to withdraw consent</b> : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.</p>
<p style="text-align: justify; ">The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.</p>
<p style="text-align: justify; "><b>Disclosure of Information</b>: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.</p>
<p style="text-align: justify; ">This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.</p>
<p style="text-align: justify; "><b>Privacy Policy</b> : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.</p>
<p style="text-align: justify; ">In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.</p>
<p style="text-align: justify; "><b>Remedy</b> : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.</p>
<p style="text-align: justify; ">This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.</p>
<p style="text-align: justify; ">The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.<a href="#_ftn2" name="_ftnref2">[2]</a> Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.</p>
<h3></h3>
<h3>Conclusion</h3>
<p style="text-align: justify; ">The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities<a href="#_ftn3" name="_ftnref3">[3]</a>, city wide CCTV networks with facial recognition capabilities<a href="#_ftn4" name="_ftnref4">[4]</a>, and the implementation of an identity/authentication platform for public and private services<a href="#_ftn5" name="_ftnref5">[5]</a>, are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.</p>
<p style="text-align: justify; ">In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?</p>
<p style="text-align: justify; ">How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1">[1]</a>Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a>Group of Experts on Privacy. (2012). <i>Report of the Group of Experts on Privacy.</i> New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25<sup>th</sup> 2015, Available at: <a href="http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857">http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a>FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21<sup>st</sup> 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/</p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a>UIDAI Official Website. Available at: https://uidai.gov.in/</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011'>https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011</a>
</p>
No publisherelonnaiInternet GovernanceBig DataPrivacy2015-08-11T07:01:12ZBlog EntryA Review of the Policy Debate around Big Data and Internet of Things
https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things
<b>This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.</b>
<h3>Defining and Connecting Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The Internet of Things is a term that refers to networked objects and systems that can connect to the internet and can transmit and receive data. Characteristics of IoT include the gathering of information through sensors, the automation of functions, and analysis of collected data.[1] For IoT devices, because of the <i>velocity</i> at which data is generated, the <i>volume</i> of data that is generated, and the <i>variety</i> of data generated by different sources [2] - IoT devices can be understood as generating Big Data and/or relying on Big Data analytics. In this way IoT devices and Big Data are intrinsically interconnected.</p>
<h3>General Implications of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">Big Data paradigms are being adopted across countries, governments, and business sectors because of the potential insights and change that it can bring. From improving an organizations business model, facilitating urban development, allowing for targeted and individualized services, and enabling the prediction of certain events or actions - the application of Big Data has been recognized as having the potential to bring about dramatic and large scale changes.</p>
<p style="text-align: justify; ">At the same time, experts have identified risks to the individual that can be associated with the generation, analysis, and use of Big Data. In May 2014, the White House of the United States completed a ninety day study of how big data will change everyday life. The Report highlights the potential of Big Data as well as identifying a number of concerns associated with Big Data. For example: the selling of personal data, identification or re-identification of individuals, profiling of individuals, creation and exacerbation of information asymmetries, unfair, discriminating, biased, and incorrect decisions based on Big Data analytics, and lack of or misinformed user consent.[3] Errors in Big Data analytics that experts have identified include statistical fallacies, human bias, translation errors, and data errors.[4] Experts have also discussed fundamental changes that Big Data can bring about. For example, Danah Boyd and Kate Crawford in the article <i>"Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon"</i> propose that Big Data can change the definition of knowledge and shape the reality it measures.[5] Similarly, a BSC/Oxford Internet Institute conference report titled " <i>The Societal Impact of the Internet of Things</i>" points out that often users of Big Data assume that information and conclusions based on digital data is reliable and in turn replace other forms of information with digital data.[6]</p>
<p style="text-align: justify; ">Concerns that have been voiced by the Article 29 Working Party and others specifically about IoT devices have included insufficient security features built into devices such as encryption, the reliance of the devices on wireless communications, data loss from infection by malware or hacking, unauthorized access and use of personal data, function creep resulting from multiple IoT devices being used together, and unlawful surveillance.[7]</p>
<h3>Regulation of Big Data and Internet of Things</h3>
<p style="text-align: justify; ">The regulation of Big Data and IoT is currently being debated in contexts such as the US and the EU. Academics, civil society, and regulators are exploring questions around the adequacy of present regulation and overseeing frameworks to address changes brought about Big Data, and if not - what forms of or changes in regulation are needed? For example, Kate Crawford and Jason Shultz in the article <i>"Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms"</i>stress the importance of bringing in 'data due process rights' i.e ensuring fairness in the analytics of Big Data and how personal information is used.[8] While Solon Barocas and Andrew Selbst in the article <i>"Big Data's Disparate Impact"</i> explore if present anti-discrimination legislation and jurisprudence in the US is adequate to protect against discrimination arising from Big Data practices - specifically data mining.[9]</p>
<p><strong>The Impact of Big Data and IoT on Data Protection Principles</strong></p>
<p style="text-align: justify; ">In the context of data protection, various government bodies, including the Article 29 Data Protection Working Party set up under the Directive 95/46/EC of the European Parliament, the Council of Europe, the European Commission, and the Federal Trade Commission, as well as experts and academics in the field, have called out at least ten different data protection principles and concepts that Big Data impacts:</p>
<ol>
<li style="text-align: justify; "><strong>Collection Limitation:</strong> As a result of the generation of Big Data as enabled by networked devices, increased capabilities to analyze Big Data, and the prevalent use of networked systems - the principle of collection limitation is changing.[10]</li>
<li><strong>Consent: </strong>As a result of the use of data from a wide variety of sources and the re-use of data which is inherent in Big Data practices - notions of informed consent (initial and secondary) are changing.[11]</li>
<li><strong>Data Minimization:</strong> As a result of Big Data practices inherently utilizing all data possible - the principle of data minimization is changing/obsolete.[12]</li>
<li><strong>Notice:</strong> As a result of Big Data practices relying on vast amounts of data from numerous sources and the re-use of that data - the principle of notice is changing.[13]</li>
<li><strong>Purpose Limitation:</strong> As a result of Big Data practices re-using data for multiple purposes - the principle of purpose limitation is changing/obsolete.[14]</li>
<li><strong>Necessity: </strong>As a result of Big Data practices re-using data, the new use or re-analysis of data may not be pertinent to the purpose that was initially specified- thus the principle of necessity is changing.[15]</li>
<li><strong>Access and Correction:</strong> As a result of Big Data being generated (and sometimes published) at scale and in real time - the principle of user access and correction is changing.[16]</li>
<li><strong>Opt In and Opt Out Choices: </strong>Particularly in the context of smart cities and IoT which collect data on a real time basis, often without the knowledge of the individual, and for the provision of a service - it may not be easy or possible for individuals to opt in or out of the collection of their data.[17]</li>
<li><strong>PI:</strong> As a result of Big Data analytics using and analyzing a wide variety of data, new or unexpected forms of personal data may be generated - thus challenging and evolving beyond traditional or specified definitions of personal information.[18]</li>
<li><strong>Data Controller:</strong> In the context of IoT, given the multitude of actors that can collect, use and process data generated by networked devices, the traditional understanding of what and who is a data controller is changing.[19]</li>
</ol>
<h3 style="text-align: justify; ">Possible Technical and Policy Solutions</h3>
<p style="text-align: justify; ">In a Report titled "<i>Internet of Things: Privacy & Security in a Connected World</i>" by the Federal Trade Commission in the United States it was noted that though IoT changes the application and understanding of certain privacy principles, it does not necessarily make them obsolete.[20] Indeed many possible solutions that have been suggested to address the challenges posed by IoT and Big Data are technical interventions at the device level rather than fundamental policy changes. For example it has been proposed that IoT devices can be programmed to:</p>
<ul>
<li>Automatically delete data after a specified period of time [21] (addressing concerns of data retention)</li>
<li>Ensure that personal data is not fed into centralized databases on an automatic basis [22] (addressing concerns of transfer and sharing without consent, function creep, and data breach)</li>
<li style="text-align: justify; ">Offer consumers combined choices for consent rather than requiring a one time blanket consent at the time of initiating a service or taking fresh consent for every change that takes place while a consumer is using a service. [23] (addressing concerns of informed and meaningful consent)</li>
<li style="text-align: justify; ">Categorize and tag data with accepted uses and programme automated processes to flag when data is misused. [24] (addressing concerns of misuse of data)</li>
<li style="text-align: justify; ">Apply 'sticky policies' - policies that are attached to data and define appropriate uses of the data as it 'changes hands' [25] (addressing concerns of user control of data)</li>
<li style="text-align: justify; ">Allow for features to only be turned on with consent from the user [26] (addressing concerns of informed consent and collection without the consent or knowledge of the user)</li>
<li>Automatically convert raw personal data to aggregated data [27] (addressing concerns of misuse of personal data and function creep)</li>
<li>Offer users the option to delete or turn off sensors [28] (addressing concerns of user choice, control, and consent)</li>
</ul>
<p style="text-align: justify; ">Such solutions place the designers and manufacturers of IoT devices in a critical role. Yet some, such as Kate Crawford and Jason Shultz are not entirely optimistic about the possibility of effective technological solutions - noting in the context of automated decision making that it is difficult to build in privacy protections as it is unclear when an algorithm will predict personal information about an individual.[29]</p>
<p>Experts have also suggested that more emphasis should be placed on the principles and practices of:</p>
<ul>
<li>Transparency,</li>
<li> Access and correction,</li>
<li>Use/misuse</li>
<li>Breach notification</li>
<li>Remedy</li>
<li>Ability to withdraw consent</li>
</ul>
<p style="text-align: justify; ">Others have recommended that certain privacy principles need to be adapted to the Big Data/IoT context. For example, the Article 29 Working Party has clarified that in the context of IoT, consent mechanisms need to include the types of data collected, the frequency of data collection, as well as conditions for data collection.[30] While the Federal Trade Commission has warned that adopting a pure "use" based model has its limitations as it requires a clear (and potentially changing) definition of what use is acceptable and what use is not acceptable, and it does not address concerns around the collection of sensitive personal information.[31] In addition to the above, the European Commission has stressed that the right of deletion, the right to be forgotten, and data portability also need to be foundations of IoT systems and devices.[32]</p>
<h3>Possible Regulatory Frameworks</h3>
<p style="text-align: justify; ">To the question - are current regulatory frameworks adequate and is additional legislation needed, the FTC has recommended that though a specific IoT legislation may not be necessary, a horizontal privacy legislation would be useful as sectoral legislation does not always account for the use, sharing, and reuse of data across sectors. The FTC also highlighted the usefulness of privacy impact assessments and self regulatory steps to ensure privacy.[33] The European Commission on the other hand has concluded that to ensure enforcement of any standard or protocol - hard legal instruments are necessary.[34] As mentioned earlier, Kate Crawford and Jason Shultz have argued that privacy regulation needs to move away from principles on collection, specific use, disclosure, notice etc. and focus on elements of due process around the use of Big Data - as they say "procedural data due process". Such due process should be based on values instead of defined procedures and should include at the minimum notice, hearing before an independent arbitrator, and the right to review. Crawford and Shultz more broadly note that there are conceptual differences between privacy law and big data that pose as serious challenges i.e privacy law is based on causality while big data is a tool of correlation. This difference raises questions about how effective regulation that identifies certain types of information and then seeks to control the use, collection, and disclosure of such information will be in the context of Big Data – something that is varied and dynamic. According to Crawford and Shultz many regulatory frameworks will struggle with this difference – including the FTC's Fair Information Privacy Principles and the EU regulation including the EU's right to be forgotten.[35] The European Data Protection Supervisor on the other hand looks at Big Data as spanning the policy areas of data protection, competition, and consumer protection – particularly in the context of 'free' services. The Supervisor argues that these three areas need to come together to develop ways in which the challenges of Big Data can be addressed. For example, remedy could take the form of data portability – ensuring users the ability to move their data to other service providers empowering individuals and promoting competitive market structures or adopting a 'compare and forget' approach to data retention of customer data. The Supervisor also stresses the need to promote and treat privacy as a competitive advantage, thus placing importance on consumer choice, consent, and transparency.[36] The European Data Protection reform has been under discussion and it is predicted to be enacted by the end of 2015. The reform will apply across European States and all companies operating in Europe. The reform proposes heavier penalties for data breaches, seeks to provide users with more control of their data.[37] Additionally, Europe is considering bringing digital platforms under the Network and Information Security Directive – thus treating companies like Google and Facebook as well as cloud providers and service providers as a critical sector. Such a move would require companies to adopt stronger security practices and report breaches to authorities.[38]</p>
<h3>Conclusion</h3>
<p style="text-align: justify; ">A review of the different opinions and reactions from experts and policy makers demonstrates the ways in which Big Data and IoT are changing traditional forms of protection that governments and societies have developed to protect personal data as it increases in value and importance. While some policy makers believe that big data needs strong legislative regulation and others believe that softer forms of regulation such as self or co-regulation are more appropriate, what is clear is that Big Data is either creating a regulatory dilemma– with policy makers searching for ways to control the unpredictable nature of big data through policy and technology through the merging of policy areas, the honing of existing policy mechanisms, or the broadening of existing policy mechanisms - while others are ignoring the change that Big Data brings with it and are forging ahead with its use.</p>
<p style="text-align: justify; ">Answering the 'how do we regulate Big Data” question requires <strong>re-conceptualization of data ownership and realities</strong>. Governments need to first recognize the criticality of their data and the data of their citizens/residents, as well as the contribution to a country's economy and security that this data plays. With the technologies available now, and in the pipeline, data can be used or misused in ways that will have vast repercussions for individuals, society, and a nation. All data, but especially data directly or indirectly related to citizens and residents of a country, needs to be looked upon as owned by the citizens and the nation. In this way, data should be seen as a part of <strong>critical</strong> <strong>national infrastructure of a nation, </strong>and accorded the security, protections, and legal backing thereof to <strong>prevent the misuse of the resource by the private or public sectors, local or foreign governments</strong>. This could allow for local data warehousing and bring physical and access security of data warehouses on par with other critical national infrastructure. Recognizing data as a critical resource answers in part the concern that experts have raised – that Big Data practices make it impossible for data to be categorized as personal and thus afforded specified forms of protection due to the unpredictable nature of big data. Instead – all data is now recognized as critical.</p>
<p style="text-align: justify; ">In addition to being able to generate personal data from anonymized or non-identifiable data, big data also challenges traditional divisions of public vs. private data. Indeed Big Data analytics can take many public data points and derive a private conclusion. The use of Big Data analytics on public data also raises questions of consent. For example, though a license plate is public information – should a company be allowed to harvest license plate numbers, combine this with location, and sell this information to different interested actors? This is currently happening in the United States.[39] Lastly, Big Data raises questions of ownership. A solution to the uncertainty of public vs. private data and associated consent and ownership could be the creation a <strong>National Data Archive</strong> with such data. The archive could function with representation from the government, public and private companies, and civil society on the board. In such a framework, for example, companies like Airtel would provide mobile services, but the CDRs and customer data collected by the company would belong to the National Data Archive and be available to Airtel and all other companies within a certain scope for use. This 'open data' approach could enable innovation through the use of data but within the ambit of national security and concerns of citizens – a framework that could instill trust in consumers and citizens. Only when backed with strong security requirements, enforcement mechanisms and a proactive, responsive and responsible framework can governments begin to think about ways in which Big Data can be harnessed.</p>
<hr />
<p style="text-align: justify; ">[1] BCS - The Chartered Institute for IT. (2013). The Societal Impact of the Internet of Things. Retrieved May 17, 2015, from http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</p>
<p style="text-align: justify; "><i>[2] Sicular, S. (2013, March 27). Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused with Three “V”s. Retrieved May 20, 2015, from http://www.forbes.com/sites/gartnergroup/2013/03/27/gartners-big-data-definition-consists-of-three-parts-not-to-be-confused-with-three-vs/</i></p>
<p style="text-align: justify; ">[3] Executive Office of the President. “Big Data: Seizing Opportunities, Preserving Values”. May 2014. Available at: <a href="https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf">https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[4] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564</p>
<p style="text-align: justify; ">[5] Danah Boyd, Kate Crawford. <a href="http://www.tandfonline.com/doi/abs/10.1080/1369118X.2012.678878">CRITICAL QUESTIONS FOR BIG DATA</a>. In<a href="http://www.tandfonline.com/toc/rics20/15/5">formation, Communication & Society </a> Vol. 15, Iss. 5, 2012. Available at: <a href="http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878">http://www.tandfonline.com/doi/full/10.1080/1369118X.2012.678878</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[6] The Chartered Institute for IT, Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things” February 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[7] ARTICLE 29 Data Protection Working Party. (2014). <i>Opinion 8/2014 on the on Recent Developments on the Internet of Things.</i> European Commission. Retrieved May 20, 2015, from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</p>
<p style="text-align: justify; ">[8] Crawford, K., & Schultz, J. (2013). Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms (SSRN Scholarly Paper No. ID 2325784). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2325784</p>
<p style="text-align: justify; ">[9] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[10] Barocas, S., & Selbst, A. D. (2015). Big Data’s Disparate Impact (SSRN Scholarly Paper No. ID 2477899). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2477899</p>
<p style="text-align: justify; ">[11] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[12] Tene, O., & Polonetsky, J. (2013). Big Data for All: Privacy and User Control in the Age of Analytics. Northwestern Journal of Technology and Intellectual Property, 11(5), 239.</p>
<p style="text-align: justify; ">[13] Omer Tene and Jules Polonetsky, <i>Big Data for All: Privacy and User Control in the Age of Analytics</i>, 11 Nw. J. Tech. & Intell. Prop. 239 (2013).</p>
<p style="text-align: justify; ">[14] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[15] Information Commissioner's Office. (2014). Big Data and Data Protection. Infomation Commissioner's Office. Retrieved May 20, 2015, from https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf</p>
<p style="text-align: justify; ">[16] Article 29 Data Protection Working Party. “Opinion 8/2014 on the on Recent Developments on the Internet of Things”. September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">h</a><a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">ttp://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[17] The Chartered Institute for IT and Oxford Internet Institute, University of Oxford. “The Societal Impact of the Internet of Things”. February 14<sup>th</sup> 2013. Available at: <a href="http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf">http://www.bcs.org/upload/pdf/societal-impact-report-feb13.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[18] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[19] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16th 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[20] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[21] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[22] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[23] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[24] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commision. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[25] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[26] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[27] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[28] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[29] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1st 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2nd 2015.</p>
<p style="text-align: justify; ">[30] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[31] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[32] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[33] Federal Trade Commission. (2015). <i>Internet of Things: Privacy & Security in a Connected World.</i> Federal Trade Commission. Retrieved May 20, 2015, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf</p>
<p style="text-align: justify; ">[34] Article 29 Data Protection Working Party “Opinion 8/2014 on the on Recent Developments on the Internet of Things” September 16<sup>th</sup> 2014. Available at: <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf">http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[35] Kate Crawford and Jason Shultz, “Big Data and Due Process: Towards a Framework to Redress Predictive Privacy Harms”. Boston College Law Review, Volume 55, Issue 1, Article 4. January 1<sup>st</sup> 2014. Available at: <a href="http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr">http://lawdigitalcommons.bc.edu/cgi/viewcontent.cgi?article=3351&context=bclr</a>. Accessed: July 2<sup>nd</sup> 2015.</p>
<p style="text-align: justify; ">[36] European Data Protection Supervisor. Preliminary Opinion of the European Data Protection Supervisor, Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy. March 2014. Available at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-03-26_competitition_law_big_data_EN.pdf</p>
<p style="text-align: justify; ">[37] SC Magazine. Harmonised EU data protection and fines by the end of the year. June 25<sup>th</sup> 2015. Available at: <a href="http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/">http://www.scmagazineuk.com/harmonised-eu-data-protection-and-fines-by-the-end-of-the-year/article/422740/</a>. Accessed: August 8<sup>th</sup> 2015.</p>
<p style="text-align: justify; ">[38] Tom Jowitt, “Digital Platforms to be Included in EU Cybersecurity Law”. TechWeek Europe. August 7<sup>th</sup> 2015. Available at: http://www.techweekeurope.co.uk/e-regulation/digital-platforms-eu-cybersecuity-law-174415</p>
<p style="text-align: justify; ">[39] Adam Tanner. Data Brokers are now Selling Your Car's Location for $10 Online. July 10<sup>th</sup> 2013. Available at: http://www.forbes.com/sites/adamtanner/2013/07/10/data-broker-offers-new-service-showing-where-they-have-spotted-your-car/</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things'>https://cis-india.org/internet-governance/blog/review-of-policy-debate-around-big-data-and-internet-of-things</a>
</p>
No publisherelonnaiInternet GovernanceBig Data2015-08-17T08:36:18ZBlog EntryComparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015
https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015
<b>This blog a comparison of 1. The Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs. the 2015 Bill 4. The Expert Committee Recommendations vs. the 2015 Bill.</b>
<p style="text-align: justify; ">In 2013 the Expert Committee to discuss the draft Human DNA Profiling Bill was constituted by the Department of Biotechnology. The Expert Committee had constituted a Sub-Committee to modify the draft Bill in the light of invited comments/inputs from the members of the Committee</p>
<p style="text-align: justify; ">These changes were then deliberated upon by the Expert Committee. The Record Notes and Meeting Minutes of the Expert Committee and Sub-Committee can be found here. The Centre for Internet and Society was a member of the Expert Committee and sat on the Sub-Committee. In addition to input in meetings, CIS submitted a number of recommendations to the Committee. The Committee has drafted a 2015 version of the Bill and the same is to be introduced to Parliament.</p>
<p style="text-align: justify; ">Below is a comparison of 1. The 2012 Bill vs. the 2015 Bill, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs. the 2015 Bill 4. The Expert Committee Recommendations vs. the 2015 Bill.</p>
<h2><strong>Introduction</strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong> Recognition that DNA evidence is not infallible.</li>
<li><strong>Sub-Committee Recommendation: </strong>N/A</li>
<li><strong>Expert Committee Recommendation:</strong> N/A</li>
<li><strong>2015 Bill:</strong> No change from 2012 Bill</li>
<li><strong>CIS Recommendation:</strong></li>
</ul>
<h2><strong>Chapter I : Preliminary</strong></h2>
<p class="Textbody" style="text-align: justify; ">Inclusion of an 'Objects Clause' that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralized databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.</p>
<ul>
<li style="text-align: justify; "><strong>Sub Committee Recommendation:</strong> The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.</li>
</ul>
<ul>
<li style="text-align: justify; "><strong>Expert Committee Recommendation: </strong>The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.</li>
<li><strong>2015 Bill: </strong>No Change from the 2012 Bill</li>
</ul>
<p class="Standard"><strong> </strong></p>
<h2><strong><span>Chapter II : Definitions</span></strong></h2>
<p><strong>CIS Recommendation:</strong></p>
<ul>
<li>Removal of 2(1)(a) “analytical procedure”</li>
<li>Removal of 2(1)(b) “audit”</li>
<li>Removal of 2(1)(d) “calibration”</li>
<li>Re-drafting of 2(1)(h) “DNA Data Bank”</li>
<li>Re-naming of 2(1)(i) “DNA Data Bank Manager” to “National DNA Data Bank Manager”</li>
<li>Re-drafting of 2(1)(j) “DNA laboratory”</li>
<li>Re-drafting of 2(1)(l) “DNA Profile”</li>
<li>Re-drafting of 2(1)(o) “forensic material”</li>
<li>Removal of 2(1)(q) “intimate body sample”</li>
<li>Removal of 2(1)(v) “non-intimate body sample”</li>
<li>Removal of 2(1)(r) “intimate forensic procedure”</li>
<li>Removal of 2(1)(w) “non-intimate forensic procedure”</li>
<li>Removal of 2(1)(s) “known samples”</li>
<li>Re-drafting of 2(1)(y) “offender”</li>
<li>Removal of 2(1)(zb) “proficiency testing”</li>
<li>Re-drafting of 2(1)(zi) “suspect”</li>
</ul>
<ul>
<li><strong>Sub-Committee Recommendation</strong>: N/A</li>
<li><strong>Expert Committee Recommendation</strong>: N/A</li>
<li><strong>2015 Bill:</strong> No change from the 2012 Bill.</li>
</ul>
<h2><strong><span>Chapter III : DNA Profiling Board</span></strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong></li>
</ul>
<ol>
<li>The board should be made up of no more than five members. The Board must contain at least one ex-Judge or senior lawyer since the Board will perform the legal function of licensing and must obey the tenets of administrative law. To further multi-stakeholder interests, the Board should have an equal representation from civil society – both institutional (e.g NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced civil society persons). The Board should also have privacy advocates. CIS also recommended that the functions of the board be limited to: licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. CIS also recommended a <a href="http://cis-india.org/internet-governance/blog/dna-bill-functions.pdf">'duty to consult'</a> with affected or impacted individuals, interested individuals, and the public at large.</li>
</ol>
<ul>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Reduce the DNA Profiling Board (Section 4) from 16 members to 11 members and include civil society representation on the Board.</li>
<li>Include <span>either</span> clause 4(f) or (g) i.e. Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - <i>ex-officio Member</i> or Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- <i>ex-officio Member</i>;</li>
<li><span>Change</span> clause 4(i) i.e., <strong><span>to replace</span></strong> Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- <i>ex-officio Member</i> <strong>with</strong> Chairman, National Human Rights Commissions or his nominee.</li>
<li><span>Delete</span> Members mentioned in clause 4(l) i.e. Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- <i>Members</i>;</li>
<li>DPB Members with potential conflict of interest in matters under consideration should recuse themselves in deliberations in respect of such matters (Section 7), and they should be liable to be removed from the Board in case they are found to have not disclosed the nature of such interest.</li>
<li>With regards to the establishment of the DNA Profiling Board (clause 3) the committee clarified that the DNA Board needs to be a body corporate</li>
<li>The functions of the Board should be redrafted with fewer functions, and these should be listed in descending order of priority to sharpen this function – namely regulate process, regulate the labs, regulate databanks.</li>
</ol>
<ul>
<li><strong>Expert Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Accepted sub-committee recommendation to reduce the Board from 16 to 11 members and the detailed changes.</li>
<li>Accepted sub-committee recommendation to include civil society on the Board.</li>
<li>Accepted sub-committee recommendation to reduce the functions of the Board.</li>
</ol>
<ul>
<li><strong>2015 Bill:</strong></li>
</ul>
<ol>
<li>Addition in 2015 Bill of Section 4 (b) – <i>“Chairman, National Human Rights Commission or his nominee – ex-officio Member” (2015 Bill) </i><strong><span>Note: This change represents incorporation of CIS's recommendation, sub-committee recommendation, and expert committee recommendation.</span></strong></li>
<li>Changing of Section 4 (h) from: <i>“Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member”</i> (2012 Bill) <strong>to</strong> “<i>Director cum – Chief Forensic Scientist, Directorate of Forensic Science Services, Ministry of Home Affairs, Government of India -ex-officio Member”(2015 Bill) </i><strong><span>Note: This change represents partial incorporation of the sub-committee recommendation and expert committee recommendation.</span></strong></li>
<li>Changing of Section 4 (j) from: <i>“Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- ex-officio Member”; (2012 Bill)</i> <strong>to</strong> <i>“</i><i>Director of a State Forensic Science Lab to be nominated by MHA ex-officio member” (2015 Bill)</i></li>
<li>Addition of section 11(4) and 11(5) “(4) <i>The Board shall, in carrying out its functions and activities, consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. (5) The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation.” </i><strong><span>Note: This change represents partial incorporation of CIS's recommendation and Expert Committee recommendation.</span></strong></li>
</ol>
<h2><strong><span>Chapter IV : Approval of DNA Laboratories</span></strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong> N/A</li>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Add in section 16 1(d), the words “including audit reports”</li>
<li>Include in section 16(1)(c) that if labs do not file their audit report on an annual basis, the lab will lose approval. If the lab loses their approval - all the materials will be shifted to another lab and the data subject will be informed.</li>
</ol>
<ul>
<li><strong>Expert Committee Recommendation: </strong>N/A</li>
<li><strong>2015 Bill:</strong> No change from the 2012 Bill.</li>
</ul>
<p class="Standard"><strong> </strong></p>
<h2><strong><span>Chapter V : Standards, Quality Control and Quality Assurance</span></strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong> N/A</li>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Section 19(2) DNA laboratory to be headed by person possessing a doctorate in a subject germane to molecular biology.</li>
<li>Clauses 20 and 30 should be merged into Clause 20 to read as:</li>
</ol>
<p class="Textbody"><i>“(1). The staff of every DNA laboratory shall possess such qualifications and experience commensurate with the job requirements as may be specified by the regulations.</i></p>
<p class="Textbody"><i>(2). Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations.</i></p>
<p class="Textbody"><i>(3). Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations.</i></p>
<p class="Textbody"><i>Accordingly, change the Title: “Qualification, Recruitment and Training of DNA lab personnel.”</i></p>
<ol>
<li>Require DNA labs to have in place an evidence control system (Clause 22) <strong><span>Note: </span></strong><strong><span>This existed in the DNA 2012 Bill</span></strong></li>
<li>Amend Clause 23(1) to read as ““Every DNA laboratory shall possess and <span>shall follow</span> a validation process as may be specified by the regulations.”</li>
<li>Paraphrase Clause 27 as, “Every DNA laboratory shall have audits conducted annually in accordance with the standards as may be specified by the regulations.” It was agreed that the audits of the DNA Laboratory (clause 27) do not need to be external. <strong><span>Note: </span></strong><strong><span>This existed in the DNA 2012 Bill.</span></strong></li>
<li>Bring sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”.</li>
</ol>
<ul>
<li><strong>Expert Committee Recommendation:</strong> N/A</li>
<li><strong>2015 Bill</strong></li>
</ul>
<ol>
<li>Changing of Section 20 (2) from <i>“</i><i>(2) Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations made by the Board.</i> (2012) <strong>to</strong> <i>Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations; (2015)” and </i>Addition in 2015 Bill of Section 20 (3)<i> - “Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA profiling and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations” (2015) </i><strong>Note: This is as per the Sub-Committee's recommendation.</strong></li>
<li>Amending of Clause 23(1) to read as ““Every DNA laboratory shall possess and <span>shall follow</span> a validation process as may be specified by the regulations.” <strong>Note: This is as per the Sub-Committee's recommendation.</strong></li>
<li>Changing of section 30 from:<i>“Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations made by the Board and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations made by the Board.” (2012) </i>to<i> “Every DNA laboratory shall have installed appropriate security system and system for safety of personnel as may be specified by the regulations.”</i></li>
</ol>
<ul>
<li>Sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”. <strong>Note: This is as per the Sub-Committee's recommendation.</strong></li>
<li><strong>CIS Recommendation:</strong></li>
</ul>
<h2><strong><span>Chapter VI : DNA Data Bank</span></strong></h2>
<ol>
<li>Removal of section 32(6) which requires the names of individuals to be connected to their profiles and recommended that DNA profiles once developed, should be anonymized and retained separate from the names of their owners.</li>
<li>Section 34(2) to be limited to containing only an offenders' index and a crime scene index</li>
<li>Removal of section 36 which allows for international dicslosures of DNA profiles of Indians.</li>
</ol>
<ul>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Amend Clause 32(1) to reads as: “The Central Government shall, by notification, establish a National DNA Data Bank”.</li>
<li>Anonymize the volunteer's database.</li>
</ol>
<ul>
<li><strong>Expert Committee Recommendation:</strong> N/A</li>
<li><strong>2015 Bill:</strong> No change from 2012 Bill.</li>
</ul>
<h2><strong><span>Chapter VII : Confidentiality of and access to DNA profiles, samples, and records</span></strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong></li>
</ul>
<ol>
<li>Re-drafting section 39 and 40 to specify that DNA can only be used for forensic purposes and specify the manner in which DNA profiles may be received in evidence.</li>
<li>Removal of section 40</li>
<li>Removal of section 43</li>
<li>Re-dreaft section 45 as it sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by 6 section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.]</li>
</ol>
<ul>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Amend Clause 40 (f) to read as “-------to the concerned parties to the said civil dispute or civil matter, <span>with the concurrence of the court</span> and to the concerned judicial officer or authority”.Incorporated, but is now located at section 39</li>
<li>Include in Chapter VIII additional Sections: Clause 42A: “A person whose DNA profile has been created shall be given a copy of the DNA profile upon request”. <span>Clause 42B:</span> A person whose DNA profile has been created and stored shall be given information as to who has accessed his DNA profile or DNA information.</li>
</ol>
<ul>
<li><strong>Expert Committee: </strong>N/A</li>
<li><strong>2015 Bill:</strong></li>
</ul>
<ol>
<li>Addition of the phrase in section 39 “<span>with the concurrence of the court</span>”, thus the new clause reads as: “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court” and to the concerned judicial officer or authority”. <strong>Note: This as per the recommendations of the Sub-Committee.</strong></li>
</ol>
<h2><strong><span>Chapter VIII : Finance, Accounts, and Audit</span></strong></h2>
<ul>
<li><strong>CIS Recommendation: </strong>N/A</li>
<li><strong>Sub-Committee Recommendation: </strong>N/A</li>
<li><strong>Expert Committee Recommendation:</strong> N/A</li>
<li><strong>2015 Bill:</strong> No change from the 2012 Bill</li>
</ul>
<h2><strong><span>Chapter IX : Offences and Penalties</span></strong></h2>
<ul>
<li><strong>CIS Recommendation:</strong></li>
</ul>
<ol>
<li>The law prohibits the delegation of “essential legislative functions” [In re Delhi Laws, 1951]. The creation of criminal offences must be conducted by a statute that is enacted by Parliament, and when offences are created via delegated legislation, such as Rules, the quantum of punishment must be pre-set by the parent statute.</li>
<li>Since the listing of offences for DNA profiling will directly affect the fundamental right of personal liberty, it is an undeniable fact that the identification of these offences should be subject to a democratic process of the legislature rather than be determined by the whims of the executive.</li>
</ol>
<ul>
<li><strong>Sub-Committee Recommendation:</strong></li>
</ul>
<ol>
<li>Ensure a minimal jail term for any offence under the Act from DNA Data Banks without authorization is a period of one month (chapter 10 (53)) <strong>Note: This already existed in the 2012 Bill.</strong></li>
<li>Add to Section 56 the phrase “… or otherwise willfully neglects any other duty cast upon him under the provisions of this Act, shall be punishable …”.</li>
</ol>
<ul>
<li><strong>Expert Committee:</strong> N/A</li>
<li><strong>2015 Bill:</strong> No change from 2012 Bill</li>
<li><strong>CIS Recommendation:</strong> N/A</li>
<li><strong>Sub-Committee Recommendation:</strong> N/A</li>
<li><strong>Expert Committee Recommendation: </strong>N/A</li>
<li><strong>2015 Bill: </strong>No change from 2012 Bill</li>
</ul>
<h2><strong><span>Chapter X : Miscellaneous</span></strong></h2>
<p><strong><span>Schedule</span></strong></p>
<ul>
<li><strong>CIS Recommendation</strong></li>
</ul>
<p>The creation of a <a href="http://cis-india.org/internet-governance/blog/dna-list-of-offences.pdf">list of offenses </a>under which upon arrest under which DNA samples may lawfully be collected from the arrested person without his consent including:</p>
<ol>
<li>Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973; [Alternatively, all cognizable offences under the Indian Penal Code may be listed here]</li>
<li>Every offence punishable under the Immoral Traffic (Prevention) Act, 1956;</li>
<li>Any cognizable offence under the Indian Penal Code, 1860 that is committed by a registered medical practitioner and is not saved under section 3 of the Medical Termination of Pregnancy Act, 1971; [Note that the ITP Act does not itself create or list any offences, it only saves doctors from prosecution from IPC offences if certain conditions are met]</li>
<li>Every offence punishable under the Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994;</li>
<li>The offence listed under sub-section (1) of section 31 of the Protection of Women from Domestic Violence Act, 2005;</li>
<li>Every offence punishable under the Protection of Civil Rights Act, 1955;</li>
<li>Every offence punishable under the Scheduled Castes and the Scheduled Tribes (Prevention of Atrocities) Act, 1989.</li>
</ol>
<ul>
<li><strong>Sub-Committee Recommendation:</strong> N/A</li>
<li><strong>Expert Committee Recommendation:</strong> Incorporation of CIS's recommendation to the schedule regarding instances of when DNA samples can be collected without consent.</li>
<li><strong>2015 Bill:</strong></li>
</ul>
<ol>
<li>Addition in 2015 of “<i>Part II: List of specified offences - Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973” (2015). </i><strong>Note: This represents partial incorporation of CIS's recommendation.</strong></li>
<li>Expansion of sources of samples for DNA profiling from <i>-</i><i> “(1) Scene of occurrence or crime (2) Tissue and skeleton remains (3) Clothing and other objects (4) Already preserved body fluids and other samples” (2012) </i><strong>to<i> </i></strong><i>“1. Scene of occurrence, or scene of crime 2. Tissue and skeleton remains 3. Clothing and other objects 4. Already preserved body fluids and other samples 5. Medical Examination 6. Autopsy examination 7. Exhumation” (2015)” and</i> Deletion of<i> “Manner of collection of samples for DNA: (1) Medical Examination (2) Autopsy examination (3) Exhumation “ (2012) </i></li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015'>https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015</a>
</p>
No publisherelonnai2015-08-10T03:20:59ZBlog EntryAadhaar Number vs the Social Security Number
https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number
<b>This blog calls out the differences between the Aadhaar Number and the Social Security Number </b>
<p style="text-align: justify; ">In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which the Aadhaar number and the social security number are different.<a href="#_ftn1" name="_ftnref1">[1]</a></p>
<h2 style="text-align: justify; ">Governance</h2>
<p style="text-align: justify; "><b>SSN is governed by Federal legislation: </b> The issuance, collection, and use of the SSN is governed by a number of Federal and State legislation with the most pertinent being the Social Security Act 1935<a href="#_ftn2" name="_ftnref2">[2]</a> - which provides legal backing for the number, and the Privacy Act 1974 which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.<a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; "><b>Aadhaar was constituted under the Planning Commission: </b> The UIDAI was constituted as an attached office under the Planning Commission in 2009.<a href="#_ftn4" name="_ftnref4">[4]</a> A Unique Identification Authority Bill has been drafted, but has not been enacted.<a href="#_ftn5" name="_ftnref5">[5]</a> Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over body corporate.</p>
<h2 style="text-align: justify; "></h2>
<h2 style="text-align: justify; ">Purpose<b> </b></h2>
<p style="text-align: justify; "><b>SSN was created as a number record keeping scheme for government services: </b> The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individuals earnings in the Social Security system.<a href="#_ftn6" name="_ftnref6">[6]</a> In 1943 via an executive order, the number was adopted across Federal agencies. Eventually the number has evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.<a href="#_ftn7" name="_ftnref7">[7]</a> Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve proof of identity, citizenship, and it cannot be used to transact with and does not have the ability to store information. <a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; "><b>Aadhaar was created as a biometric based authenticator and a single unique proof of identity:</b> The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme as been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.<a href="#_ftn9" name="_ftnref9">[9]</a></p>
<h2 style="text-align: justify; ">Applicability</h2>
<p style="text-align: justify; "><b>SSN is for citizens and non-citizens authorized to work: </b> The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.<a href="#_ftn10" name="_ftnref10">[10]</a></p>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; "><b>Aadhaar is for residents: </b> The aadhaar number is available to any resident of India.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; "><b><span> </span></b></p>
<h2 style="text-align: justify; ">Storage, Access, and Disclosure</h2>
<p style="text-align: justify; "><b>SSN and applications are stored in the Numident:</b> The numident is a centralized database containing the individuals original SNN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.<a href="#_ftn12" name="_ftnref12">[12]</a> Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulates the disclosure, access, and sharing of the SSN number collected by agencies and organizations.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<p style="text-align: justify; "><b>Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: </b> According to the report "Analytics, Empowering Operations", <i> "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAIs Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." </i> Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.<a href="#_ftn13" name="_ftnref13">[13]</a> It is unclear if organizations that authenticate individuals via the Adhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) 2011, thus if any body corporate collects biometrics with the Aadhaar number - the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<h2 style="text-align: justify; ">Use by public and private entities</h2>
<p style="text-align: justify; "><b>Public and private entities can request SSN: </b> Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction that is subject to federal Customer Identification Program rules.<a href="#_ftn15" name="_ftnref15">[15]</a> Thus, an individual can refuse to provide their SSN, but a private business can also refuse to provide a service.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<p style="text-align: justify; ">Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.<a href="#_ftn17" name="_ftnref17">[17]</a> Thus, there are a number of Federal legislation in the U.S that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws. <a href="#_ftn18" name="_ftnref18">[18]</a></p>
<p style="text-align: justify; "><b>Public and private entities can request Aadhaar:<span> </span></b> The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,<a href="#_ftn19" name="_ftnref19">[19]</a> and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.<a href="#_ftn20" name="_ftnref20">[20]</a></p>
<h2 style="text-align: justify; "></h2>
<h2 style="text-align: justify; ">Verification</h2>
<p style="text-align: justify; "><b>The SSN can be verified only in certain circumstances: </b> The SSA will only respond to requests for SSN verification in certain circumstances:</p>
<p style="text-align: justify; "><b> </b></p>
<ul>
<li>Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the name and the number match as per their records.</li>
<li>When legally permitted, the SSA verification system will verify SSNs for government agencies.</li>
<li>When legally permitted the SSA verification system will verify a workers SSN for pre-registered and approved private employers.</li>
<li>If an individual has provided his/her consent, the SSA will verify a SSN request from a third party.</li>
</ul>
<p style="text-align: justify; ">For verification the SSN number must be submitted with an accompanying name to be matched to and additional information such as date of birth, fathers name, mothers name etc. When verifying submitted SSN's, the system will respond with either confirmation that the information matches or that it does not match. It is important to note that because SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN number is the person whom the number was assigned.<a href="#_ftn21" name="_ftnref21">[21]</a></p>
<p style="text-align: justify; "><b>The Aadhaar number can be verified in any transaction: </b> If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication individuals can submit their number and demographic information or their number and biometrics for verification.<a href="#_ftn22" name="_ftnref22">[22]</a></p>
<p style="text-align: justify; "><b><span> </span></b></p>
<h2 style="text-align: justify; ">Lost or stolen</h2>
<p style="text-align: justify; "><b>SSN can be replaced: </b> If an individual loses his/her SSN card lost or their number is fraudulently used, they can apply for a replacement SSN card or a new SNN number. <a href="#_ftn23" name="_ftnref23">[23]</a></p>
<p style="text-align: justify; "><b>Aadhaar number can be replaced: </b> If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI , the individual has the option of re-enrolling for a new Aadhaar number.<a href="#_ftn24" name="_ftnref24">[24]</a> <b> </b>The UIDAI has built the scheme with the understanding the biometrics are a unique identifier that cannot be lost or stolen, and thus have not created a system to address the possibility of stolen or fraudulent use of biometrics.</p>
<h2 style="text-align: justify; ">Implementation</h2>
<p style="text-align: justify; "><b>Legislation and formal roll out: </b> The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.</p>
<p style="text-align: justify; "><b>Bill and pilot studies:</b> The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, the project has been implemented in pilot phases across States and platforms.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<p style="text-align: justify; "><b><span>Enrollment</span></b></p>
<p style="text-align: justify; "><b>Social Security Administration: </b> The Social Security Agency is the soul body in the US that receives and processes applications for SSN and issues SSN numbers. <a href="#_ftn25" name="_ftnref25">[25]</a></p>
<p style="text-align: justify; "><b>UIDAI, registrars, and enrolling agencies: </b> The UIDAI is the soul body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI_ - and enrolling agencies (contracted bodies under Registrars) are responsible for receiving and processing enrollments into the UID scheme.</p>
<h2 style="text-align: justify; ">Required supporting documents</h2>
<p style="text-align: justify; "><b>SSN requires proof of age, identity, and citizenship: </b> To obtain a SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:</p>
<ul>
<li>Name to be shown on the card</li>
<li>Full name at birth, if different</li>
<li>Other names used</li>
<li>Mailing address</li>
<li>Citizenship or alien status</li>
<li>Sex</li>
<li>Race/ethnic description (SSA does not receive this information under EAB)</li>
<li>Date of birth</li>
<li>Place of birth</li>
<li>Mother's name at birth</li>
<li>Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does not retain these data.)</li>
<li>Fathers' name</li>
<li>Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).</li>
<li>Whether applicant ever filed for an SSN before</li>
<li>Prior SSNs assigned</li>
<li>Name on most recent Social Security card</li>
<li>Different date of birth if used on an earlier SSN application.</li>
<li>Date application completed</li>
<li>Phone number</li>
<li>Signature</li>
<li>Applicant's relationship to the number holder.<a href="#_ftn26" name="_ftnref26">[26]</a></li>
</ul>
<p style="text-align: justify; "><b> </b></p>
<p style="text-align: justify; "><b>Aadhaar requires proof of age, address, birth, and residence and biometric information:</b> The application form requires the following information:</p>
<ul>
<li>Name</li>
<li>Date of birth</li>
<li>Gender</li>
<li>Address</li>
<li>Parent/guardian details</li>
<li>Email</li>
<li>Mobile number</li>
<li>Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services</li>
<li>Indication of if the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose</li>
<li>If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details</li>
<li>Signature<a href="#_ftn27" name="_ftnref27">[27]</a></li>
</ul>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11<sup>th</sup> 2015. Available at: http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> The National Identification Authority of India Bill 2010. Available at: http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf</p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> Information Technology (Reasonable security practices and procedures and sensitive personal data or information rules 2011) available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> IdentityHawk, "Who can lawfully request my social security number?" Available at: http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number</p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business</p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage</p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html</p>
</div>
<div id="ftn20">
<p><a href="#_ftnref20" name="_ftn20">[20]</a> Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17<sup>th</sup>, 2015. Available at: http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html</p>
</div>
<div id="ftn21">
<p><a href="#_ftnref21" name="_ftn21">[21]</a> Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html</p>
</div>
<div id="ftn22">
<p><a href="#_ftnref22" name="_ftn22">[22]</a> Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html</p>
</div>
<div id="ftn23">
<p><a href="#_ftnref23" name="_ftn23">[23]</a> SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/</p>
</div>
<div id="ftn24">
<p><a href="#_ftnref24" name="_ftn24">[24]</a> UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf</p>
</div>
<div id="ftn25">
<p><a href="#_ftnref25" name="_ftn25">[25]</a> Social Security. Availabl at: http://www.ssa.gov/</p>
</div>
<div id="ftn26">
<p><a href="#_ftnref26" name="_ftn26">[26]</a> Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf</p>
</div>
<div id="ftn27">
<p><a href="#_ftnref27" name="_ftn27">[27]</a> Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number'>https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number</a>
</p>
No publisherelonnaiAadhaarInternet GovernancePrivacy2015-07-24T01:24:00ZBlog EntryA Dissent Note to the Expert Committee for DNA Profiling
https://cis-india.org/internet-governance/blog/dna-dissent
<b>The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectively dissents from the January 2015 draft of the Bill.</b>
<p> </p>
<p>Click for <a href="https://cis-india.org/internet-governance/blog/dna-bill-functions.pdf" class="external-link">DNA Bill Functions</a>, <a href="https://cis-india.org/internet-governance/blog/dna-list-of-offences.pdf" class="external-link">DNA List of Offences</a>, and <a href="https://cis-india.org/internet-governance/blog/cis-note-on-dna-bill.pdf" class="external-link">CIS Note on DNA Bill</a>. A modified version was published by <a class="external-link" href="http://bangalore.citizenmatters.in/articles/dna-bill-problems-issues-inputs-from-bangalore">Citizen Matters Bangalore</a> on July 28.</p>
<hr />
<p>Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:</p>
<p style="text-align: justify;">The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.</p>
<p style="text-align: justify;">The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In the current form the DNA Bill provides for collection of DNA for the following non forensic purposes:</p>
<ul>
<li style="text-align: justify;">Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation. </li>
<li style="text-align: justify;">Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.</li>
<li style="text-align: justify;">Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.</li>
<li style="text-align: justify;">Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children. </li></ul>
<p style="text-align: justify;">While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:</p>
<ul>
<li style="text-align: justify;"><strong>Over delegation of powers to the board</strong>: The DNA Board currently has vast powers as delegated by Section 12 including:<br /><em>“authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.” </em><br /><br />Section 65 gives the Board the power to make regulations for a number purposes including: <em>“other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases lists in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.</em><br /><br />Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that <em>“no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.” </em><br /><br />The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability. </li>
<li style="text-align: justify;"><strong>Key terms undefined</strong>: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”<br /><br />The term’ DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database. </li>
<li style="text-align: justify;"><strong>Low standards for sharing of information</strong>: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.<br /><br />The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision isvague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For eg. the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.</li>
<li style="text-align: justify;"><strong>Missing privacy safeguards</strong>: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards. <br /><br />In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.<br /><br /><br /><br /></li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/dna-dissent'>https://cis-india.org/internet-governance/blog/dna-dissent</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2016-07-21T11:01:44ZBlog EntrySecurity, Governments and Data: Technology and Policy
https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy
<b>On January 8, 2015, the Centre for Internet and Society, in collaboration with the Observer research foundation, hosted the day long conference "Security, Governments, and Data: Technology and Policy" The conference discussed a range of topics including internet governance, surveillance, privacy, and cyber security. </b>
<p>The full report written and compiled by Lovisha Aggarwal and Nehaa Chaudhari and edited by Elonnai Hickok <a href="https://cis-india.org/internet-governance/blog/security-governments-data-technology-policy.pdf" class="internal-link">can be accessed here</a>.</p>
<hr />
<p style="text-align: justify; ">The conference was focused on the technologies, policies, and practices around cyber security and surveillance. The conference reached out to a number of key stakeholders including civil society, industry, law enforcement, government, and academia and explored the present scenario in India to reflect on ways forward. The conference was a part of CIS’s work around privacy and surveillance, supported by Privacy International.</p>
<h3 style="text-align: justify; ">Welcome Address</h3>
<p style="text-align: justify; ">The welcome address opened with a reference to a document circulated by CIS in 2014 which contained hypothetical scenarios of potential threats to Indian cyber security. This document highlighted the complexity of cyber security and the challenges that governments face in defending their digital borders. When talking about cyber security it is important that certain principles are upheld and security is not pursued only for the sake of security. This approach allows for security to be designed and to support other rights such as the right of access, the right to freedom of expression, and the right to privacy. Indeed, the generation, use, and protection of communications data by the private sector and the government are a predominant theme across the globe today. This cannot be truer for India, as India hosts the third largest population on the internet in the world.</p>
<p style="text-align: justify; ">During the welcome, a brief introduction to the Centre for Internet and Society was given. It was noted that CIS is a 6.5 half year old organization that is comprised of lawyers, mathematicians, sociologists, and computer scientists and works across multiple focus areas including accessibility, internet governance, telecom, openness, and access to knowledge. CIS began researching privacy and surveillance in 2010, and has recently begun to expand their research into cyber security. The purpose of this is to understand the relationship between privacy, surveillance, and security and is the beginning of a learning process for CIS. In 2013 CIS undertook a process to attempt to evolve a legal regime to intelligently and adequately deal with privacy in India. Industry specific requirements are key in the Indian context and this process was meant to try and evolve a consensus on what a privacy law in India should look like by bringing together key stakeholders for roundtables. CIS is now in the final stages of preparing individual legal proposals that will be sent to the Government – to hopefully have an informed Privacy Law in India. This event represents CIS’s first attempt to have a simultaneous dialogue on surveillance, cyber security, and privacy. As part of this event and research CIS is trying to understand the technology and market involved in surveillance and cyber security as these are important factors in the development of policy and law.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy'>https://cis-india.org/internet-governance/blog/security-governments-datat-technology-and-policy</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-04-04T05:59:19ZBlog EntryExport and Import of Security Technologies in India: Q&A
https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf'>https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf</a>
</p>
No publisherelonnai2015-03-14T02:41:05ZFileGSMA Research Outputs
https://cis-india.org/internet-governance/blog/gsma-research-outputs
<b>This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome. </b>
<h3>Indian Law and the Necessary Proportionate Principles</h3>
<p style="text-align: justify; ">The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.</p>
<p><a href="https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Security, Surveillance and Data Sharing Schemes and Bodies in India</h3>
<p style="text-align: justify; ">Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Export and Import of Security Technologies in India: QA</h3>
<p style="text-align: justify; ">The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Regulation of CCTV’s in India</h3>
<p style="text-align: justify; ">In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/regulation-of-cctvs-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India</h3>
<p style="text-align: justify; ">It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/mlats-and-cross-border-sharing-of-information-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Composition of Service Providers in India</h3>
<p style="text-align: justify; ">Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/composition-of-service-providers-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">The Surveillance and Security Industry in India - An Analysis of Indian Security Expos</h3>
<p style="text-align: justify; ">The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/surveillance-and-security-industry-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>An Analysis of News Items and Cases on Surveillance and Digital Evidence in India</h3>
<p style="text-align: justify; ">In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-and-digital-evidence-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles</h3>
<p style="text-align: justify; ">The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/policy-recommendations-for-surveillance-law-in-india-and-analysis-of-legal-provisions-on-surveillance-in-india-and-the-necessary-and-proportionate-principles.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">The Surveillance Industry in India</h3>
<p style="text-align: justify; ">India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/surveillance-industry-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">State of Cyber Security and Surveillance in India: A Review of the Legal Landscape</h3>
<p style="text-align: justify; "><br />The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gsma-research-outputs'>https://cis-india.org/internet-governance/blog/gsma-research-outputs</a>
</p>
No publisherelonnaiGSMA ResearchInternet GovernancePrivacy2015-04-06T14:18:18ZBlog EntryIndian Law and the Necessary Proportionate Principles
https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf
<b></b>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf'>https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf</a>
</p>
No publisherelonnai2015-03-14T02:15:32ZFileThe Centre for Internet and Society joins Worldwide Campaign to Discover Depth of GCHQ's Illegal Spying
https://cis-india.org/internet-governance/blog/cis-joins-worldwide-campaign-to-discover-depth-of-gchq-illegal-spying
<b>The Centre for Internet and Society has joined an international campaign to allow anyone in the world to request whether Britain’s intelligence agency GCHQ has illegally spied on them.</b>
<p style="text-align: justify; ">The platform and campaign has been developed in response to a recent court ruling that GCHQ unlawfully obtained millions of private communications from the NSA up until December 2014. This decision allows not only British citizens, but anyone in the world, to ask GCHQ if the individual’s records were unlawfully shared by the NSA.</p>
<p>Individuals who wish to take part in this process can sign up here: https://www.privacyinternational.org/illegalspying</p>
<p style="text-align: justify; ">Privacy International intends to collate the inquiries from around the world and submit them to the UK Investigatory Powers Tribunal. Those who have been found to have been illegally spied on can then seek the deletion of their records, including emails, phone records, and internet communications. Given the mass surveillance capabilities of the NSA and GCHQ, and that the agencies “share by default” the information they collect, an unlimited number of people could have been affected by the unlawful spying.</p>
<p style="text-align: justify; ">The Investigatory Powers Tribunal, the UK court solely responsible for overseeing intelligence agencies, ruled on 6 February that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.</p>
<p>The decision was the first time in the Tribunal’s history that it had ruled against the actions of the intelligence and security services.</p>
<p style="text-align: justify; ">According to the Centre for Internet and Society – this is a great example of transparency and the ability for individuals to access information held by the government. It is also an important step towards government accountability with respect to state surveillance.</p>
<p>Eric King, Deputy Director of Privacy International, said:</p>
<p style="text-align: justify; ">“We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the US and UK. The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place.</p>
<p style="text-align: justify; ">There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity finally hold GCHQ accountable for their unlawful actions.”</p>
<hr />
<h2>Brief on “Did GCHQ Spy on You Illegally?”</h2>
<p style="text-align: justify; ">Privacy International on Monday February 16th 2015 launched a campaign and platform allowing people to ask the UK’s surveillance court, the Investigatory Powers Tribunal, if GCHQ spied on people illegally. This comes on the heels of our recent legal victory in the IPT, who found that all intelligence sharing from the NSA to GCHQ prior to December 2014 was unlawful.<br /><br />As on February 17th night, we had over 10,000 signatures, and at the end of today we expect to have more updated figures. <br /><br />While this has been successful thus far, we need your help!<br /><br />We need the support of other organisations to truly make this work, and we want your organisation to join as a partner. Being a partner in this can look a few different ways: you can send out emails to your organisation's members, tweet out the links to the platform, or send out a press release to your media contacts telling them you joined the effort.<br /><br />We hope you can join, and below we try to address some questions we've been getting about the campaign. There's also an additional FAQ more specifically addressing the campaign itself.</p>
<h3>What is PI doing?</h3>
<p style="text-align: justify; ">Simply put: Giving people the chance to remedy illegal government activity and hold intelligence agencies accountable. When someone submits their information through this platform, they are allowing us to go to the IPT on their behalf to find out if they were illegally spied on by GCHQ. <br /><br />People could have gone directly to the IPT to ask, but that process is difficult to engage in. We wanted to create a simple, low-barrier way to give people the chance to find out if they were victims of illegal spying.</p>
<h3>Why are you doing this?</h3>
<p style="text-align: justify; ">This action is not just about satisfying curiosity. Sure, lots of us are interested in knowing whether our emails have been caught in the NSA and GCHQ’s dragnet surveillance operations, and hopefully through this platform we’ll be able to find out. But, this campaign is about much more than that. <br /><br />It is about making GCHQ understand the very personal and individual implications of mass surveillance. And it is about ending the feeling of powerlessness that many of us have felt since discovering, thanks to Edward Snowden, the reality of the almost total surveillance that we’re under. <br /><br />We have never done a public campaign like this, but we felt that this ruling was too important to pass up. People have a right to know if they were illegally spied on, and if so, request that their records are deleted. We want to help them assert those rights, and we think you can help too.</p>
<h3>Why should my organisation join?</h3>
<p style="text-align: justify; ">We don't get many victories in this space, but we have a rare opportunity to give people the chance to do something! Not just sign a petition, but directly hold intelligence agencies accountable and challenge proven illegal government activity. <br /><br />Numbers are important too, not just important to brag about. The greater number of people who sign up actually increases our likelihood of success. That's because when we submit people's details to the IPT, one of the possible outcomes could be that the court tests a sample to see if/where illegality occurred. <br /><br />The more people who sign up, the greater chance there is we can prove that people were illegally spied on. If that's the case, we could request that GCHQ delete ALL the records they obtained from NSA prior to December to 2014.</p>
<p style="text-align: justify; ">To do that, we need as many people to join. We are not merely interested in building a list, this is not a stunt, and we have no interest in poaching your members. It's simple – more people means greater chance of success.<br /><br />Also, this is going to be a long fight on our front. We are going to be dealing with this campaign for the next few months if not few years. As each turn comes along the way, we are going to need your help to keep pressure up and keep people involved. Nothing good comes easy!</p>
<h3>Is it only for British citizens?</h3>
<p style="text-align: justify; ">No. This literally affects everyone who has ever used a phone or computer prior to December 2014, which is pretty much every single person.<br /><br />So, anyone around the world is eligible to join this petition! No matter where you are, you’re entitled under British law to bring a claim in the courts to find out whether you were illegally spied on. Given the degree of intelligence collection by the NSA and its close relationship with the British intelligence services, it’s entirely possible that your communications have been scooped up and unlawful handed over to the UK. <br /><br />So, what can you do?</p>
<h2>Four actions you can do:</h2>
<ul>
<li style="text-align: justify; "><b>Declare your organisation’s support for the campaign!</b> Email <a href="mailto:mike@privacyinternational.org">mike@privacyinternational.org</a> and we'll add your name to the partner section on the petition page.</li>
<li><b>Tweet the link for the petition to your followers</b>: <a href="http://www.privacyinternational.org/illegalspying">www.privacyinternational.org/illegalspying</a> using the hashtag #DidGCHQSpyOnYou</li>
<li style="text-align: justify; "><b>Email your supporters and members and encourage them to join the campaign</b> - if you need further information you can point them to the FAQ on our website or included in this pack: https://www.privacyinternational.org/?q=node/495</li>
<li style="text-align: justify; "><b>Tweet at or contact notable people in your city or country</b> - we’ve been tweeting Members of Parliament, influential journalists, movie stars, whomever!</li>
</ul>
<h2>FAQ on action</h2>
<p>URL: <a class="external-link" href="https://privacyinternational.org/?q=node/495">https://privacyinternational.org/?q=node/495</a></p>
<h3>Who is able to join?</h3>
<p style="text-align: justify; ">EVERYONE! The implications of our recent legal victory against GCHQ in the Investigatory Powers Tribunal means that all intelligence sharing from the NSA to GCHQ was unlawful. Because people located all over the world are affected by illegal intelligence sharing, not only British citizens, but anyone in the world, can ask if their records collected by the NSA were unlawfully shared with GCHQ.</p>
<h3>Why are we doing this?</h3>
<p style="text-align: justify; ">Intelligence agencies' culture of secrecy have allowed them, for too long, to avoid public accountability. Whether it’s secret hearings in closed court rooms or committees equipped only with rubber stamps, intelligence agencies like GCHQ have never been forced to answer to the public for their actions.</p>
<p style="text-align: justify; ">We think you have a right to know whether you have been caught up in GCHQ and NSA's illegal intelligence sharing. If so, you have a right to demand that data be deleted. Privacy International wants to help you assert those rights.</p>
<h3>Wait what? Why do I have to give GCHQ my data?</h3>
<p style="text-align: justify; ">We know it sounds absurd but it's the only way! The Tribunal can't act by itself, so it needs people to come forward to file complaints. We've kept information needed to a minimum, but the IPT requires more than your name to attempt to find your communications in GCHQ’s massive databases. If they do locate your data, you can ask them to delete it. Hopefully, if enough people sign up, we can show just how widespread Five Eyes mass surveillance and intelligence sharing is, and get the reform we all need!</p>
<h3>Will this tell me if GCHQ are currently spying on me?</h3>
<p style="text-align: justify; ">No. This campaign will only tell you if NSA shared your communications with GCHQ before December 2014. It won't tell you if GCHQ shared communications with NSA. It also won't tell you if GCHQ intercepted your communications by themselves. Should Privacy International be successful in our appeal to the European Court of Human Rights maybe this will change, but for now, this is limited to just whether NSA shared your communications with GCHQ before December 2014.</p>
<h3>What will happen once I have entered my details?</h3>
<p style="text-align: justify; ">After you hit submit, you'll receive an email asking you to confirm your participation. Make sure you click that link, otherwise your submission won't go through. While these few details are all we need from you now, we may need more information from you in the future. By entering your details, you authorise Privacy International and their legal team to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your rights under Article 8 and Article 10 of the UK Human Rights Act have been violated and to request your records be deleted.</p>
<h3>How will I know my communications were illegal shared with GCHQ?</h3>
<p style="text-align: justify; ">If the IPT find that your communications were illegally shared with GCHQ, they have to tell you. The Investigatory Powers Tribunal has a statutory obligation to investigate any complaint made against GCHQ. When they receive a complaint, if they think they have all the information required to make a determination, then they will do so, and inform you of the outcome. If not, the IPT can demand more information, a meeting or inspection of files held by GCHQ.</p>
<h3>Do I get anything if I have been spied on?</h3>
<p style="text-align: justify; ">Yes. If the IPT is able to establish that you have been illegally spied on, they have to tell you. You will receive a declaration that your privacy rights have been violated and you can request that any information unlawfully obtained be deleted.</p>
<h3>WiIl GCHQ hold onto my details when they are handed over to them?</h3>
<p style="text-align: justify; ">No. GCHQ are only allowed to keep your details for the purposes of establishing whether or not they spied on you illegally and for the duration of the investigation by the IPT.</p>
<h3>How soon will I receive an answer to whether I was caught up in NSA and GCHQ's illegal spying?</h3>
<p>It might be a while. This is the first time that such a large group action has been mounted against GCHQ so count on it being many months, and likely years before this action is completed. Nothing worth doing is easy!</p>
<h3>Is this for all of NSA and GCHQ's programmes?</h3>
<p style="text-align: justify; ">This legal campaign deals with information collected by the NSA and shared with GCHQ before December 2014, specifically PRISM and UPSTREAM. It doesn't deal with GCHQ initiated interception, but if we're successful with our appeal with the European Court of Human Rights, maybe that could change!</p>
<h3>Is my email address and phone number enough for GCHQ to find all records?</h3>
<p style="text-align: justify; ">No. Unfortunately, we imagine many of GCHQ's databases are unindexed or indexed by a "selector" which could be an IP address, a cookie, a hardware address or almost anything else. For people who want the most comprehensive records searched, much more personal information would have to be provided. Currently we are asking for only your email address and phone number to enable the greatest number of people access to this campaign. If you want to provide more detailed information and a range of selectors to GCHQ, consider submitting your own individual complaint here. We hope to have a detailed guide on how to do so in the next few days.</p>
<h3>What are Privacy International going to do with this data?</h3>
<p style="text-align: justify; ">By entering your details you are authorising Privacy International to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your privacy rights have been violated. We will provide you with updates on the case and won't use the information for any other purpose. We will only share it with our lawyers, GCHQ and the Investigatory Powers Tribunal.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-joins-worldwide-campaign-to-discover-depth-of-gchq-illegal-spying'>https://cis-india.org/internet-governance/blog/cis-joins-worldwide-campaign-to-discover-depth-of-gchq-illegal-spying</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-03-01T06:13:03ZBlog EntrySecurity and Surveillance – Optimizing Security while Safeguarding Human Rights
https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights
<b>The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights.</b>
<p style="text-align: justify; ">The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.</p>
<p style="text-align: justify; ">During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.</p>
<p style="text-align: justify; ">Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.</p>
<p style="text-align: justify; ">Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.</p>
<p style="text-align: justify; ">A common theme seemed to be emerging from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - <i>“There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”</i></p>
<p style="text-align: justify; ">The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, <i>“We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights'>https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2015-02-13T02:41:46ZBlog EntrySecurity, Governments, and Data: Technology and Policy
https://cis-india.org/internet-governance/events/security-governments-data-technology-policy
<b>The Centre for Internet & Society and the Observer Research Foundation invite you to a one day conference on January 8, 2015 in New Delhi. </b>
<h3 style="text-align: justify; "></h3>
<h3 style="text-align: justify; "></h3>
<h3 style="text-align: justify; ">About the Conference</h3>
<p style="text-align: justify; ">The conference will focus on the technologies, policies, and practices around cyber security and surveillance. The conference will reach out to a number of key stakeholders including civil society, industry, government, and academia and explore the present scenario in India to reflect on ways forward.</p>
<h3 align="left" class="western"><strong>Conference </strong><strong>Context</strong></h3>
<p align="justify"><span>Ensuring the security of the India’s cyber space is a complex, challenging, and ever changing responsibility that the government is tasked with. Doing so effectively requires a number of factors to come together in a harmonized strategy including: laws & policies, technical capabilities, markets, and a skilled workforce. It also requires collaboration on multiple levels including with foreign governments, domestic and foreign industry, and law enforcement. The first of these is particularly important given the ability of attackers to penetrate across borders and the global nature of data. Any strategy developed by India must be proactive and reactive – evolving defences to prevent a potential threat and applying tactics to respond to a real time threat. To do so, the government of India must legally have the powers to take action and must have the technical capability to do so. Yet, many of these powers and technical capabilities require a degree of intrusion into the lives of citizens and residents of India through means such as surveillance. Thus, such measures must be considered in light of principles of proportionality and necessity, and legal safeguards are needed to protect against the violation of privacy. Furthermore, a principle of optimization must be considered i.e, how much surveillance achieves the most amount of security and how can this security be achieved with the optimal mix of technology, policy and enforcement.</span></p>
<h3 align="left" class="western">Panel Descriptions</h3>
<p align="left"> </p>
<p align="left"><strong>Challenges & Present Scenario</strong></p>
<p align="left"><strong> </strong><span>Protecting and enhancing the cyber security of India is a complex and dynamic responsibility. The challenge of securing cyber space is magnified by the demarcated nature of the internet, the multiplicity of vulnerabilities that can be exploited at the national level, the magnitude of infrastructure damage possible from a cyber attack, and the complexity of application of a jurisdiction’s law to a space that is technologically borderless. A comprehensive ‘cyber security’ ecosystem is required to address such challenges – one that involves technology, skills, and capabilities – including surveillance capabilities. The Government of India has taken numerous steps to address and resolve such challenges. In July 2013, the National Cyber Security Policy was published for the purpose of creating an enabling framework for the protection of India’s cyber security. In February 2014, the 52</span><sup>nd</sup><span> Standing Committee on Information Technology issued a report assessing the implementation of this policy – in which they found that a number of areas needed strengthening. The Government of India has also proposed the establishment of a number of centres focused on cyber security – such as the National Cyber Coordination Center and the National Critical Information Infrastructure Protection Centre. CERT-IN, under the Department of Electronics and Information Technology is presently the body responsible for overseeing and enforcing cyber security in India, while other bodies such as the Resource Centre for Cyber Forensic and TERM cells under the Department of Telecommunications play critical roles in overseeing and undertaking capabilities related to cyber security.</span></p>
<p align="justify"><strong>Law & Policy</strong></p>
<p align="justify"><span>India has five statutes regulating the collection and use of data for surveillance purposes. These laws define circumstances on which the government is justified in accessing and collecting real time and stored data as well as procedural safeguards they must adhere to when doing so. The Department of Telecommunications has also issued the Unified Access License which, among other things, mandates service providers to provide technical support to enable such collection. The Indian judicial system has also provided a number of Rulings that set standards for the access, collection, and use of data as well as defining limitations and safeguards that must be respected in doing so. The draft Privacy Bill 2011, released by the Department of Personnel and Training, also contained provisions addressing surveillance in the context of interception and the use of electronic video recording devices. In the Report of the Group of Experts on Privacy, the AP Shah Committee found that the legal regime for surveillance in India was not harmonized and lacked safeguards. Furthermore, in the era where the direct collection of large volumes of data is easily possible, there is a growing need to re-visit questions about the legitimate and proportionate collection and use (particularly as evidence) of such data. Questions are also arising about the applicability of standards and safeguards to the state. At a global level, catalyzed by the leaks by Edward Snowden, there has been a strong push for governments to review and structure their surveillance regimes to ensure that they are in line with international human rights standards.</span></p>
<p align="justify"><strong>Architecture & Technology</strong></p>
<p align="justify"><span>India is in the process of architecting a number of initiatives that seek to enable the collection and sharing of intelligence such as the CMS, NATGRID, and NETRA. At a regional level, the Ministry of Home Affairs is in the process of implementing ‘Mega Policing Cities’ which include the instalment of CCTV’s and centralized access to crime related information. Globally, law enforcement and governments are beginning to take advantage of the possibilities created by ‘Big Data’ and ‘open source’ policing. The architecture and technology behind any surveillance and cyber security initiative are key to its success. Intelligently and appropriately designed projects and technology can also minimize the possibility of intrusions into the private lives of citizens. Strong access controls, decentralized architecture, and targeted access are all principles that can be incorporated into the architecture and technology behind a project or initiative. At the same time, the technology or process around a project can serve as the ‘weakest link’ – as it is vulnerable to attacks and tampering. Such possibilities raise concerns about the use of foreign technology and dependencies on foreign governments and companies.</span></p>
<p align="justify"><strong>International and Domestic Markets</strong></p>
<p align="justify"><strong> </strong><span>Globally, the security market is growing – with companies offering a range of services and products that facilitate surveillance and can be used towards enhancing cyber security. In India, the security market is also growing with studies predicting that it will reach $1.06 billion by 2015. Recognizing the potential threat posed by imported security and telecom equipment, India also develops its own technologies through the Centre for Development of Telematics –attached to the Department of Telecommunications, and the Centre for Development of Advanced Computing – attached to the Department of Electronics and Information Technology. At times India has also imposed bans on the import of technologies believed to be compromised. Towards this end, the Government of India has a number of bodies responsible for licensing, auditing, and certifying the use of security and telecommunication equipment. Though India has recognized the security vulnerabilities posed by these technologies, as of yet it has not formally recognized the human rights violations that are made possible. Indeed, though India has submitted a request to be a signing member of the </span><span>Wassenaar agreement, they have yet to be accepted.</span></p>
<h3 style="text-align: justify; ">Agenda</h3>
<table class="plain">
<tbody>
<tr>
<td>11.00</td>
<td>Registration & Tea</td>
</tr>
<tr>
<td>11.30</td>
<td>Key Note Speech</td>
</tr>
<tr>
<td>12.00</td>
<td>Challenges & Present Scenario</td>
</tr>
<tr>
<td>13.00</td>
<td>Law & Policy</td>
</tr>
<tr>
<td>14.00</td>
<td>Lunch</td>
</tr>
<tr>
<td>15.00</td>
<td>Architecture & Technology</td>
</tr>
<tr>
<td>16.00</td>
<td>International & Domestic Markets</td>
</tr>
<tr>
<td>17.00</td>
<td>Tea</td>
</tr>
<tr>
<td>17.30</td>
<td>Conclusion & Closing Remarks</td>
</tr>
</tbody>
</table>
<h3></h3>
<ol> </ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/security-governments-data-technology-policy'>https://cis-india.org/internet-governance/events/security-governments-data-technology-policy</a>
</p>
No publisherelonnaiEventInternet Governance2014-12-24T08:06:59ZEvent