Centre for Internet and Society

Gone in a flash

praskrishna — 2011-04-20T04:58:48Z

Net-savvy crowds gather in public places for moments of wacky fun, then vanish. This article by Neha Thirani was published in the Times of India Crest Edition on April 16, 2011.

It's an ordinary day at the MGF mall in Gurgaon, when a group of fifteen people suddenly appears carrying lanterns made from discarded plastic bottles and starts passing them along in relay fashion. Starting from the plaza in front of the mall, the crowd goes into the metro station nearby and back again, and then suddenly disperses, attracting amused stares from befuddled passersby. This lantern-wielding crowd is a flash mob, a global phenomenon that has now hit India.

So is this part of a mass social experiment? Political movement? Performance art? Pointless fun? Malini Kochupillai and Kanishka Prasad, both professors at the Sushant School of Art and Architecture in Gurgaon who orchestrated the event, say it's an effort to add a modicum of vibrancy to otherwise ignored public places, reclaiming the space for public use. Along with their students, the duo has organised about a dozen such 'flash mobs'.

For the uninitiated, a flash mob appears to be entirely random - a group of people, performing an unusual and seemingly pointless act and then dispersing. For those in the know, the flash mob is mobilised by an organiser, who brings together a crowd of people at a predefined location and time via social media, viral emails or mass texting. The crowd then carries out a scripted series of actions. The participants are typically strangers and the purpose is usually satire. Their actions transform a public place for the period of the performance, and engender discussion at the unexpected.

This rather quirky social phenomenon, popular in the US and Europe, originated in 2003 when Bill Wasik, senior editor of Harper's Magazine, organised the first successful flash mob in Macy's department store. Over a hundred people converged on the store, gathered over an expensive rug and pretended to be shopping for a 'love rug' for their shared apartment. Wasik's aim was apolitical. Through amusement, he wanted to question notions of conformity and the hipster culture of wanting to be a part of the 'next big thing'. Since then, there have been hugely successful flash mobs all over Europe and America. The biggest recorded flash mob has been the International Pillow Fight Day, which took place on March 22, 2008 in over 25 cities simultaneously. More recently, Egypt has seen a series of flash mobs who left security forces befuddled by their silent protests.

While the word was officially coined in 2003, the phenomenon can be traced back to 18th century England where workers in an assembly line would stitch secret messages into garments to plan a congregation of strangers.

Nishant Shah, research director for the Centre for Internet and Society in Bangalore, says the growth in places of globalised consumption parallels the formation of flash mobs. "We can call malls places of public consumption, but at the back of our minds is the uneasy thought that the sign reads - rights of entry reserved. The mall, then, is only for certain public, " says Shah. "What flash mobs do is abuse the space - subverting the intention of the space that they are orchestrated in. "

This social experiment that has now made its way to metros across the country has been loosely related to locations of consumerism. The first ever flash mob in India took place on October 4, 2003 when a group of over 60 people swarmed the then newly built Crossroads mall in Mumbai. The flash mobbers shocked the malls security guards when they inexplicably starting screaming into their cellphones vague directions such as: "Infosys becho ek hazaar, and SBI gheun tak don she. " This was followed by some frenzied dancing, and a moment later, they were gone.

New media professional Noel Braganza, 26, organised a flash mob in the main courtyard of Phoenix Mills, Mumbai on Independence Day last year. Along with his colleague Nicole, Braganza spread the message over social media entirely;"We didn't take any prior permission, and this was possible because we organised it around Independence Day - our concept was patriotic, not disruptive, " says Braganza. At 4 pm on August 15, 2010, a crowd of over one hundred people, dressed in tri-color, lined up in rows in the courtyard of Pheonix Mills, sang the national anthem and then dispersed. Though most were there by design, some of the shoppers present joined spontaneously. "There was a huge snaking queue outside Big Bazaar that stopped in its tracks and started singing. "

The Urban Gorillaz - as the Gurgaon group is called - has organised its events with a particular focus on reclaiming spaces that have largely been ignored, or usurped by private developers. "Most public spaces in Delhi are decrepit and in desperate need of refurbishment, " says Kochupillai. "Perhaps increased use of these spaces will push the authorities to look beyond roads, flyovers and parking lots and give pedestrians an equally deserving space in the public realm. " The group encourages people to engage with the spaces available to them so that they do not become unused and unsafe.

By studying what prevents or promotes the use of public space - such as movement patterns, active/ inactive zones and traffic interference in pedestrian areas - the group hopes to encourage architects and urban planners to create spaces where people can relax without feeling like they are trespassing or encroaching. "A flash mob says that you can create public spaces but we will decide how we will use them, " says Nishant Shah. "It gives a certain sense of power to the user who is no longer a consumer but an architect of the space. "

Started as an exercise in an architecture class at the Sushant School of Art and Architecture, the Urban Gorillaz facebook group has grown to over 400 members.

Up until now, they have orchestrated over ten flash mobs doing a variety of random acts from exercising in the main courtyard of Heritage city, flying paper planes in an office complex, sketching people passing by in a mall, creating installations for passersby to paint and building a canopy on a sidewalk with rope and bamboo. The one which attracted the most attention was during the Commonwealth Games, where they organised the 'Common Man Games' at Nehru Place to entertain Delhi citizens who were sidelined during the games. The games included track and field and pitthu.

"The first reaction of most people is what are you selling or promoting? And I reply that I am promoting public space, " says Kochupillai. "On occasions when guards have asked us to stop, we simply move into an area that is not under their jurisdiction. " The group has not encountered much antagonism, with most people amused rather than angry. Pragya Vig, 19, is a member of the group and a second year student at the college. "It set me thinking - why aren't we using the public spaces?" says Vig.

In the coming month, the Urban Gorillaz are planning flash mobs in the metro to raise awareness for a women's right to personal space.

Not all flash mobs have any apparent rationale. In the week after the death of Michael Jackson, Bangalore saw a spontaneous flash mob. At every red light signal, whenever the traffic would stop, people would suddenly come together and perform popular Michael Jackson dance moves. When the light changed, they would be gone in a flash.

Read the article in the Times of India

For more details visit https://cis-india.org/news/changing-tide

Iraq Delegation to Visit India for Study of E-Governance in Indian Cities ― Meetings in Bangalore and Delhi

praskrishna — 2011-08-02T07:13:52Z

An Iraqi Government delegation headed by HE Mr. Abdul Kareem Al-Samarai, Minister of Science & Technology, Government of Iraq will be in India on a e-governance tour. The study tour is organised by the United Nations Development Programme (UNDP) and the Economic and Social Commission for Western Asia (ESCWA).

The Building e-Iraq National e-Governance strategic plan clearly emphasizes the need for connecting services and citizens to better access of information and services using ICTs as a leading resource/innovative force and as a contributing factor to enhancing transparency and accountability as well as facilitate the effective and efficient provisioning of essential services. In this context, and as identified by the Iraqi e-governance ministerial steering committee, community service centers (CSCs) have been identified as having a direct bearing on sustainable social and economical changes consistent with the MDGs.

As agreed within the steering committee, the community based connectivity services centres will be hosted within existing community structures throughout Iraq in order to enhance penetration levels and provide for cost-effective strategies. Post offices and youth centres would henceforth represent the point of entry for the community centres, where the Iraqi government is rehabilitating the buildings and has already provided Internet access with the hope of introducing e-governance services. The centres will also be linked with the implementation of the pilot e-services to promote access to information resources and government programmes and services. Additionally, the centres will serve to address local issues and priorities.

UNDP in partnership with ESCWA is organizing a study tour to India that would expose senior Iraqi stakeholders to e-government and e-governance as a means to enhance the effectiveness and efficiency of the public sector in service provision, and make them learn from India's experience in:

Harnessing ICT technologies in service of community development, inclusiveness and empowerment, particularly at the local level;

Highlighting e-governance practices in connecting citizens to the state – at both the federal and local levels – and enhancing services;
Presenting success stories and lessons learned from India’s experience in instigating and operating CSCs; and
Providing the Government of India with a frame of reference in designing an appropriate, efficient and effective decentralized planning process and service delivery.

Dr. Samir Salim Raouf, Deputy Minister, Ministry of Science and Technology, Dr. Mahmood Kasim Sharief, Director General, Ministry of Science and Technology, Zagros Fattah Mohammed Mohammed, Director General, Ministry of Planning - KRG, Najwa Saeed Fathullah, Director General, Ministry of Finance, Majeed Hameed Jassim, Director General, Ministry of Communication, Dr. Kathim Mohammed Breesam, Director General, Ministry of Planning, Majed Sadoon Jasim, Director General, Ministry of Interior, Naeef Thamer Hussien, Director General, Ministry of Education, Ismael Khaleel Murad, Chief of Information, Ministry of Higher Education, Anwer Alwan Jassim, Ministry of Higher Education, Khalaf Muhammad Khalaf, Deputy Director General, Ministry of Education, Samer Noori Taqi, Chief of Information, Ministry of Municipalities and Public Works, Safaa Mohammed Kassar, Anbar Governorates, Abdulamer Abdulwahid Mubarak, Basra Governorates, Isam Hussein Ali, Ministry of Science and Technology, Sudipto Mukherjee, Head of Economic Recovery and Poverty Alleviation, UNDP, Abeer Fawaeer, E-Governance Specialist, UNDP and Dalia Zendi, Project Associate, UNDP will participate in the meetings.

Study tour structure

The delegation will hold meetings with Deepak Menon of India Water Portal, Ashok Kamath of Pratham Books, Srikanth Nadhamuni of E-governments foundation, Dr. Subbramanya of Geodesic, Parth Sarwate of Azim Premji Foundation, Abhay Singhavi of Narayana Hrydayalaya and MN Vidyashankar and DS Ravindran of Department of e-governance, Government of Karnataka.

In Delhi, the delegation will hold meetings in the Department of Information Technology, National Informatics Centre, National Institute for Smart Government, Ministry of Urban Development and Ministry of Panchayati Raj.

Expected outcomes

The study tour will be concluded in Delhi with a brainstorming session to discuss and explore the results achieved by the study tour, and ultimately formulate an integrated framework for identifying, establishing, operating and managing CSCs in Iraq with wider national and local e-governance development plan in line with overarching public sector and modernization programme and generate a list of pilots quick-win e-services applications that can be implemented in Iraq.

Other expected outputs are:

To identify critical and relevant lessons from the Indian e-governance models, with particular emphasis on linkages between ICT and broad-based development in the areas of education, health, water and social development of rural and urban areas;
To enhance awareness on the role and operation of CSCs at various levels and their pivotal role in facilitating access to essential services and reducing service costs;
To improve understanding of the challenges in the effective application of ICTs for development and the key factors in the design and implementation of ICT for development projects and programmes;
To enhance the understanding of the measures to be undertaken by the centre and the provinces to identify and put in place e-services;
To highlight the successes and lessons learned from the Indian decentralized and local area planning and development model;
To learn about the latest development in IT industry and the infrastructure required for CSCs and e-services; and
To explore working partnerships between the Government of India and the Indian IT companies.

This study tour is in furtherance to the e-Governance Action plan prepared by the Iraq Government. The Centre for Internet and Society is assisting the delegation for the meetings held in Bangalore.

For more details visit https://cis-india.org/internet-governance/blog/iraqi-e-governance-india-tour

Limits to Privacy

praskrishna — 2012-12-14T10:28:59Z

In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as “public interest” and “security of the state” that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

For more details visit https://cis-india.org/internet-governance/publications/limits-privacy.pdf

How Web 2.0 responded to Hazare

praskrishna — 2011-04-11T10:38:03Z

Social media often fails to give us time to form critical opinions. ‘It mirrored the spectacle that we were being fed by TV channels', says Nishant Shah in an interview with Deepa Kurup. This news was published in the Hindu on April 11, 2011.

By Day Two of the protests at Jantar Mantar, where social activist Anna Hazare was leading a fast-unto-death against corruption, most commentators were drawing fierce parallels with Tahrir Square, and other pro-democracy revolutions in the Middle-East.

Soon enough, the social media angle raised its head. After a quiet Tuesday, when television channels began to “play up” the protests, Wednesday morning saw social media platforms abuzz with chatter. Initiated by campaign organisers, the India Against Corruption team, Facebook profile badges, missed call campaigns and petitions (most notably on online campaign site Avaaz (where over 6.17 lakh have registered support) entered the scene.

In 140 characters, #janlokpal, #annahazare and the less gracious #meranetachorhain began to trend on Twitter. YouTube shows up around 2,000 video results, a lot of which are amateur videos shot by participants.

‘Causes' application requests for “brandishing corruption”, ‘Like'-this-revolution requests and Tweets on how you can indeed weed out the corruption demon with a Re-Tweet, were abound.

But did this social media buzz translate into more people on the ground? Did the Tweets and chain e-mails, that were doing the rounds fairly early on, manage to drive public opinion, or outrage, as in this case? On this, the jury is divided.

Crunching numbers

Even in the Middle-East, where we saw dictators plug social media channels, experts have downplayed the pivotal role attributed to social media. A tool for sharing information, its standalone role in triggering a revolution has been dismissed by many.

In the current context, this is even more difficult to establish because efforts appear to be all too scattered, unlike in Egypt where the ‘We are all Khaled Said' page by Wael Ghonim, appeared to be a focal point of sorts.

In comparison, a simple search on Facebook reveals over 20 pages that all have around 25,000-30,000 users on-board. Mr. Hazare's Facebook profile page has over 1.3 lakh ‘Likes'.

Gaurav Mishra, social media analyst, pegs the total support at around 15 lakh. Drawing parallels with the citizen activism campaigns that emerged between the terrorist attacks in Mumbai in 2008 and the Lok Sabha elections of 2009 (the former being when social media arrived in India), Mr. Mishra also points out that corruption did go for a Six on Friday (the final day) with IPL4 dominating conversation online.

Nishant Shah, director (research) at the Centre for Internet and Society, points out that while during revolutions, the social media has proved to be a poignant and powerful tool to mobilise resources, last week it emerged that it can not only propagate dubious opinions, but also it often (because it relies on the temporal quality of making things viral) fails to give us time to form critical opinions.

He compares a platform like Avaaz, that mobilised people ‘against corruption', with long-term Ipaidabribe project (using the same digital tools) which actually leads to debate around why corruption is so endemic.

Mirrors TV

Interestingly, as Mr. Shah points out, the social media mirrored the spectacle that people were being fed by TV channels, instead of being a true discursive space of public dialogue. It's now getting clear that they are actually playing out an interesting traction as they supplement each other in bolstering of evidence and participation, he adds.

On the other hand, blogs too were abuzz. However, many did seek to provide deeper perspective, and provided more space for debate and dissent. In fact, progressive blogs even attempted to counter the one-sided commentary provided on traditional visual media.

Click here for the story in the Hindu

For more details visit https://cis-india.org/news/web2.0-responds-to-hazare

Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?

Prashant Iyengar — 2012-12-14T10:29:12Z

How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples.

What kinds of computer related activities impinge on privacy?

Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tend to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, Internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which have the effect of impinging on one’s privacy.

Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [1].

What provisions in the IT Act protect against violations of privacy?

At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’; expansively as including a “computer, computer system, computer network, data, computer database or software” [2]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, then IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.

Intrusions into computers and mobile devices

accessing

downloading/copying/extraction of data or extracts any data

introduction of computer contaminant[3];or computer virus[4]

causing damage either to the computer resource or data residing on it

disruption

denial of access

facilitating access by an unauthorized person

charging the services availed of by a person to the account of another person,

destruction or diminishing of value of information

stealing, concealing, destroying or altering source code with an intention

The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both[5].

Bangalore techie convicted for hacking govt site (2009, Deccan Herald)[6]

In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).

Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.

The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.

The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.

Children's privacy online

As computers and the Internet become ubiquitous children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.

The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment upto five years (seven years for repeat offenders) and with a fine of upto Rs. 10 lakh.

Secondly, this section punishes the online enticement of children into sexually explicitly acts, and the facilitation of child abuse, which are also punishable as above.

Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.

The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.

In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [7]require ‘intermediaries’[8]to notify users not to store, update, transmit and store any information that is inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.

Electronic Voyeurism

Although once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the costs and the size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [9]of any person without their consent, "under circumstances violating the privacy" [10] of that person.

This offence is punishable with imprisonment of upto three years or with a fine of upto Rs. two lakh or both.

Phishing – or Identity Theft

The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly a new type of crime has emerged wherein sim cards of mobile phones have been ‘cloned’ enabling miscreants to make calls on others' accounts. This is also a form of identity theft.

Two sections of the amended IT Act penalize these crimes:

Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [11] by means of any ‘communication device’[12] or 'computer resource'.

Both offences are punishable with imprisonment of upto three years or with a fine of upto Rs. one lakh.

Mumbai Police Solves Phishing scam [13]

In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.

An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.

The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.

He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.

After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking."

The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.

This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.

Spam and Offensive Messages

Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.

Section 66A of the IT Act attempts to address this situation by penalizing the sending of:

any message which is grossly offensive or has a menacing character
false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will
any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;

This offence is punishable with imprisonment upto three years and with a fine[14]

Hoax E-mails [15]

In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.

According to police officials, at around 1p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.

Minor Hoax Spells Major Trouble

Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.
Status: Patel was given a warning by a juvenile court
A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.
Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint against him, and the boy was allowed to go home after the police gave him a “strict warning”.
Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.
Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.
On February 26, 2006, a 17-yearold student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.
Status: After being grilled by the police, he was arrested, but let out on bail.

Lawful Interception and monitoring of electronic communications under the IT Act

In addition to violations of privacy by criminal and the mischievous minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.

The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced, In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.

Unlawful Intercept

In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [16].

The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [17].

In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".

"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69.

Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since they are more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.

Who may lawfully intercept?

Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.

Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [18].

	Central Government	State/Union Territory
Ordinary Circumstances	Secretary in the Ministry of Home Affairs	Secretary in charge of Home Departments of State
Emergency	Head or second senior most officer of security and law enforcement	Authorized officer not below the rank of Inspectors General of Police

However, an exception is made in cases of emergency, either

in remote areas where obtaining prior directions from the competent authority is not feasible or

for ‘operational reasons’ where obtaining prior directions is not feasible.

In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.

Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.

Under what circumstances a direction to intercept may be issued?

Purposes for which interception may be directed

Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:

sovereignty or integrity of India,

defense of India,

security of the state,

friendly relations with foreign states or

public order or

preventing incitement to the commission of any cognizable offence relating to above or

for investigation of any offence.

Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[20] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.

Contents of direction

The reasons for ordering interception must be recorded in writing [21].

In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [22]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [23]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [24].

Duration of interception and periodic review

Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [25]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.

Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [26]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [27]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [28].

What powers of interception do they have?

The competent authority may, in his written direction “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[29].

Accordingly, the subscriber or intermediary or any person in charge of the computer resource is must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:

provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

intercept, monitor, or decrypt[30] the information, as the case may be; or

provide information stored in computer resource.

The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [31]. This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [32].

In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [33].

How long can information collected during interception be retained?

Interception rules require all records, including electronic records pertaining to interception to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.

In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.

What penalties accrue to intermediaries and subscribers for resisting interception?

Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.

Data Protection under the IT Act

Data Retention Requirements of 'Intermediaries'

Section 67C of the amended IT Act mandates ‘intermediaries’[34] to maintain and preserve certain information under their control for durations which are to be specified by law.

Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.

Liability for body-corporates under section 43A

The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure.

It is only the narrowly-defined ‘body corporates’ [35] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [36].

“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.

The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.

By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.

Mphasis BPO Fraud: 2005 [37]

In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs.

In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount recovered was $230,000.

Draft Reasonable Security Practices Rules 2011 [38]

In February 2011, the Ministry of Information and Technology, published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.

Sensitive Personal Information
Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:

password;

user details as provided at the time of registration or thereafter;

information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;

physiological and mental health condition;

medical records and history;(vi) Biometric information;

information received by body corporate for processing, stored or processed under lawful contract or otherwise;

call data records;

This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.

They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[40]

Mandatory Privacy Policies for body corporates

Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [41]. The policy must provide details of:

Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
Purpose, means and modes of usage of such information;
Disclosure of information as provided in rule 6 [42].

Prior Consent and Use Limitation during Data Collection

In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[43] to ensure that the individual from whom data is collected is aware of :

the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of :
the agency that is collecting the information; and
the agency that will hold the information.

During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [44]. They must also permit individuals to review and modify the information they provide "wherever necessary" [45]. Information collected is to be kept securely [46], used only for the stated purpose [47] and any grievances must be addressed by the body corporate “in a time bound manner” [48].

Unlike "sensitive personal information" there is no obligation to retain information only for as long as is it is required for the purpose collected.

Limitations on Disclosure of Information

The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [49]. The body corporate or any person on its behalf shall not publish the sensitive personal information [50]. Any third party receiving this information is prohibited from disclosing it further [51]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [52].

Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [53].

Reasonable Security Practices

Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:

a comprehensive documented information security program; and

information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.

The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.

The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.

Penalties and Remedies for breach of Data Protection

Civil Liability for Corporates

As mentioned above, any body corporates who fail to observe data protection norms may be liable to pay compensation if:

it is negligent in implementing and maintaining reasonable security practices, and thereby

causes wrongful loss or wrongful gain to any person;[54]

Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further, details of the powers and functions of this officer are given in succeeding sections of this note.

Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act

Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Criminal Liability for unauthorized disclosure of information by any person of information obtained under contract

Section 72A of the IT Act imposes a penalty on any person [55] (including an intermediary) who

has obtained personal information while providing services under a lawful contract and

discloses the personal information without consent of the person,

with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [56]

Such unauthorised disclosure to a third person is punishable with imprisonment upto three years or with fine upto Rs five lakh, or both.

Whom to call? Adjudicatory Mechanism and Remedies under the IT Act

This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?

As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.

Civil Damages and Compensation

Whom to approach?

Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [57].

However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [58].

Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.

When must a complaint be filed?

The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [59].

What is the procedure?

Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if , on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”

In order to carry out their duties adjudicating officer have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [60]. Additionally, they have the power to punish for their contempt undert the Code of Criminal Procedure.

Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [61].

Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—

the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

the amount of loss caused to any person as a result of the default;

the repetitive nature of the default.

Where must a complaint be filed and in what format?

The complaint must be made to the adjudicating officer of the state or union territory on the basis of location of computer system, computer network. The complaint must be made on a plain paper in the format provided in the Performa attached to the rules [62].

In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [63].

How long does the process take?

The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [64].

How much does it cost?

The Rules stipulates a variable fee payable by a bank draft calculated on the basis of damages claimed by way of compensation

a) Upto Rs. 10,000	10% ad valorem rounded off to nearest next hundred
b) From 10001 to Rs.50000	Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred
c) From Rs.50001 to Rs.100000	Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred
d) More than Rs. 100000	Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred

Appeals to the Cyber Appellate Tribunal and the High Court

The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.

Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.

Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.

Can contraventions be compounded (compromised) with the offender?

Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[65].

Criminal Penalties

The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [66]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).

Whom to approach? Who can take cognizance of offences and investigate them?

Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.

Many states have set up dedicated cyber crime police stations to investigate offences under this Act [67]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [68].

When must a complaint be lodged?

Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and it’s reporting to the nearest police station.

The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [69].

What is the procedure?

No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.

Can offences be compounded?

Offences punishable with imprisonment of upto three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [70].

Bibliography

[1].The IT Act is only one of the various laws which safeguard citizens from violations of online privacy. In addition, in the domain of finance, for instance, various RBI regulations mandate strong security protocols with respect to data held by financial institutions. Since this is the subject of a different dispatch on banking and privacy which we have brought out, these regulations are omitted from this discussion.

[2].Section 2(k) of the IT Act defines ‘computer’ as any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.

[3].Section 43 defines "computer contaminant" as any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;

[6].Section 66 of the IT Act. Anon, 2009. Bangalore techie convicted for hacking govt site. Deccan Herald. Available at: http://goo.gl/jCvAh. [Accessed March 29, 2011];

[7].The Information Technology (Due Diligence observed by Intermediaries Guidelines) Rules, 2011;

[8].‘Intermediary’ has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, “any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes

[9].‘Private area’ has been defined in section 66E as “the naked or undergarment clad genitals, pubic area, buttocks or female breast”.

[10].Defined as “circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place”. See explanation to Section 66E

[11]."Cheating by personation" is a crime defined under section 416 the Indian Penal Code. According to that section, “a person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is." The explanation to the section adds that "the offence is committed whether the individual personated is a real or imaginary person". Two illustrations to the section further elaborate its meaning: (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by personation (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.

[12].Communication device" has been defined to mean "cell phones, personal digital assistance (sic) or combination of both or any other device used to communicate send or transmit any text, video, audio or image".

[13].2005. Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police. Available at: http://www.cybercellmumbai.com/case-studies/case-of-fishing [Accessed March 23, 2011].

[14]. Although no maximum limit is prescribed for the fine under this section, Section 63 of the Indian Penal Code declares that “Where no sum is expressed to which a fine may extend, the amount of fine to which the offender is liable is unlimited, but shall not be excessive”.

[15].Hafeez, M., 2009. Crime Line: Curiosity was his main motive, say city police. Crime Line. Available at: http://mateenhafeez.blogspot.com/2009/05/curiosity-was-his-main-motive-say-city.html [Accessed March 23, 2011].

[16]. Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[18]. By contrast, rules framed under Section 69B designates only the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and IT as the “competent authority” to issue orders of interception.

[19].It is unclear what these “operational reasons” could mean. The text of the rules provide no useful guidance.

[20].“Cyber security breach” is defined as meaning “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly acceptable security policy resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or changes to date, information without authorization”. Rule 2(f) of the Monitoring and Collecting of Traffic Data Rules 2009.

[21].Rule 7 of the Interception Rules 2009; Rule 3(3) of the Monitoring and Collecting of Traffic Data Rules 2009

[22].Rule 8 of the Interception Rules 2009

[23]. Rule 9 of the Interception Rules 2009

[24].Rule 10 of the Interception Rules 2009;

[25].Rule 11 of the Interception Rules 2009

[26].Rule 7 of the Interception Rules 2009

[27].Rule 22 of the Interception Rules 2009

[28]. Ibid

[29].Section 69 of the IT Act.

[30].The intermediary is required to assist in the decryption only to the extent that the intermediary has control over the decryption key. See Sub-Rule 13(3) of the Interception Rules 2009. Rule 17 enjoins the holder of a decryption key to provide decryption assistance when directed to by the competent authority.

[31].Rule 16 of the Interception Rules 2009

[32].Rule 18 of the Interception Rules 2009

[33]. Rule 20 of the Interception Rules 2009; Rules 10 & 11 of the Monitoring and Collecting of Traffic Data Rules 2009. Failure to maintain secrecy of data may attract punishment under Section 72 of the Information Technology Act.

[34].Supra n. 6 for definition

[35].Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

[36].This does not necessarily mean that these entitles are exempt from taking reasonable care to safeguard information that they collect, maintain or control – only that remedies against the government must be sought under general common law, rather than under the IT Act.

[37].Anon, 2005. The MphasiS Scandal – And How it Concerns U.S. Companies Considering Offshore BPO. Carretek. Available at: http://www.carretek.com/main/news/articles/MphasiS_scandal.htm [Accessed March 29, 2011]. See also Anon, 2005. MphasiS case: BPOs feel need to tighten security. Indian Express. Available at: http://www.expressindia.com/news/fullstory.php?newsid=44856 [Accessed March 29, 2011].

[38]. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011. Available at http://www.mit.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf, last accessed February 15th, 2011.

[39].Rule 5 of the Draft Rules.

[40]. This is perhaps a bit vague, since the potential ‘lawful uses’ are numerous and could be inexhaustible. It is unclear whether “lawful usage” is coterminous with “the uses which are disclosed to the individual at the time of collection”. In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.

[41].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[42]. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6.

[43].One wonders about the convoluted language used here when a simpler phrase like “take reasonable steps” alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

[44].Sub-Rule 5(7).

[45].Sub-Rule 5(6). It is unclear what would count as a ‘necessary’ circumstance and who would be the authority to determine such necessity.

[46].Sub-Rule 5(8).

[47].Sub-Rule 5(5).

[48].Sub-Rule 5(9).

[49]. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes “sensitive personal information”. The proviso to this rule includes the phrase “sensitive information”, which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information.

[50].Sub-Rule 6(3).

[51].Sub-Rule 6(4).

[52].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?

[53].This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

[54]. “Wrongful loss” and “wrongful gain” have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.” The section also includes this interesting explanation “Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property”. Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a “wrongful gain”.

[55]. Section 3(39) of the General Clauses Act defines a person to include “any company or association or body of individuals whether incorporated or not”. An interesting question here would be whether the State can be considered “a person” so that it can be held liable for unauthorized disclosure of personal information. In an early case of Shiv Prasad v. Punjab State AIR 1957 Punj 150, the Punjab High Court had excluded this possibility. However, the case law on this point has not been consistent. In Ramanlal Maheshwari v.Municipal Committee, the MP High Court held that the Municipal Council could be treated as a ‘person’ for the purpose of levying a fine attached to a criminal offence. Statutory corporate bodies (such as the proposed UID Authority of India) have been held to be ‘persons’ for purposes of law . See Commissioners, Port of Calcutta v. General Trading Corporation, AIR 1964 Cal 290. Here under the Calcutta Port Act, Port Commissioners were declared to be a “body corporate”, and hence were held to be a ‘person’.

[56].See supra n. 44.

[57]. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at < http://www.mit.gov.in/content/it-act-notification-no-240> .

[58].See Section 46(1A).

[59].Schedule I, Part X of the Limitation Act “Suits for which there is no prescribed period.”

[60].The powers of the Cyber Appellate Tribunal under Section 58 include the powers of (a) summoning and enforcing the attendance of any person and examining him on oath; (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses or documents; (e) reviewing its decisions; (f) dismissing an application for default or deciding it ex parte.

[61].Information Technology (Qualification and Experience of Adjudicating Officers and Manner of holding Enquiry) Rules, 2003 [GSR 220(E)] Available at <http://cca.gov.in/rw/resource/notification-gsr220e.pdf?download=true>.

[62]. Ibid Rule 4(b).

[63]. Section 75.

[64]. Ibid, Rule 4(k).

[65]. Section 63 of the Act.

[66].Prior to amendment in 2008, contraventions listed in Section 43 were only liable to be compensated by damages through civil proceedings. Thus in 2007, the Madras High Court annulled an FIR lodged in a police station which listed an activity mentioned in 43(g). See S. Sekar vs The Principal General Manager < http://indiankanoon.org/doc/182565/> This position has however been changed with the new Section 66 which makes all actions listed in Section 43 an offence when committed with dishonest or fraudulent intent. Thus an FIR can be lodged with respect to these activities as well.

[67].An incomplete list of cyber crime cells of police in different states can be viewed at <http://infosecawareness.in/cyber-crime-cells-in-india>.

[68]. Home and Transport3 Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at < http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf>.

[69]. Sections 468 and 469 of the Code of Criminal Procedure, 1973.

[70]. Section 77A of the Information Technology Act.

Click below to download files of your choice:

PDF [347 kb]
Open Office [51 kb]
Word File [55 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

DIT's Response to RTI on Website Blocking

pranesh — 2011-08-02T07:13:47Z

For the first time in India, we have a list of websites that are blocked by order of the Indian government. This data was received from the Department of Information Technology in response to an RTI that CIS filed. Pranesh Prakash of CIS analyzes the implications of these blocks, as well as the shortcomings of the DIT's response.

Quick Analysis of DIT's Response to the RTI

Blocked websites

The eleven websites that the DIT acknowledges are blocked in India are:

Of the eleven blocked websites, one was still accessible on a Tata Communications DSL connection. Two of the blocked websites are grassroots news organizations connected to the Independent Media Centre: IndyBay (San Francisco Bay Area IMC) and the Arizona Indymedia website. The Bloggernews.net page that is on the blocked list is in fact an article by N. Vijayashankar (Naavi) from March 12, 2010 titled "Is E2 labs right in getting zone-h.org blocked?", criticising the judicial blocking of Zone-H.org by E2 Labs (with E2 Labs being represented by lawyer Pawan Duggal). The Zone-H.org case is still going through the judicial motions in the District Court of Delhi, but E2 Labs managed to get an ex parte (i.e., without Zone-H being heard) interim order from the judge asking Designated Officer (Mr. Gulshan Rai of DIT) to block access to Zone-H.org.

As has happened in the past, the government (or the court) accidentally ordered the blocking of all of website host webs.com, instead of blocking only http://donotdial100.webs.com (which subdomain apparently hosted 'defamatory' and 'abusive' information about mafia links within the Maharashtra police and political circles).

It is interesting to note that for most of the websites on most ISPs one gets a 'request timed out' error while trying to access the blocked websites, and not a sign saying: "site blocked for XYZ reason on request dated DD-MM-YYYY received from the DIT". On Reliance broadband connections, for some of the above websites an error message appears, which states: "This site has been blocked as per instructions from Department of Telecom".

Judicial blocking

As per the response of the government, all eleven seem to have been blocked on orders received from the judiciary. While they don't state this directly, this is the conclusion one is led to since the Department admits to blocking eleven websites and also notes that there have been eleven requests for blocking from the judiciary. Normally the judiciary is often thought of as a check on the executive's penchant for banning (seen especially in the recent book banning cases in Maharashtra, for instance, where the Bombay High Court has overturned most of the government's banning orders). However, in these cases the ill-informed lower judiciary seem to be manipulated by lawyers to suppress freedom of speech and expression, even going to the extent of blocking grassroots activist news organizations like the Independent Media Centre.

Websites not blocked by DIT

The DIT also notes that the blocks on Typepad.com was not authorized by it (nor, according to the RTI response received by Nikhil Pahwa of Medianama was the Mobango.com block authorised by the DIT). Typepad.com, Mobango.com, and Clickatell.com don't seem to be blocked currently. However, as was reported by Medianama, for a while when they were being blocked, some sites and ISPs (such as Typepad.com on Bharti Airtel DSL) showed a message stating that the website was blocked on request from the Department of Telecom, which we don't believe has the authority to order blocking of websites. While we still await a response from the Department of Telecom to the RTI we filed with them on this topic, in a letter to the Hindu, the Department of Telecom has clarified that it did not order any block on Typepad.com or any of the other websites. This leaves us unsure as to who ordered these blocks. Further, it points out a lacuna in our information policy that ISPs can suo motu block websites without justifications (such as violation of terms of use), proper notice to customers, or any kind of repercussions for wrongful blocking.

Insufficient information on Committee for Examination of Requests

All requests for websites blocking (except those directly from the judiciary) must be vetted by the Committee for Examination of Requests (CER) under Rule 8(4) of the Rules under s.69A of the IT Act. Given that the DIT admits that the Designated Officer (who carries out the blocking) has received 21 requests to date, there should be at least 21 recommendations of the CER. However, the DIT has not provided us with the details of those 21 requests and the 21 recommendations. We are filing another RTI to uncover this information.

Text of the DIT's Response

Government of India
Ministry of Communications & Information Technology
Department of Information Technology
Electronics Niketan, 6 CGO Complex,
New Delhi-110003

No : 14(3)/2011-ESD

Shri Pranesh Prakash
Centre for Internet and Society
194, 2-C Cross,
Domulur Stage II,
Bangalore- 560071.

Subject: Request for information under RTI Act,

Sir,
Reference your request dated 28lh February 2011 on the above subject.
The point wise information as received from the custodian of Information is enclosed for your reference and records.

sd/-
(A.K.Kaushik)
Additional Director & CPIO
Tel: 011-24364803

Subject : RTI on website blocking requested by Shri Pranesh Prakash

(i) Did the Department order Airtel to block TypePad under S.69A of the Information Technology Act ("IT Act"), 2000 read with the Information Technology (Procedures and Safeguards for Blocking Access of Information by Public) Rules, 2009 ("Rules") or any other law for the time being in force? If so, please provide a copy of such order or orders. If not, what action, if at all, has been taken by the Department against Airtel for blocking of websites in contravention of S.69A of the IT Act?

Reply - This Department did not order Airtel to block the said site.

(ii) Has the Department ever ordered a block under s.69A of the IT Act? If so, what was the information that was ordered to be blocked?

Reply - The Department has issued directions for blocking under section 69A for the following websites:
(a) www.zone-h.org.
(b) http://donotdial100.webs.com (IP 216.52.115.50)
(c) www.bloggernews.net/124029
(d) http://www.google.co.in/#h 1 =en&source=hp& biw=1276&bih=843&=dr+babasaheb+ambedkar+ wallpaper&aq=4&aqi=g10&aql =&oq=dr+ babas& gs_rfai=&fp=e791 fe993fa412ba
(e) http://www.cinemahd.net/desktop-enhancements/wallpaper/23945- wallpapers-beautiful-girl-wallpaper.html
(f) http://www.chakpak.com/find/images/ kamasutra-hindi-movie
(g) http://www.submitlink.khatana.net/2010/09/jennifer-stano-is-engaged- to.html
(h) http://www.result.khatana.net/2010/11/im-no-panty-girl-yana-gupta- wardrobe.html.
(i) http://www.facebook.com/pages/l-Hate-Ambedkar/172025102828076
(j) www.indybay.org
(k) www.arizona.indymedia.org

(iii) How many requests for blocking of information has the Designated Officer received, and how many of those requests have been accepted and how many rejected? How many of those requests were for emergency blocking under Rule 9 of the Rules?

Reply - Designated Officer received 21 request for blocking of information. 11 websites have been blocked on the basis of orders received from court of law. One request has been rejected. For other requests, additional input/information has been sought from the Nodal Officer.

No request for emergency blocking under rule 9 of the Rules have been received.

(iv) Please provide use the present composition of the Committee for Examination of Requests constituted under Rule 7 of the Rules.

Reply - The present composition of the Committee is :
(a) Designated Officer (Group Coordinator - Cyber Law)
(b) Joint Secretary, Ministry of Home Affairs
(c) Joint Secretary, Ministry of Information and Broadcasting
(d) Additional Secretary and Ministry of Law & Justice
(e) Senior Director, Indian Computer Emergency Response Team

(v) Please provide us the dates and copies of the minutes of all meetings held by the Committee for Examination of Requests under Rule 8(4) of the Rules, and copies of their recommendations.

Reply - The Committee had met on 24-08-2010 with respect to request for blocking of website www.betfair.com.

(vi) Please provide us the present composition of the Review Committee constituted under rule 419A of the Indian Telegraph Rules, 1951.
(vii) Please provide us the dates and copies of the minutes of all meetings held by the Review Committee under Rule 14 of the Rules, and copies of all orders issued by the Review Committee.

Reply - This Department do not have details for above. The said information may be available with Department of Telecommunications.

For more details visit https://cis-india.org/internet-governance/blog/rti-response-dit-blocking

Is Data Protection Enough?

elonnai — 2012-03-22T05:28:51Z

The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.

In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.

Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.

Sources

http://www.thehindu.com/news/national/article905944.ece

http://is.gd/hJWD8 http://is.gd/hJWSX

http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage

Matthan, Rahul. The Mint:Technology. Nov. 24 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough

Surveillance Technologies

elonnai — 2012-03-22T05:40:24Z

The following post briefly looks at different surveillance technologies, and the growing use of the them in India.

Surveillance...

New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.

...In a Car? On the Street? In an Airport?

Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.

...In the Movie Theater????..for Marketing Purposes????

Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.

Is this technology in India?

Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?

Sources

http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms
http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article
http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs
http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2

For more details visit https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies

Privacy, By Design

praskrishna — 2011-04-12T06:45:36Z

The Centre for Internet and Society invites people and organizations in the business of 'privacy online' to engage with it in Privacy, By Design — an open space discussion that brings together coders, developers, users and entrepreneurs interested in the design of privacy online.

Is Privacy something we are born with or is it constructed for us? Different actors like governments, markets, cultural negotiators, are often attributed the responsibility of defining what it means to be 'private'. In our rapidly digitizing world, Internet and digital technologies have emerged as new factors that influence the design of privacy. Ranging from social networking systems to e-governance projects and economic transactions to interpersonal relationships, the design of privacy online has become a central concern.

Privacy, By Design is a part of The Identity Project (TIP), a collaboration between the Centre for Internet and Society and the Centre for the Study of Culture and Society. It is a research inquiry that hopes to consolidate multiple perspectives, and ideas in an attempt to initiate a dialogue between people who are in the business of designing platforms and applications that pivot around privacy. For instance: How do the platforms we use define our understanding of privacy? What does privacy in the cloud look like? What are the parameters by which privacy is defined within the digital world? What role do digital technologies play in producing the 'privacy effect?'

For more details visit https://cis-india.org/events/privacy-by-design

March 2011 Bulletin

praskrishna — 2012-07-30T10:59:46Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage.

Researchers@Work

RAW is a multidisciplinary research initiative. CIS believes that in order to understand the contemporary concerns in the field of Internet and society, it is necessary to produce local and contextual accounts of the interaction between the Internet and socio-cultural and geo-political structures. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Monographs finalised from these projects are online for peer review.

New Blog Entry by Zainab Bawa in Transparency and Politics

A History of Transparency, Politics and Information Technologies in India

Digital Natives with a Cause?

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

Column on Digital Natives

A fortnightly column on ‘Digital Natives’ authored by Nishant Shah is featured in the Sunday Eye, the national edition of Indian Express, Delhi, from 19 September 2010 onwards. The following was published recently:

Watson knows the Question [Indian Express, March 6, 2011]

Blog Entries by Maesey Angelina

Maesey Angelina works as a programme officer at Hivos, Jakarta on gender, women and development while exploring research initiatives on Digital Natives in Indonesia. She spent one month in CIS, working on her dissertation, exploring the Blank Noise project under the Digital Natives with a Cause framework. She writes a series of blog entries. The new ones are:

Blog Entries by Samuel Tettner

Samuel Tettner is a Digital Natives Coordinator in CIS. He has written the following blog entries:

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

Featured Research

Accessible Mobile Handsets in India: An Overview

Blog Entry

Note on the Authorities under the Working Draft of Persons with Disabilities Act, 2011 (9th February 2011)

Intellectual Property

CIS believes that access to knowledge and culture is essential as it promotes creativity and innovation and bridges the gaps between the developed and developing world positively. Hence, the campaigns for an international treaty on copyright exceptions for print-impaired, advocating against PUPFIP Bill, calls for the WIPO Broadcast Treaty to be restricted to broadcast, questioning the demonization of 'pirates', and supporting endeavours that explore and question the current copyright regime. Its latest endeavour has resulted into these:

Featured Research

Pirates, Plagiarisers, Publishers [ Written by Prashant Iyengar and originally published in the Economic & Political Weekly, February 26, 2011, Vol XLVI No 9]

Submission

Comments to the Ministry on WIPO Broadcast Treaty (March 2011)

Openness

Workshops organised

Design!publiC [Taj Vivanta, New Delhi, March 18, 2011]
Open Access to Scientific Information Indian International Centre [New Delhi, March 16, 2011]

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” CIS involvement in the field of Internet governance has taken the following shape:

Submissions

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

Submission

Privacy and Governmental Database

Workshops organized

Privacy Matters - A Public Conference in Ahmedabad [Ahmedabad, March 26, 2011]
Public Talk by Dr. Ian Brown on Privacy, Trust and Biometrics [Centre for Contemporary Studies, IISc, Bangalore, March 21, 2011]
Electronication: Ragas and the Future [Jaaga, Bangalore, March 6, 2011]
Role of the Internet in Fostering Freedom of Expression and Strengthening Activism in India - A Workshop in Delhi [Constitution Club, New Delhi, March 4, 2011]
Global Challenges to Freedom of Expression [Constitution Club, New Delhi, March 4, 2011]

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum. It is imperative to resolve these issues in the common interest of users and service providers. CIS campaigns to facilitate this:

Featured Research

India's untapped potential: Are a billion people losing out because of spectrum?

Column

Shyam Ponappa is a Distinguished Fellow at CIS. He writes regularly on Telecom issues in the Business Standard and these articles are mirrored on the CIS website as well.

Big-Bang Budgets? [published in the Business Standard on March 3, 2011]

Forthcoming Events

CIS is organising some conferences/workshops in the month of March/April:

Web Sites Accessibility Evaluation Methodologies: A New Imperative for State Parties to the Convention on the Rights of Persons with Disabilities[Hyderabad International Convention Centre, Hyderabad]
Shadow Search Project (SSP) in CIS [CIS, Bangalore]
Facebook Resistance Workshop [CIS, Bangalore]

News & Media Coverage

Networking its way to better governance (Hindu, March 28, 2011]
‘Learn from failed UK NIR project’ (Deccan Chronicle, March 22, 2011]
Design!publiC - News from Livemint (Livemint, March 18, 2011)
Muzzling the Internet (Outlook, March 17, 2011)
Battle for the Internet (Down to Earth, Issue: March 15, 2011)
Cause and effect Facebook-style (Hindustan Times, March 13, 2011)
Catch-all approach to Net freedom draws activist ire (Sunday Guardian, March 13, 2011)
Lives suspended in the Web (Indian Express, March 11, 2011)
Draft IT guidelines may gag internet freedom (Times of India, March 11, 2011)
Govt proposal to muzzle bloggers sparks outcry (Times of India, March 10, 2011)
New Indian Rules May Make Online Censorship Easier (Yahoo News, March 7, 2011)
Anti-Social Network (Mail Today, February 27, 2011)

Follow us elsewhere

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/march%20-2011-bulletin

The Draft Electronic Delivery of Services Bill, 2011 – Comments by CIS

praskrishna — 2011-08-02T07:37:37Z

The Draft Electronic Delivery of Services Bill, 2011 (“Bill”) is a Bill to provide for delivery of government services manadatorily through electronic means by phasing out manual delivery of services. It is heartening to note that the Bill shifts the approach to electronic delivery of services by Government agencies to one as part of the citizens' right to service delivery through electronic means rather than a luxury or benefit doled out by the Government. The Bill introduces bodies exclusively accountable for ensuring that electronic delivery of services by the Government at the state and central levels. While this is a welcome move on the part of the Government there are a few comments we, at the Centre for Internet and Society, have on the present version of the Bill:

Accessibility
The Bill does not make it mandatory for all Government services to be accessible to all including persons with disabilities. The Bill refers to the term “access”, as defined in Section 2(1)(a) from the prespective of merely gaining physical access to the services or availability of such services1 rather than from the perspective of catering to the ability of a person with print (or other) disbilities from gaining access to the services in the normal format. It is very important that the electronic services are delivered in a format which is accessible to all persons including persons with disbilities, elderly persons etc. It should be mandatory for the Government to comply with Web Content Accessibility Guidelines (WCAG) and National Informatics Centre (NIC) guidelines for web accessibility. It is also important to ensure accessibility of all documents produced during service delivery by Government agencies.
Linguistic Accessibility
Section 5(2)(b) of the Bill requires the Government to prescribe a framework for all its agencies to ensure web presence or enablement which refers to rendering electronic services in the language chosen by the user. In pursuance of the same, it is important for delivery of services to be available in all national languages of India to begin with in addition to the content being encoded in Unicode font for all languages. It is important to note that there are not many open fonts available for Indian languages. Hence, it must be ensured that the Government allocates sufficient funds to ensure linguistic accessbility of the services delivered, while ensuring implementation of the provisions of the Bill.
Public Scrutiny
In order to ensure transparency of Government services and process of service delivery, it is essential that the Bill incorporates a provision to enable citizens to gain access to information provided by the Government as part of the service delivery process unless disclosing such information would amount to violation of any applicable law. Similarly, provision should be made for making public all RTI applications filed with the Government and responses to them.
Use of Free and Open Source Software
Considering that electronic service delivery by Government agencies is effected through public money, it is important that Governments are urged to use Free and Open Source Software (FOSS) for service delivery. This cuts costs to a great extent and also make the process more transparent and capable of customisation to varied needs of different departments. It is important to insert a provision requiring the Government to use FOSS as far as possible and in the event of any use of proprietary software, the Government should clearly explain the reason for such use, the costs incurred for the same, the additional benefit derived out of its use and other relevant details.
Open Standards
The Bill must stress on use of open standards for all computer resources and service delivery systems by Government agencies. As is the case with FOSS, such use brings down operation costs drastically and makes the service delivery process transparent and available for all to use. Use of ODF formats for documents, HTML for websites, ISA standards for hardware is recommended. It is also useful to ensure compliance with W3C guidelines by the concerned Government departments during implementation of the Bill.
Whistleblower Exception
The Bill does not contain any safeguards to ensure free and fearless disclosure of any wilful violation of the law impacting larger public interest. It is important to include a provision protecting any person exposing any violation of the provisions of the Bill or blowing the cover off any scam or farudulent activity decieving the public committed by service providers under the Bill. Such protection can be given by ensuring that the actions of such whistleblower, to the extent required for the exposure, does not constitute an offence under the provisions of the Bill.
Penalties for Offences
- Chapter 4 of the Bill gives a detailed list of acts constituting an offence under the Act including Section 15 which specifically relates to offences by companies. It is critical to ensure that the punishment and penalities for offences extend not only to citizens and companies but also to Government officials who misuse information they are privy to under the provisions of the Bill. In fact, a separate provision specifically applicable to the various offences which could be committed by Government officials under the Bill can reduce misuse of its provisions by the Government.
- It is to be noted that several provisions listed under Chapter 4 of the Bill covering offences and penalties are a reproduction of the provisions for the same under the Information Technology Act, 2000 (“IT Act”). Such reprodution is unnecessary and acts which are already deemed to be offences and have punishments prescribed for them under the IT Act (or any other legislation for the time being in force in India) need not be covered again in the Bill. This will avoid duplication and confusion in the legislations.
- Section 19(1) of the Bill provides that no alleged offence under the Bill can be tried in a court of law unless the Central Electronic Delivery of Services Commissioner (“Central Commissioner”) or the State Electronic Delivery of Services Commissioner (“State Commissioner”) authorises the same by issuing a complaint in this regard to the relevant court. This provision directly conflicts with a citizen's constitutional right to seek legal redress since it takes away his freedom to approach a court of law for redressal of his grievance without the permission of the Commissioners. It is recommended that the provision be either deleted or suitably modify so that it is not in violation of this constitutional right.
Bottoms up Approach
A decentralised approach should be adopted along the lines of the Panchayati Raj system giving the citizen a greater say in the framework and implementation of service delivery by Government agencies. Implementation can be at the Panchayat and District levels apart from State levels. Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent, access control to their information. This will automatically make them eligible or ineligible for various government services.
Charges for service delivery
Section 4 of the Bill authorises the Government to allow service providers to collect charges for electronic service delivery while Section 3(2) provides for the Government to regulate the manner and method of payment of such charges. It is critical to ensure that such charges levied under the provisions of the Bill do not exceed the charges levied by the Government agency for manual delivery of services. Charges for manual service delivery may include charges for photocopy, printing, paper, postage etc., all of which are totally eliminated during service delivery through electronic means. Thus, levying the same charges, let alone greater charges for electronic service delivery is totally unnecessary and places an additional burden on the citizen ultimately defeating the very purpose of the Bill.
Security in payment of charges
Section 3(2) of the Bill provides for the Government to regulate the manner and method of payment of charges for delivery of services.It is important that each transaction that takes place is done securely and without the exposure of an individuals confidential details. There are many ways to structure the transaction of payment of fees to achieve this goal. We reccommend that the SCOSTA smart card structure is used for completing and processing a transaction.
Data Security and Privacy
Section 5(1)(e) of the Bill requires the Government to ensure integrity, security and confidentiality of data collected, preserved and retained. We recommend that in addition to this, the Government also ensures integrity, security and confidentiality of data or information that is transferred, accessed or deleted. We also recommend that the Bill requires the Government to prescribe a framework under Section 5(2) for agency privacy policies to ensure that they are interoperable and consistent between different departments of the Government.
Functions of the Central Commissioner
Section 8 of the Bill grants the Central Commissioner the power to perform any or all of the functions listed in the provision including Section 8(f) which refers to the power of the State Commissioner in conducting the work of the State Government agencies. A Central Government authority may not have a say in all matters under the purview of the State Governments. This aspect has been left out for consideration while drafting this provision and hence it needs to be relooked at.
Cut-off Date for Implementation
While the Bill mandates a cut off period of 180 days for the Government to finalise on the scope, framework and manner of service delivery under its provisions, it states that the Government “may” prescribe a framework for implementation of the provisions. It is recommended, for the purpose of ensuring speedy implementation of the provisions, that the term “may” in Section 5(2) be replaced by “shall”.
Transparency of Government Agencies
Transparency and accountability of the Government towards the citizen is as important as the transparency of the citizen towards the Government. Therefore, the provisions of the Bill must ensure that the Government activities are transparent to the citizens by making available to the citizens, details of the responsible officials under the Bill, manner of service delivery and other relevant information in this regard.

For more details visit https://cis-india.org/internet-governance/blog/draft-electronic-delivery-services

Second Expert Meeting on Human Rights and the Internet

praskrishna — 2011-06-08T10:01:55Z

The second expert meeting on human rights and the Internet is being organised by the Swedish Ministry for Foreign Affairs and the UN Special Rapporteur on Freedom of Opinion and Expression on 30 and 31 March 2011 in Stockholm (Sweden). Anja Kovacs will participate in this meeting.

List of Participants (draft)

Alison LeClaire Christie alison.leclairechristie@international.gc.ca	Minister-Counsellor and Deputy Permanent Representative, Canadian mission to UN in Geneva
Anabella Rivera libert.expresion@gmail.com	Executive Director, DEMOS, Guatemala
Anja Kovacs anja@cis-india.org	Fellow, The Centre for Internet and Society, Bangalore
Anna Nawrot anna.nawrot@rwi.lu.se	Researcher, Raoul Wallenberg Institute of Human Rights, Lund, Sweden
Annie Game agame@cjfe.org	Executive Director, CJFE-IFEX
Anriette Esterhuysen anriette@apc.org	Executive Director, Association for Progressive Communications, South Africa
Arthit Suriyawongkul arthit@gmail.com	Thai Neitzen Network, Centre for Popular Media Reform
Brett Solomon brett@accessnow.org	Executive Director, Access Now
Charlotta Bredberg charlotta.bredberg@sida.se	Thematic Coordinator for Democracy, Human Rights, Peace and Security, Global Programme Unit, Department for Global Cooperation, Sida
Cynthia Wong cynthia@cdt.org	Director, Project on Global Internet Freedom, Center for Democracy and Technology, Washington DC
Daniel Westman Daniel.Westman@juridicum.su.se	Researcher and Teacher, Faculty of Law, Stockholm University
Danny Aerts danny.aerts@iis.se	CEO, The Internet Infrastructure Foundation (.SE)
David Mothander davidmothander@google.com	Nordic Policy Counsel, Google, Stockholm
Dunja Mijatovic pm-fom@osce.org	OSCE Representative on Freedom of the Media
Eduardo Bertoni eberto2@palermo.edu	Director, Center for Studies on Freedom of Expression and Access to Information, Palermo University School of Law, Argentina
Eric King eric@privacy.org	Human Rights and Technology Advisor, Privacy International
Grace Githaiga ggithaiga@hotmail.com	Kenya ICT Action Network (KICTANET)
Guy Berger G.Berger@ru.ac.za	Professor, School of Journalism & Media Studies, Rhodes University, South Africa
Helena Bjuremalm helena.bjuremalm@sida.se	Senior Policy Specialist, Democracy Assistance, Sida
Hossam Bahgat Hossam@eipr.org	Executive Director, Egyptian Initiative for Personal Rights, Cairo
Jan Kleijssen jan.kleijssen@coe.int	Director, Directorate General of Human Rights and Legal Affairs, Council of Europe
Jean-Luc Delvert Jean-luc.DELVERT@diplomatie.gouv.fr	Counsellor, Human Rights Division, Ministry for Foreign Affairs, France
Jean-Pierre Kempeneers, jem.kempeneers@minbuza.nl	Head of the Human Rights Division, Ministry of Foreign Affairs, The Netherlands
Jermyn P Brooks jermynbrooks@aol.com	Chair, Global Network Initiative
Joana Varon joana@varonferraz.com	Researcher, Centre for Technology and Society, Rio De Janeiro
Joe McNamee joe@mcnamee.eu	EU Advocacy Coordinator, European Digital Rights Initiative
Joy Liddicoat joy@liddicoatlaw.co.nz	Project Coordinator, Internet Rights are Human Rights, APC, South Africa
Kurt Erik Lindqvist kurtis@netnod.se	CEO, NETNOD, Stockholm
Lee Hibbard Lee.HIBBARD@coe.int	Coordinator for Internet Governance and Information Society, Council of Europe
Lisa Horner LisaH@global-partners.co.uk	Head of Research & Policy, Global Dialogue, London
Lise Bergh lise.bergh@amnesty.se	Director, Amnesty International, Swedish Section
Louise Bermsjö louise.bermsjo@sida.se	Programme Manager for Democracy and Human Rights, Global Programme Unit, Department for Global Cooperation, Sida
Lucille Morillon internet@rsf.org	Head, Bureau of New Media, Reporters sans frontières
Maciej TOMASZEWSKI maciej.tomaszewski@ec.europa.eu	European Commission DG INFSO, Unit A3 Internet; Network & Information Security
Maria Häll maria.hall@enterprise.ministry.se	Deputy Director, Division for Information Technology Policy, Ministry of Enterprise, Energy and Communications, Sweden
Mats Ringborg mats.ringborg@foreign.ministry.se	Ambassador of Sweden to OECD and UNESCO
Matthew Barzun BarzunMW@state.gov	US Ambassador to Sweden
Michael Camilleri MCamilleri@oas.org	Attorney, office of the Special Rapporteur for Freedom of Expression, OAS
Nicklas Lundblad nlundblad@google.com	Senior Policy Counsel, Public Policy and Government Affairs, Google
Nicole Gregory nicole.gregory@fco.gov.uk	Head of Human Rights Section, Human Rights and Democracy Department, Foreign and Commonwealth Office, UK
Orest Nowosad onowosad@ohchr.org	Director, Special Procedures of the Office of the UN High Commissioner for Human Rights
Patrik Fältström patrik@frobbit.se	Distinguished Consulting Engineer, Cisco
Patrik Hiselius Patrik.Hiselius@teliasonera.com	Senior Advisor, Public Affairs, Group Communications, Telia Sonera
Paula Uimonen paula@spidercenter.org	Director, The Swedish Program for ICT in Developing Regions, Stockholm
Richard Allan, ric@fb.com	Director of Policy in Europe, Facebook
Richard Esguerra gwen@eff.org	Senior Activist, Global Internet Freedom Policy, Electronic Frontier Foundation
Robert Guerra guerra@freedomhouse.org	Project Director, Internet Freedom, Freedom House
Robert Hårdh Robert.Hardh@civilrightsdefenders.org	Executive Director, Civil Rights Defenders, Stockholm
Sally Elkhodary sally.khodary@anhri.net	Programs Director, The Arabic Network for Human Rights Information, Cairo
Sarah Labowitz LabowitzSB@state.gov	Office of the Coordinator for Cyber Issues, US State Dept
Staffan Jonson staffan.jonson@iis.se	Policy Adviser, The Internet Infrastructure Foundation (.SE)
Sylvie Coudray s.coudray@unesco.org	Division for Freedom of Expression, Democracy and Peace, UNESCO
Thomas Hajnoczi, Thomas.HAJNOCZI@bmeia.gv.at	Ambassador, Permanent Representative of Austria to Council of Europe
Toby Mendel toby@law-democracy.org	Executive Director, Centre for Law and Democracy
Vilhelm Konnander vilhelm.konnander@gmail.com	Global Voices
Wolfgang Benedek wolfgang.benedek@uni-graz.at	Professor, Faculty of Law, Graz University, Austria
Yaman Akdeniz yaman.akdeniz@bilgi.edu.tr Ženet Mujić zenet.mujic@osce.org	Associate Professor of Law, Faculty of Law, Istanbul Bilgi University Senior Adviser, office of the OSCE Representative on Freedom of the Media

Organisers

Frank la Rue Co-Chair of the meeting libert.expresion@gmail.com	UN Special Rapporteur on Freedom of Opinion and Expression
Olof Ehrenkrona Co-Chair of the meeting olof.ehrenkrona@foreign.ministry.se	Ambassador, Political Adviser to Foreign Minister Carl Bildt, MFA, Sweden
Per Sjögren per.sjogren@foreign.ministry.se	Head, Dept of International Law, Human Rights and Treaty Law, MFA, Sweden
Hans Dahlgren hans.dahlgren@foreign.ministry.se	Ambassador for Human Rights, MFA, Sweden
Måns Molander mans.molander@foreign.ministry.se	Head of Human Rights Section, MFA, Sweden
Johan Hallenborg johan.hallenborg@foreign.ministry.se	Special Adviser, HR Section, MFA, Sweden
Maria Koliopanou maria.koliopanou@foreign.ministry.se	Assistant, HR Section, MFA, Sweden
Karin Keil Pettersson karin.keil-pettersson@foreign.ministry.se	Assistant, HR Section, MFA, Sweden
Pauline Etemad pauline.etemad@foreign.ministry.se	Intern, HR Section, MFA Sweden
Rolf Ring rolf.ring@rwi.lu.se	Deputy Director, Raoul Wallenberg Institute of Human Rights and Humanitarian Law, Lund, Sweden
Gordana Jankovic Gordana.Jankovic@osf-eu.org	Director, Open Society Foundation Media Program
Vera Franz vfranz@osf-eu.org	Senior Program Manager, Information Program, Open Society Foundations
Stewart Chisholm Stewart.Chisholm@osf-eu.org	Senior Manager for Freedom of Expression, Open Society Media Program

For more details visit https://cis-india.org/notices/second-expert-meeting

India Should Watch Its Internet Watchmen

praskrishna — 2011-05-06T05:08:05Z

The month after terrorists attacked Mumbai in 2008, India's government initiated legislation enabling it to eavesdrop on electronic communication and block websites on grounds of national security. There was no public debate before the bill in question was introduced, and hardly any debate inside parliament itself before it passed in 2009. In the law, there were no guidelines about the extent to which an individual's right to privacy would be breached. And there was certainly no mention, and therefore, reassurance, that due process would be followed when it came to restricting access to websites. This article by Rahul Bhatia was published in the Wall Street Journal on March 28, 2011.

It's taken about two years for the first signs of misuse to show up. And there may be many more, as the government uses vague discretion instead of firm rules to police India's Internet. Various groups can exploit these discretionary powers to their own ends.

Earlier this month, the Indian Computer Emergency Response Team (CERT-In), the body appointed by the government to protect India's information infrastructure, blocked a text-message provider that sends out advertisements in bulk over mobile phone. It also blocked Typepad.com, a publishing platform used frequently by bloggers. Both restrictions have now been lifted.

Most contentiously, a Delhi court ordered CERT-In to block access to Zone-H.org, an Italian security giant that acts as a repository of hacked websites—that is, it collects screen grabs of sites that are infiltrated, which later proves valuable for studying the cyber crime in question. A representative of this website accused an Indian cyber security firm, E2 Labs, of using Zone-H's logo and images to promote its own cyber security school courses. E2 Labs dragged Zone-H to court in 2009 and, on grounds of defamation, had Zone-H's website blocked. What muddies the waters is that E2 Labs claims to work for the government.

Nobody knows what threat, if any, these websites posed to national security. Users who tried accessing them simply received a one-line message from their service providers that the sites had been blocked due to "instructions from the Department of Telecom." That message later disappeared, replaced by the standard error message: "Page Not Found."

Many bloggers immediately started comparing this case to the situation they found themselves in 2006, when the government banned Blogspot.com right after Mumbai's suburban train system was hit by bomb blasts. The Department of Telecom then did not offer an official reason, leaving people guessing that this was some kind of response to that terrorist attack.

That's happening again. The guidelines under which CERT-In operates say that all information related to website blocking is classified. Moreover, its mandate does not include communicating with the public. Which is why everyone is in the dark. Nobody even knows how widespread the blockade is. There's no hint of the process involved. There's no course for redress for those who own the affected sites.

Inquiries from journalists about the Department of Telecom's method of functioning have gone unanswered. When cornered by the press this month, India's Information Technology minister Kapil Sibal, who oversees this department, passed responsibility to the ministry of home affairs, which manages the nation's internal security.

Perhaps there are legitimate reasons for blocking these websites. India has faced its share of terrorist attacks that have, in the last decade, begun to affect the country's urban centers. Terrorists have gotten more sophisticated. The 2008 Mumbai assault especially put pressure on security personnel to be electronically vigilant, because the terrorists used satellite phones and internet technology to communicate. Since then, the government has ramped up its scrutiny of the Internet, including getting into a high-profile dispute last year with Blackberry-maker Research in Motion. Blogs are fair game, too, seeing as how terrorist groups have been known to use them for recruiting and communication. But if there are good reasons this time for blocking the sites in question, they're unknown and unexplained.

That lack of explanation is cause for alarm. First, there's the impact on businesses. Intermediary guidelines proposed by the Department of Information Technology put the onus on service providers to remove any material that, in addition to endangering national security, "causes inconvenience or annoyance," is "grossly offensive or menacing in nature," or "belongs to another person." These open-ended guidelines mean service providers have to spend a good chunk of their time dealing with government officials to determine, say, what is offensive.

The larger impact is on the rule of law. The clumsiness with which New Delhi has blocked these sites undermines any legitimacy the laws have. Lawyers I've spoken with already say that the guidelines, which are open to wide interpretation, violate the country's constitution.

This legal debacle has implications beyond any immediate security concerns. Despite being a democracy with a vigorous free press, India can't afford to take freedom of speech for granted. The concern here is that a statute intended to protect the country from terrorism may also give new legal cover to people trying to restrict speech for other reasons.

Already, thanks in part to the lack of political support for free speech, varied groups hijack cracks or loopholes in the legal framework to their populist ends. For instance, a colonial-era law against religious insults was used in 2007 to appease Hindu nationalists who wanted the government to punish Muslim painter M.F. Hussain for depicting "Mother India" in the nude. That case suggests that the new ill-considered and badly implemented rules for online policing could be exploited by political or business interests.

India undoubtedly faces a serious terrorism problem. But New Delhi needs to defend itself through laws that don't end up impinging on free speech in damaging, undemocratic ways.

Mr. Bhatia is a writer with Open Magazine in Mumbai.

Read the original story here

For more details visit https://cis-india.org/news/internet-watchmen

Networking its way to better governance

praskrishna — 2011-04-01T15:13:04Z

New policy to regulate Government presence on social media. This article by Deepa Kurup was published in the Hindu on March 28, 2011.

The official Facebook page of the Karnataka Criminal Investigation Department, “DGPCIDKARNATAKA”, is a string of one-sided comments punctuated with official-ese, or newspaper links of some prominent crime or an article by the officials.

The Twitter account, also started around June 2010, has all of 38 tweets, and barely any interaction with “common” men/women. Started with much fanfare, these are among the very few State Government agencies that took to social media, but haven't taken it beyond mere formalities. On the brighter side, blogs by a few Ministers — most prominently, Higher Education Minister V.S. Acharya and Minister for Law and Parliamentary Affairs S. Suresh Kumar — are lively and even interactive, in spurts. A few government departments too have blogs, but none remarkable.

Though the Indian Government's tryst with social media is fairly new — it took a few Twitter controversies, courtesy former Minister @ShashiTharoor, to make the government sit up and take note — some departments such as IndiaPost, the Delhi Traffic Police, Census India and even the Planning Commission, have been able to take it beyond mere posturing and have interacted with citizens, even tried to solve problems. IndiaPost's Twitter page is a good example of how agencies can engage with stakeholders, at least to an extent.

A draft policy

Twitter recently hit headlines again when foreign secretary Nirupama Sen logged on with an official ID and interacted with Indians stranded in Libya looking to make their way back. All these examples, that have earned these departments accolades, has prompted the Indian Government to come up with a new policy for social media.

The e-governance group of the Department of Information Technology (DIT) held a meeting this week to draw up guidelines to “regulate” Government presence on social media sites.

Speaking to The Hindu, a DIT official said this had been on the Government's agenda because efforts in this direction had been all too scattered, and some of the success stories had convinced them that it could be a good platform for interaction. The official added that the feedback they got on the 12th Planning Commission's Facebook page was seen as a good example of how these tools could be leveraged.

But why regulate at all? Regulating social media use by government officials is imperative mainly to ensure that use of information or data is compliant with existing laws.

Consistency needed

Sunil Abraham, director of the Centre for Internet and Society, a Bangalore-based non-governmental organisation, points out that with no general rules in place, the use of Twitter or Facebook account varies according to the bureaucrats heading the departments. “This cannot be the case as the channel of communication has to be a continuous thing, and the data shared with citizens has to be accurate; which means the same standards need to be applied to online sharing of data as is applied to offline data handling. Departments should also be obliged to back-up online data periodically,” he says.

For instance, a traffic police department announced that citizens could share pictures of traffic rule offenders on Facebook or on its website, to facilitate tracking of offenders. “Such a move could have huge privacy implications, and may also lead to vigilante activism,” warns Mr. Abraham, adding that we need a policy so that all activity, however casual it may seem, is compliant with existing law governing data protection and privacy.

With the Government jumping on to the 2.0 bandwagon (often under pressure like in Mumbai where citizens created a Facebook page for the police forcing them to create a real one), it is time to really make it official. So, while the idea of giving a face to government agencies and pushing for transparency and greater interaction with citizens, standardisation of social media use is indeed the way forward.

Read the original article in the Hindu here

For more details visit https://cis-india.org/news/networking-better-governance

‘Learn from failed UK NIR project’

praskrishna — 2011-04-01T15:12:12Z

The new government in the UK recently scrapped its decade-long work spending millions of pounds on establishing the National Identity Registration (NIR) number simply because it realised it wasn't workable. This article by Madhumita was published in the Deccan Chronicle on March 22, 2011.

There might just be a lesson in this for India that has begun the ambitious Unique Identification (UID) project. The fact, experts says, is that the technology to make this project work successfully in India, that is attempting to cover the largest biometric registry in the world so far, does not exist, at the moment.

According to Dr Ian Brown, senior research fellow at the Oxford Internet Institute, University of Oxford, there was very little evidence that the NIR in UK met the objectives it laid for the initiative. Dr Brown, who has worked extensively on privacy with regard to biometrics, asserted that in the area of privacy and trust there was already a lot of distrust among citizens concerning identity registration. Additionally the UK government losing the CDs that contained information of 25 million people, led to the debate of data breach, a major issue for India concerning the UID.

“The reasons behind the need for the card included politically popular goals that varied depending on the demands of that political moment. From anti-terrorism to reducing social security fraud, identification fraud, illegal immigration and creating a sense of community, the UK government's response was thin when it came to checking for evidence on the project successfully meeting these objectives. If it was for the largest argument of fitting into the wider perspective of criminal justice and security, then studies have shown that cost-effective measures such as streetlights managed to reduce crime by 30 per cent as against surveillance cameras that reduced crime a mere three per cent in the UK,” stated Dr Brown during a lecture at IISc.

India too has argued the same reasons of terrorism and security along with literacy and eradicating poverty. But where is the evidence that one cannot breach this system? Asked advocate Malavika Jayaram.

Prashant Iyengar of the Centre for Internet and Society (CIS) reiterating this stated that there was no guarantee that an individual's information would be safeguarded. The general consensus was that nobody is opposed to the UID, just its current form.

UK’s NIR disaster

The introduction of the UK’s National Identity Register (NIR) scheme was much debated, and various degrees of concern about the scheme were expressed by human rights lawyers, activists, security professionals and IT experts, as well as politicians.

Many of the concerns focused on the databases which underlie the identity cards rather than the cards themselves.

Biometrics consists of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In computer science, in particular, biometrics is used as a form of identity access management and access control.

It is also used to identify individuals in groups that are under surveillance. India is undertaking an ambitious mega project (the Multipurpose National Identity Card) to provide a unique identification number to each of its 1.25 billion people.

Read the original in the Deccan Chronicle here

For more details visit https://cis-india.org/news/failed-uk-nir-project