The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 41 to 55.
CIS and International Coalition Calls upon Governments to Protect Privacy
https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy
<b>The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.</b>
<p style="text-align: justify; ">On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India to assess whether national surveillance laws and activities are in line with their international human rights obligations.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.</p>
<p style="text-align: justify; ">A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.</p>
<p style="text-align: justify; ">Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."</p>
<p style="text-align: justify; ">Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:</p>
<blockquote class="quoted" style="text-align: justify; ">"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."</blockquote>
<p style="text-align: justify; ">Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:</p>
<blockquote class="quoted" style="text-align: justify; ">"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."</blockquote>
<p style="text-align: justify; ">Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion <a href="http://www.google.com/url?q=http%3A%2F%2Fwww.ohchr.org%2FDocuments%2FHRBodies%2FHRCouncil%2FRegularSession%2FSession23%2FA.HRC.23.40_EN.pdf&sa=D&sntz=1&usg=AFQjCNEwtpzwnl_1_j_UoSnoE048kX-LYA">made clear </a>the case for a direct relationship between state surveillance, privacy and freedom of expression in this latest report to the Human Rights Council:</p>
<blockquote class="quoted" style="text-align: justify; ">"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."</blockquote>
<p style="text-align: justify; ">Speaking at the event, the UN Special Rapporteur remarked that:</p>
<blockquote class="quoted" style="text-align: justify; ">"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."</blockquote>
<p style="text-align: justify; ">Representatives of the Centre for Internet and Society, <a href="https://www.privacyinternational.org">Privacy International</a>, the <a href="https://eff.org">Electronic Frontier Foundation</a>,<a href="https://accessnow.org">Access</a>,<a href="http://www.hrw.org/">Human Rights Watch</a>,<a href="http://en.rsf.org/">Reporters Without Borders</a>, <a href="http://www.apc.org/">Association for Progressive Communications</a>, and the<a href="https://www.cdt.org/">Center</a><a href="https://www.cdt.org/"> for Democracy and Technology </a>all are taking part in the event.</p>
<p style="text-align: justify; ">Find out more about the Principles at <a href="https://necessaryandproportionate.org">https://NecessaryandProportionate.org</a></p>
<h3><b>Contacts</b></h3>
<p style="text-align: justify; ">NGOs currently in Geneva for the 24<sup>th</sup> Human Rights Council:</p>
<p><b>Access</b><br />Fabiola Carrion: <a class="mail-link" href="mailto:fabiola@accessnow.org">fabiola@accessnow.org</a></p>
<p><b>Association for Progressive Communication</b><br />Shawna Finnegan: <a href="mailto:shawna@apc.org">shawna@apc.org</a></p>
<p><b>Center for Democracy and Technology</b><br />Matthew Shears: <a href="mailto:mshears@cdt.org">mshears@cdt.org</a></p>
<p><b>Electronic Frontier Foundation</b><br />Katitza Rodriguez: <a href="mailto:katitza@eff.org">katitza@eff.org</a> - @txitua</p>
<p><b>Human Rights Watch</b><br />Cynthia Wong: <a class="mail-link" href="mailto:wongc@hrw.org">wongc@hrw.org</a></p>
<p><b>Privacy International</b><br />Carly Nyst: <a href="mailto:carly@privacy.org">carly@privacy.org</a></p>
<p><b>Reporters Without Borders</b><br />Lucie Morillon: <a href="mailto:lucie.morillon@rsf.org">lucie.morillon@rsf.org</a><br />Hélène Sackstein: <a href="mailto:helsack@gmail.com">helsack@gmail.com</a></p>
<p style="text-align: justify; "><b>Signatories</b></p>
<p><b>Argentina</b><br />Ramiro Alvarez: <a href="mailto:rugarte@adc.org.ar">rugarte@adc.org.ar</a><br />Asociación por los Derechos Civiles</p>
<p class="normal" style="text-align: justify; "><b>Argentina</b><br />Beatriz Busaniche<b>: </b><a class="mail-link" href="mailto:bea@vialibre.org.ar">bea@vialibre.org.ar</a><br />Fundación Via Libre</p>
<p class="normal" style="text-align: justify; "><b>Colombia</b><br />Carolina Botero: <a class="mail-link" href="mailto:carobotero@gmail.com">carobotero@gmail.com</a><br />Fundación Karisma</p>
<p><b>Egypt</b><br />Ahmed Ezzat: <a href="mailto:ahmed.ezzat@afteegypt.org">ahmed.ezzat@afteegypt.org</a><br />Afteegypt</p>
<p><b>Honduras</b><br />Hedme Sierra-Castro: <a href="mailto:hedme.sc@gmail.com">hedme.sc@gmail.com</a><br />ACI-Participa</p>
<p><b>India</b><br />Elonnai Hickok: <a href="mailto:elonnai@cis-india.org">elonnai@cis-india.org</a><br />Center for Internet and Society</p>
<p><b>Korea</b><br />Prof. Park: <a href="mailto:kyungsinpark@korea.ac.kr">kyungsinpark@korea.ac.kr</a><br />Open Net Korea</p>
<p><b>Macedonia</b><br />Bardhyl Jashari: <a href="mailto:info@metamorphosis.org.mk">info@metamorphosis.org.mk</a><br />Metamorphosis Foundation for Internet and Society</p>
<p><b>Mauritania, Senegal, Tanzania</b><br />Abadacar Diop: <a href="mailto:jonction_jonction@yahoo.fr">jonction_jonction@yahoo.fr</a><br />Jonction</p>
<p class="normal" style="text-align: justify; "><b>Portugal</b><br />Andreia Martins<b>: </b><a class="mail-link" href="mailto:andreia@coolpolitics.pt">andreia@coolpolitics.pt</a><br />ASSOCIAÇÃO COOLPOLITICS</p>
<p><b>Peru</b><br />Miguel Morachimo: <a href="mailto:morachimo@gmail.com">morachimo@gmail.com</a><br />Hiperderecho</p>
<p><b>Russia</b><br />Andrei Soldatov: <a href="mailto:soldatov@agentura.ru">soldatov@agentura.ru</a><br />Agentura.ru</p>
<p><b>Serbia</b><br />Djordje Krivokapic: <a href="mailto:krivokapic@gmail.com">krivokapic@gmail.com</a><br />SHARE Foundation</p>
<p><b>Western Balkans</b><br />Valentina Pellizer: <a href="mailto:valentina.pellizzer@oneworldsee.org">valentina.pellizzer@oneworldsee.org</a><br />Oneworldsee</p>
<p><b>Brasil</b><br />Marcelo Saldanha: <a href="mailto:instituto@bemestarbrasil.org.br">instituto@bemestarbrasil.org.br</a><br />IBEBrasil</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy'>https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-09-25T07:21:09ZBlog EntryAn Interview with Suresh Ramasubramanian
https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian
<b>Suresh Ramasubramanian is the ICS Quality Representative - IBM SmartCloud at IBM. We from the Centre for Internet and Society conducted an interview on cybersecurity and issues in the Cloud. </b>
<ol>
<li style="text-align: justify; "><b>You have done a lot of work around cybersecurity and issues in the Cloud. Could you please tell us of your experience in these areas and the challenges facing them?</b><br />a. I have been involved in antispam activism from the late 1990s and have worked in ISP / messaging provider antispam teams since 2001. Since 2005, I expanded my focus to include general cyber security and privacy, having written white papers on spam and botnets for the OECD, ITU and UNDP/APDIP. More recently, have become a M3AAWG special advisor for capacity building and outreach in India.<br /><br />In fact capacity building and outreach has been the focus of my career for a long time now. I have been putting relevant stakeholders from ISPs, government and civil society in India in touch with their counterparts around the world, and, at a small level, enabling an international exchange of ideas and information around antispam and security.<br /><br />This was a challenge over a decade back when I was a newbie to antispam and it still is. People in India and other emerging economies, with some notable exceptions, are not part of the international communities that have grown in the area of cyber security and privacy.<br /><br />There is a prevalent lack of knowledge in this area, which combined with gaps in local law and its enforcement. There is a tendency on the part of online criminals to target emerging and fast growing economies as a rich source of potential victims for various forms of online crime, and sometimes as a safe haven against prosecution.</li>
<li style="text-align: justify; "><b>In a recent public statement Google said "Cloud users have no legitimate expectation of privacy. Do you agree with this statement?</b><br />a. Let us put it this way. All email received by a cloud or other Internet service provider for its customers is automatically processed and data mined in one form or the other. At one level, this can be done for spam filtering and other security measures that are essential to maintain the security and stability of the service, and to protect users from being targeted by spam, malware and potential account compromises.<br /><br />The actual intent of automated data mining and processing should be transparently provided to customers of a service, with a clearly defined privacy policy, and the deployment of such processing, and the “end use” to which data mined from this processing is put, are key to agreeing or disagreeing with such a statement.<br /><br />It goes without saying that such processing must stay within the letter, scope and spirit of a company’s privacy policy, and must actually be structured to be respectful of user privacy.<br /><br />Especially where mined data is used to provide user advertising or for any other commercial purpose (such as being aggregated and resold), strict adherence to a well written privacy policy and periodic review of this policy and its implementation to examine its compliance to laws in all countries that the company operates in are essential.<br /><br />There is way too much noise in the media for me to usefully add any more to this issue and so I will restrict myself to the purely general comments above.</li>
<li style="text-align: justify; "><b>What ways can be privacy of an individual be compromised on the cloud? What can be done to prevent such instances of compromise?</b><br />a. All the recent headlines about companies mining their own users’ data, and yet more headlines about different countries deploying nationwide or even international lawful intercept and wiretap programs, aside, the single largest threat to individual privacy on the cloud is, and has been for years before the word “cloud” came into general use, the constant targeting of online users by online criminals with a variety of threats including scams, phish campaigns and data / account credential stealing malware.<br /><br />Poor device security is another threat – one that becomes even more of a serious problem when the long talked about “internet of things” seems set to become reality, with cars, baby monitors, even Bluetooth enabled toilets, and more dangerously, critical national infrastructure such as power plants and water utilities becoming accessible over the Internet but still running software that is basically insecure and architected with assumptions that date back to an era when there was no conception or need to connect these to the Internet.<br /><br />Someone in Bluetooth range with the appropriate android application being able to automatically flush your toilet and even download a list of the dates and times when you last used it is personally embarrassing. Having your bank account broken into because your computer got infected with a virus is even more damaging. Someone able to access a dam’s control panel over the internet and remotely trigger the dam’s gates to open can cause far more catastrophic damage.<br /><br />The line between security and privacy, between normal business practice and unacceptable, even illegal behaviour, is sometimes quite thin and in a grey area that may be leveraged to the hilt for commercial and/or national security interests. However, scams, malware, exploits of insecure systems and similar threats are well on the wrong side of the “criminal” spectrum, and are a clear and present danger that cause far more than an embarrassing or personally damaging loss of privacy.</li>
<li style="text-align: justify; "><b>How is the jurisdiction of the data on the cloud determined?</b><br />This is a surprisingly thorny question. Normally, a company is based in a particular country and has an end user agreement / terms of service that makes its customers / users accept that country’s jurisdiction.<br /><br />However, a cloud based provider that does business around the world may, in practice, have to comply to some extent at least, with that country’s local laws – at any rate, in respect to its users who are citizens of that country. And any cloud product sold to a local business or individual by a salesman from the vendor’s branch in the country would possibly fall under a contract executed in the country and therefore, subject to local law.<br /><br />The level of compliance for data retention and disclosure in response to legal processes will possibly vary from country to country – ranging from flat refusals to cooperate (especially where any law enforcement request for data are for something that is quite legal in the country the cloud provider is based in) to actual compliance.<br /><br />In practice this may also depend on what is at stake for the cloud vendor in complying or refusing to comply with local laws – regardless of what the terms of use policies or contract assert about jurisdiction. The number of users the cloud vendor has in the country, the extent of its local presence in the country, how vulnerable its resident employees and executives are to legal sanctions or punishment.<br /><br />In the past, it has been observed that a practical balance [which may be based on business economics as much as it is based on a privacy assessment] may be struck by certain cloud vendors with a global presence, based on the critical mass of users it stands to gain or lose by complying with local law, and the risks it faces if it complies, or conversely, does not comply with local laws – so the decision may be to fight lawsuits or prosecutions on charges of breaking local data privacy laws or not complying with local law enforcement requests for handover of user data in court, or worst case, pulling out of the country altogether.</li>
<li style="text-align: justify; "><b>Currently, big cloud owners are US corps, yet US courts do not extend the same privacy rights to non US citizens. Is it possible for countries to use the cloud and still protect citizen data from being accessed by foreign governments? Do you think a "National Cloud" is a practical solution?</b><br />a. The “cloud” in this context is just “the internet”, and keeping local data local and within local jurisdiction is possible in theory at any rate. Peering can be used to keep local traffic local instead of having it do a roundtrip through a foreign country and back [where it might or might not be subject to another country’s intercept activities, no comment on that].<br /><br />A national cloud demands local infrastructure including bandwidth, datacenters etc. that meet the international standards of most global cloud providers. It then requires cloud based sites that provide an equivalent level of service, functionality and quality to that provided by an international cloud vendor. And then after that, it has to have usable privacy policies and the country needs to have a privacy law and a sizeable amount of practical regulation to bolster the law, a well-defined path for reporting and redress of data breaches. There are a whole lot of other technical and process issues before having a national cloud becomes a reality, and even more before such a reality makes a palpable positive difference to user privacy.</li>
<li style="text-align: justify; "><b>What audit mechanisms of security and standards exist for Cloud Service Providers and Cloud Data Providers?</b><br />a. Plenty – some specific to the country and the industry sector / kind of data the cloud handles. The Cloud Security Alliance has been working for quite a while on CloudAudit, a framework developed as part of a cross industry effort to unify and automate Assertion, Assessment and Assurance of their infrastructure and service.<br /><br />Different standards bodies and government agencies have all come out with their own sets of standards and best practices in this area (this article has a reasonable list - <a class="external-link" href="http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html">http://www.esecurityplanet.com/network-security/cloud-security-standards-what-youshould-know.html</a>). Some standards you absolutely have to comply with for legal reasons.<br /><br />Compliance reasons aside, a judicious mix of standards, and considerable amounts of adaptation in your process to make those standards work for you and play well together.<br /><br />The standards all exist – what varies considerably, and is a major cause of data privacy breaches, are incomplete or ham handed implementations of existing standards, any attempt at “checkbox compliance” to simply implement a set of steps that lead to a required certification, and a lack of continuing initiative to keep the data privacy and securitymomentum going once these standards have been “achieved”, till it is time for the next audit at any rate.</li>
<li style="text-align: justify; "><b>What do you see as the big challenges for privacy in the cloud in the coming years?</b><br />a. Not very much more than the exact same challenges for privacy in the cloud over the past decade or more. The only difference is that any threat that existed before has always amplified itself because the complexity of systems and the level of technology and computing power available to implement security, and to attempt to breach security, is exponentially higher than ever before – and set to increase as we go further down the line.</li>
<li style="text-align: justify; "><b>Do you think encryption the answer to the private and public institutions snooping?</b><br />a. Encryption of data at rest and in transit is a key recommendation of any data privacy standard and cloud / enterprise security policy. Companies and users are strongly encouraged to deploy and use strong cryptography for personal protection. But to call it “the answer” is sort of like the tale of the blind men and the elephant.<br /><br />There are multiple ways to circumvent encryption – social engineering to trick people into revealing data (which can be mitigated to some extent, or detected if it is tried on a large cross section of your userbase – it is something that security teams do have to watch for), or just plain coercion, which is much tougher to defend against.<br /><br />As a very popular <a class="external-link" href="http://xkcd.com/538/">XKCD</a> cartoon that has been shared around social media and has been cited in multiple security papers says -<br /><br />“A crypto nerd’s imagination”<br /><br />“His laptop’s encrypted. Let us build a million dollar cluster to crack it”<br />“No good! It is 4096 bit RSA”<br />“Blast, our evil plan is foiled”<br /><br />“What would actually happen”<br />“His laptop’s encrypted. Drug him and hit him with this $5 wrench till he tells us the password”<br />“Got it”</li>
<li style="text-align: justify; "><b>Spam is now consistently used to get people to divulge their personal data or otherwise compromise a persons financial information and perpetuate illegal activity. Can spam be regulated? If so, how?</b><br />a. Spam has been regulated in several countries around the world. The USA has had laws against spam since 2003. So has Australia. Several other countries have laws that specifically target spam or use other statutes in their books to deal with crime (fraud, the sale of counterfeit goods, theft..) that happens to be carried out through the medium of spam.<br /><br />The problems here are the usual problems that plague international enforcement of any law at all. Spammers (and worse online criminals including those that actively employ malware) tend to pick jurisdictions to operate in where there are no existing laws on their activities, and generally take the precaution not to target residents of the country that they live in. Others send spam but attempt to, in several cases successfully, skate around loopholes in their country’s antispam laws.<br /><br />Still others fully exploit the anonymity that the Internet provides, with privately registered domain names, anonymizing proxy servers (when they are not using botnets of compromised machines), as well as a string of shell companies and complex international routing of revenue from their spam campaigns, to quickly take money offshore to a more permissible jurisdiction.<br /><br />Their other advantage is that law enforcement and regulatory bodies are generally short staffed and heavily tasked, so that even a spammer who operates in the open may continue his activities for a very long time before someone manages to prosecute him.<br /><br />Some antispam laws allow recipients of spam to sue the spammer in small claims courts – which, like regulatory action, has also previously led to judgements being handed out against spammers and their being fined or possibly imprisoned in case their spam has criminal aspects to it, attracting local computer crime laws rather than being mere violations of civil antispam laws.</li>
<li style="text-align: justify; "><b>There has been a lot of talk about the use of malware like FinFisher and its ability to compromise national security and individual security. Do you think regulation is needed for this type of malware - and if so what type - export controls? privacy regulation? Use control?</b><br />a. Malware used by nation states as a part of their surveillance activities is a problem. It is further a problem if such malware is used by nation states that are not even nominally democratic and that have long standing records of human rights violations.<br /><br />Regulating or embargoing their sale is not going to help in such cases. One problem is that export controls on such software are not going to be particularly easy and countries that are on software export blacklists routinely manage to find newer and more creative ways to attempt to get around these and try to purchase embargoed software and computing equipment of all kinds.<br /><br />Another problem is that such software is not produced just by legitimate vendors of lawful intercept gear. Criminals who write malware that is capable of, say, stealing personal data such as bank account credentials are perfectly capable of writing such software, and there is a thriving underground economy in the sale of malware and of “take” from malware such as personal data, credit cards and bank accounts where any rogue nation state can easily acquire products with an equivalent functionality.<br /><br />This is going to apply even if legitimate vendors of such products are subject to strict regulations governing their sale and national laws exist regulating the use of such products. So while there is no reason not to regulate / provide judicial and regulatory oversight of their sale and intended use, it should not be seen as any kind of a solution to this problem.<br /><br />User education in privacy and access to secure computing resources is probably going to be the bedrock of any initiative that looks to protect user privacy – a final backstop to any technical / legal or other measure that is taken to protect them.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian'>https://cis-india.org/internet-governance/blog/interview-with-suresh-ramasubramanian</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-09-06T09:37:47ZBlog EntryMore than a Hundred Global Groups Make a Principled Stand against Surveillance
https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance
<b>For some time now there has been a need to update understandings of existing human rights law to reflect modern surveillance technologies and techniques.</b>
<p style="text-align: justify; ">Nothing could demonstrate the urgency of this situation more than the <a href="https://www.privacyinternational.org/blog/looking-at-prism-nsas-mass-surveillance-program">recent</a> <a href="https://www.eff.org/deeplinks/2013/06/spy-without-borders">revelations</a> confirming the mass surveillance of innocent individuals around the world.</p>
<p style="text-align: justify; ">To move toward that goal, today we’re pleased to announce the formal launch of the <a href="https://cis-india.org/internet-governance/blog/necessary-and-proportionate.pdf" class="internal-link">International Principles on the Application of Human Rights to Communications Surveillance</a>. The principles articulate what international human rights law – which binds every country across the globe – require of governments in the digital age. They speak to a growing global consensus that modern surveillance has gone too far and needs to be restrained. They also give benchmarks that people around the world can use to evaluate and push for changes in their own legal systems.</p>
<p style="text-align: justify; ">The product of over a year of consultation among civil society, privacy and technology experts, including the Centre for Internet and Society (read <a href="https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance">here</a>, <a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms">here</a>, <a href="https://www.eff.org/issues/surveillance-human-rights">here</a> and <a href="https://www.privacyinternational.org/blog/pi-is-pleased-to-announce-a-public-consultation-on-the-international-principles-on">here</a>), the principles have already been co-signed by over hundred organisations from around the world. The process was led by <a href="https://www.privacyinternational.org/">Privacy International</a>, <a href="https://accessnow.org/">Access</a>, and the <a href="https://eff.org/">Electronic Frontier Foundation</a>. The process was led by <a href="https://www.privacyinternational.org/">Privacy International</a>, <a href="https://accessnow.org/">Access</a>, and the <a href="https://eff.org/">Electronic Frontier Foundation</a>.</p>
<p style="text-align: justify; ">The release of the principles comes on the heels of a <a href="https://www.privacyinternational.org/blog/un-report-the-link-between-state-surveillance-and-freedom-of-expression">landmark</a> <a href="https://www.eff.org/deeplinks/2013/06/internet-and-surveillance-UN-makes-the-connection">report</a> from the United Nations Special Rapporteur on the right to Freedom of Opinion and Expression, which details the widespread use of state surveillance of communications, stating that such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights. And recently, the UN High Commissioner for Human Rights, Nivay Pillay, <a href="http://www.ohchr.org/EN/NewsEvents/Pages/Media.aspx?IsMediaPage=true&LangID=E">emphasised the importance</a> of applying human right standards and democratic safeguards to surveillance and law enforcement activities.</p>
<p style="text-align: justify; ">"While concerns about national security and criminal activity may justify the exceptional and narrowly-tailored use of surveillance programmes, surveillance without adequate safeguards to protect the right to privacy actually risk impacting negatively on the enjoyment of human rights and fundamental freedoms," Pillay said.</p>
<p style="text-align: justify; ">The principles, summarised below, can be found in full at <a class="external-link" href="http://necessaryandproportionate.org">necessaryandproportionate.org</a>. Over the next year and beyond, groups around the world will be using them to advocate for changes in how present laws are interpreted and how new laws are crafted.</p>
<p style="text-align: justify; ">We encourage privacy advocates, rights organisations, scholars from legal and academic communities, and other members of civil society to support the principles by adding their signature.</p>
<p style="text-align: justify; ">To sign, please send an email to <a class="mail-link" href="mailto:rights@eff.org">rights@eff.org</a>, or visit <a class="external-link" href="https://www.necessaryandproportionate.org/about">https://www.necessaryandproportionate.org/about</a></p>
<h3 style="text-align: justify; ">Summary of the 13 principles</h3>
<ul>
<li>Legality: Any limitation on the right to privacy must be prescribed by law.</li>
<li style="text-align: justify; ">Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.</li>
<li style="text-align: justify; ">Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim.</li>
<li style="text-align: justify; ">Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfill the specific legitimate aim identified.</li>
<li style="text-align: justify; ">Proportionality: Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to users’ rights and to other competing interests.</li>
<li style="text-align: justify; ">Competent judicial authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.</li>
<li style="text-align: justify; ">Due process: States must respect and guarantee individuals' human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.</li>
<li style="text-align: justify; ">User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation.</li>
<li style="text-align: justify; ">Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers.</li>
<li style="text-align: justify; ">Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.</li>
<li style="text-align: justify; ">Integrity of communications and systems: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain information.</li>
<li style="text-align: justify; ">Safeguards for international cooperation: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to communications surveillance, the available standard with the higher level of protection for users should apply.</li>
<li style="text-align: justify; ">Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public and private actors.</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance'>https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-07-31T14:26:38ZBlog EntryPrivacy Protection Bill, 2013 (With Amendments based on Public Feedback)
https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback
<b>In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.</p>
<p style="text-align: center; "><b><a href="https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-amendments.pdf" class="internal-link">Click to download the Privacy Protection Bill, 2013 with latest amendments</a></b> (PDF, 196 Kb).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback'>https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback</a>
</p>
No publisherelonnaiFeaturedSAFEGUARDSInternet GovernancePrivacy2013-07-12T10:50:22ZBlog EntryOpen Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation
https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation
<b>India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p style="text-align: justify; ">This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, <a href="https://cis-india.org/accessibility/blog/#fn1" name="fr1">[1]</a> and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.<a href="https://cis-india.org/accessibility/blog/#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<p style="text-align: justify; ">The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.<a href="https://cis-india.org/accessibility/blog/#fn3" name="fr3">[3]</a> In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. <a href="https://cis-india.org/accessibility/blog/#fn4" name="fr4">[4]</a> In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.<a href="#fn5" name="fr5">[5]</a> The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.<a href="#fn6" name="fr6">[6]</a> Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.<a href="#fn7" name="fr7">[7]</a> The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.</p>
<p style="text-align: justify; ">The Center for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; ">We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. CII asks EU to accept India as 'Data Secure' nation: <a class="external-link" href="http://bit.ly/15Z77dH">http://bit.ly/15Z77dH</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. India threatens to stall trade talks with EU: <a class="external-link" href="http://bit.ly/1716aF1">http://bit.ly/1716aF1</a><a class="moz-txt-link-freetext" href="http://www.business-standard.com/article/economy-policy/india-threatens-to-stall-trade-talks-with-eu-113050900020_1.html"></a></p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. New privacy Bill: Data Protection Authority, jail term for offence: <a class="external-link" href="http://bit.ly/emqkkH">http://bit.ly/emqkkH</a></p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. The Report of the Group of Experts on Privacy <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Law Minister Seeks stand along privacy legislation, writes PM: <a class="external-link" href="http://bit.ly/16hewWs">http://bit.ly/16hewWs</a></p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Privacy Protection Bill 2013 drafted by CIS: <a class="external-link" href="http://bit.ly/10eum5d">http://bit.ly/10eum5d</a></p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. Privacy Roundtable: <a class="external-link" href="http://bit.ly/12HYoj5">http://bit.ly/12HYoj5</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: <a class="external-link" href="http://bit.ly/Z2FjX6">http://bit.ly/Z2FjX6</a></p>
<div id="_mcePaste"><b>Note: CIS sent the letters to Data Protection Commissioners across Europe.</b></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation'>https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T11:07:58ZBlog EntryUnique Identification Scheme (UID) & National Population Register (NPR), and Governance
https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note
<b>This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what is the NPR, the legal grounding of NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, process of enrollment in UID, how UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.</b>
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h2 style="text-align: justify; ">Video</h2>
<p><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="315"></iframe></p>
<p><i>The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore</i>.</p>
<hr />
<p style="text-align: justify; "><b>What is the NPR?<br /></b>In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; "><b>What is the legal grounding of the NPR? </b><br />The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is <i>mandatory </i>for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.</p>
<p style="text-align: justify; "><b>What are the objectives of the NPR? </b><br />The objectives of the NPR as stated by the Citizenship Act is for the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; "><b>What is the process of enrollment for the NPR?</b><br />NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.<a href="#fn2" name="fr2">[2]</a> Collected information will then be printed and <i>displayed in the local area </i>where it is scrutinized by local officers and vetted by local bodies called ´Gram Sabha/Ward Committees´.<a href="#fn4" name="fr4">[4]</a> This process of social audit is meant to bring in transparency, equity, and ensure accuracy.</p>
<p style="text-align: justify; "><b>What information will be collected under the NPR?</b><br />The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection biometrics has not been provided for in the text of the Citizenship Rules, and is instead appears to be authorized through guidelines,<a href="#fn5" name="fr5">[5]</a> which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.</p>
<p style="text-align: justify; "><b>What is the Resident Identity Card? </b><br />The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; "><b>What is the UID?<br /></b>The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; "><b>What is the objective of the UID?<br /></b>According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS). Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; "><b>What is the process for enrollment in the UID?</b><br />To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.<a href="#fn9" name="fr9">[9]</a> The UIDAI will enroll up to 600 million residents in 16 States and territories.<a href="#fn10" name="fr10">[10]</a> Online registration prior to enrollment at a Center is also now being offered.</p>
<p style="text-align: justify; "><b>How is UID being adopted by different States? </b><br />The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default. Some ways in which states are using the UID include:</p>
<ul>
<li style="text-align: justify; "><i>Gas and vehicles</i>: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing a RTI request, and registering vehicles.<a href="#fn11" name="fr11">[11]</a></li>
<li style="text-align: justify; "><i>Education</i>: The Kerala government has required that all students must have UID number in order to be tracked through the system.<a href="#fn12" name="fr12">[12] </a>This mandate was questioned by the National Commission for Protection of Child Rights.</li>
<li style="text-align: justify; "><i>First Information Reports (FIR’s)</i>: The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing a FIR.<a href="#fn13" name="fr13">[13]</a> </li>
<li style="text-align: justify; "><i>Banks</i>: The National Payment Corporation of India has collaborated UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.<a href="#fn14" name="fr14">[14]</a></li>
<li style="text-align: justify; "><i>Railway</i>: Railways are proposing to use the UID database for bookings and validation of passengers.<a href="#fn15" name="fr15">[15]</a></li>
<li style="text-align: justify; "><i>Social Security</i>: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district</li>
</ul>
<p><b>Has there been duplication of UID numbers?</b><br />According to news reports:</p>
<ul>
<li style="text-align: justify; ">The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.</li>
</ul>
<ul>
<li style="text-align: justify; ">The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.</li>
</ul>
<ul>
<li>The UIDAI has received two received complaints regarding duplication of UID numbers.<a href="#fn17" name="fr17">[17]</a></li>
</ul>
<p><b>What are the differences between the UID and NPR?<br /></b></p>
<ul>
<li style="text-align: justify; "><i>Voluntary vs. Mandatory:</i> It is compulsory for <i>all </i>Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means. </li>
<li style="text-align: justify; "><i>Number vs. Register:</i> UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.</li>
<li style="text-align: justify; "><i>Statute vs. Bill:</i> The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID as proposed a bill which has not been passed for the legal backing of the scheme. </li>
<li style="text-align: justify; "><i>Authentication vs. Identification:</i> The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear what circumstances the card will be required for use in. </li>
<li style="text-align: justify; "><i>UIDAI vs. RGI:</i> The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government. </li>
<li style="text-align: justify; "><i>Door to door canvassing vs. center enrollment</i>: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme. </li>
<li style="text-align: justify; "><i>Prior documentation vs. census material:</i> The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.</li>
<li style="text-align: justify; "><i>Online vs. Offline:</i> For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card. </li>
</ul>
<p><b>What is the controversy between the UID and NPR? </b></p>
<ul>
<li style="text-align: justify; "><i>Effectiveness:</i> There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.<a href="#fn18" name="fr18">[18]</a></li>
<li style="text-align: justify; "><i>Legality of sharing data</i>: Both the legality of the UID and NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR, is beyond the scope of subordinate legislation. Especially as this appears to be left only to guidelines.<a href="#fn19" name="fr19">[19]</a> Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.</li>
<li style="text-align: justify; "><i>Accuracy</i>: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system has raised by Home Minister Chidambaram in January 2012 about how accurate the data collected by the UID is is that will be collected.<a href="#fn20" name="fr20">[20]</a> To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.</li>
<li style="text-align: justify; "><i>Biometrics</i>: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.<a href="#fn21" name="fr21">[21]</a></li>
</ul>
<p><b>What court cases have been filed against the UID?<br /></b>The following cases are currently filed in courts around the country:</p>
<ul>
<li><i>Supreme Court:</i></li>
</ul>
<p style="padding-left: 30px; text-align: justify; ">K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme Court challenging the legality of UIDAI.<a href="#fn22" name="fr22">[22]</a></p>
<ul style="text-align: justify; ">
<li><i>Chandigarh</i>: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989 by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.<a href="#fn23" name="fr23">[23]</a><span> </span></li>
<li style="text-align: justify; "><span><i>Karnataka:</i></span> <span>Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).</span></li>
<li style="text-align: justify; "><i>Chennai</i>: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.<a href="#fn24" name="fr24">[24]</a></li>
<li style="text-align: justify; "><i>Bombay</i>: In January 2012 a case was filed in the Mumbai high Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna & Ors.</li>
</ul>
<p style="text-align: justify; "><b>What is the relationship between UID, NPR, and National Security<br /></b>The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; "><b>What is the relationship between UID and Big Data?<br /></b>Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.<a href="#fn26" name="fr26">[26]</a></p>
<p style="text-align: justify; "><b>How is UID being used for BPL direct cash transfers?<br /></b>Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:</p>
<ul>
<li style="text-align: justify; ">The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.<a href="#fn27" name="fr27">[27]</a> It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated though a banking correspondent.</li>
<li style="text-align: justify; ">The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.<a href="#fn28" name="fr28">[28]</a></li>
<li style="text-align: justify; ">Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.<a href="#fn29" name="fr29">[29]</a> Though these schemes have been identified, as of yet, adoption has happened in very few districts. </li>
</ul>
<p style="text-align: justify; "><b>What are the concerns regarding the use of biometrics in the UID and NPR scheme? <br /></b>Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:</p>
<ul>
<li style="text-align: justify; "><i>Biometrics are not infallible:</i> Inaccuracies can arise from variations in individuals attributes and inaccuracies in the technology. </li>
<li style="text-align: justify; "><i>Environment matters</i>: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.</li>
<li style="text-align: justify; "><i>Population size matters</i>: Because biometrics have differing levels of stability – the larger the population is the higher the possibility for error is. </li>
<li style="text-align: justify; "><i>Technology matters:</i> The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.</li>
<li style="text-align: justify; "><i>Spoofing:</i> It is possible to spoof a fingerprint and fool a biometric reader.<a href="#fn30" name="fr30">[30]</a></li>
</ul>
<ul>
</ul>
<ul style="text-align: justify; ">
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner. <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. This is according to a 2010 Cabinet note and the official website of the NPR.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include: (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.</p>
<p>[<a href="#fr4" name="fn4">4</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Department of Information Technology. National Population Register. Question 22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Unique Identification Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. Unique Identification Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at:<a class="external-link" href="http://bit.ly/13UMiSv"> http://bit.ly/13UMiSv</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. For more information see: How to get an Aadhaar. <a class="external-link" href="http://bit.ly/R2jBOP">http://bit.ly/R2jBOP</a></p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: <a class="external-link" href="http://bit.ly/ZC3Yv">http://bit.ly/ZC3Yv</a>e. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18<sup>th</sup> 2013. Available at: <a class="external-link" href="http://bit.ly/150BXRj">http://bit.ly/150BXRj</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: <a class="external-link" href="http://bit.ly/15Oiq8J">http://bit.ly/15Oiq8J</a></p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: <a class="external-link" href="http://bit.ly/tVsInl">http://bit.ly/tVsInl</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: <a class="external-link" href="http://bit.ly/tJwZG1">http://bit.ly/tJwZG1</a></p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: <a class="external-link" href="http://bit.ly/YcW5wl">http://bit.ly/YcW5wl</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr16" name="fn16">16</a>]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: <a class="external-link" href="http://bit.ly/YqPlK1">http://bit.ly/YqPlK1</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers.<a class="external-link" href="http://bit.ly/ZORowg"> http://bit.ly/ZORowg</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: <a class="external-link" href="http://bit.ly/16ud3gm">http://bit.ly/16ud3gm</a>. Last accessed: February 28th 2013</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: <a class="external-link" href="http://bit.ly/Y638JS">http://bit.ly/Y638JS</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr20" name="fn20">20</a>]. Ibid 17.</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at <a class="external-link" href="http://bit.ly/UTH2JS">http://bit.ly/UTH2JS</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: <a class="external-link" href="http://bit.ly/13UNs0i">http://bit.ly/13UNs0i</a>. Last accessed: February 2013.</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: <a class="external-link" href="http://bit.ly/WJq43M">http://bit.ly/WJq43M</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr24" name="fn24">24</a>]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: <a class="external-link" href="http://bit.ly/zB1H07">http://bit.ly/zB1H07</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr25" name="fn25">25</a>]. Times of India. UID poses national security threat: BJP. January 2012. Available at:<a class="external-link" href="http://bit.ly/WeM6KA"> http://bit.ly/WeM6KA</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: <a class="external-link" href="http://bit.ly/T9NdX3">http://bit.ly/T9NdX3</a>. Last Accessed: November 12th 2012.</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: <a class="external-link" href="http://bit.ly/1024Dwo">http://bit.ly/1024Dwo</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: <a class="external-link" href="http://bit.ly/UYbtw4">http://bit.ly/UYbtw4</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at: <a class="external-link" href="http://bit.ly/Xymx9d.">http://bit.ly/Xymx9d.</a> Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: <a class="external-link" href="http://bit.ly/13UMiSv">http://bit.ly/13UMiSv</a>. Last accessed February 28th 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note'>https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note</a>
</p>
No publisherelonnaiVideoInternet GovernancePrivacy2014-04-30T05:03:51ZBlog EntryDraft Human DNA Profiling Bill (April 2012): High Level Concerns
https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012
<b>In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Broad offences and instances of when DNA can be collected</h3>
<p style="text-align: justify; ">The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.</p>
<p style="text-align: justify; ">In the schedule under section C <b>Civil disputes and other civil matters </b>the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:</p>
<ul style="text-align: justify; ">
<li><i>(v) Issues relating to immigration or emigration </i></li>
<li><i>(vi) Issues relating to establishment of individual identity </i></li>
<li><i>(vii) Any other civil matter as may be specified by the regulations of the Board </i></li>
</ul>
<p style="text-align: justify; ">In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes</p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.</p>
<h3 style="text-align: justify; ">Inadequate level of authorization for sharing of information</h3>
<p style="text-align: justify; ">The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.</p>
<ul style="text-align: justify; ">
<li>Section 35 (1): “…<i>shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.</i>”</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.</p>
<h3 style="text-align: justify; ">Inaccurate understanding of infallibility of DNA</h3>
<p>The preamble to the Bill inaccurately states:</p>
<p style="text-align: justify; "><i>The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.</i></p>
<p style="text-align: justify; "><b>Recommendation:<i> </i></b>The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.</p>
<p style="text-align: justify; "><i>The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.</i></p>
<h3 style="text-align: justify; ">Inadequate access controls</h3>
<p style="text-align: justify; ">The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.</p>
<p style="text-align: justify; "><i>Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.</i></p>
<p style="text-align: justify; "><b>Recommendation:</b> Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.</p>
<h3 style="text-align: justify; ">Lack of standards and process for collection of DNA samples</h3>
<p style="text-align: justify; ">In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.</p>
<ul>
<li style="text-align: justify; "><i>Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
</ul>
<ul>
<li style="text-align: justify; "><i>Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12. </i></li>
<li style="text-align: justify; "><i>Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling</i>.</li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.</p>
<h3 style="text-align: justify; ">Inadequate appeal process</h3>
<p style="text-align: justify; ">The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.</p>
<p style="text-align: justify; "><i>Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.</i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.</p>
<h3 style="text-align: justify; ">Inclusion of population testing</h3>
<p style="text-align: justify; ">Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.</p>
<p style="text-align: justify; "><i>Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member. </i></p>
<p style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms. </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.</p>
<h3 style="text-align: justify; ">Provisions delegated to regulation that need to be incorporated into text of Bill</h3>
<p style="text-align: justify; ">The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:</p>
<p style="text-align: justify; "><i>Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely </i></p>
<ul>
<li style="text-align: justify; "><i>Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.</i></li>
<li style="text-align: justify; "><i>Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule. </i></li>
<li style="text-align: justify; "><i>Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.</i></li>
<li style="text-align: justify; "><i>Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction. </i></li>
</ul>
<p style="text-align: justify; "><i>Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act</i></p>
<ul>
<li style="text-align: justify; "><i>Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35</i></li>
<li style="text-align: justify; "><i>Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37</i></li>
<li style="text-align: justify; "><i> Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37 </i></li>
<li style="text-align: justify; "><i>Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43 </i></li>
<li style="text-align: justify; "><i>Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule. </i></li>
</ul>
<h3>Broad Language that needs to be specified or deleted</h3>
<p style="text-align: justify; ">There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:</p>
<p>Preamble: <i>There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.</i></p>
<ul>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act. </i></li>
<li style="text-align: justify; "><i>Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time. </i></li>
<li style="text-align: justify; "><i>Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.</i></li>
<li style="text-align: justify; "><i>Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.</i></li>
<li style="text-align: justify; "><i>Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board. </i></li>
<li style="text-align: justify; "><i>Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed. </i></li>
<li style="text-align: justify; "><i>Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board. </i></li>
</ul>
<p><b>Recommendation</b>: All broad and vague language should be deleted and replaced with specific language.</p>
<h3>Jurisdiction</h3>
<ul>
<li>Section 1(2) It extends to the whole of India.</li>
</ul>
<ul>
<li style="text-align: justify; ">Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed. </li>
</ul>
<p style="text-align: justify; ">The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.</p>
<h3>Inconsistent provisions</h3>
<p style="text-align: justify; ">The Bill contains provisions that are inconsistent including:</p>
<ul>
<li style="text-align: justify; "><i>Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto. </i></li>
<li style="text-align: justify; "><i>Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…</i></li>
</ul>
<p style="text-align: justify; "><b>Recommendation</b>: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.</p>
<h3 style="text-align: justify; ">Inadequate qualifications of DNA Data Bank Manager</h3>
<p style="text-align: justify; ">Section 33: “<i>The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.</i>”</p>
<p style="text-align: justify; "><b>Recommendation</b>: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.</p>
<h3 style="text-align: justify; ">Lack of restrictions on labs seeking certification</h3>
<p style="text-align: justify; ">According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.” <br /><b>Recommendation</b>: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.</p>
<h3 style="text-align: justify; ">Incomplete terms for use of DNA in courts</h3>
<p style="text-align: justify; ">Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court. <br /><b>Recommendation</b>: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.</p>
<h3 style="text-align: justify; ">Inadequate privacy protections</h3>
<p style="text-align: justify; ">Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.</p>
<p style="text-align: justify; "><i>Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.” </i></p>
<p style="text-align: justify; "><b>Recommendation</b>: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.</p>
<h2 style="text-align: justify; ">Missing Provisions</h2>
<ol> </ol><ol>
<li style="text-align: justify; "><b>Notification to the individual:</b> There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.</li>
<li style="text-align: justify; "><b>Consent: </b>There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.</li>
<li style="text-align: justify; "><b>Right to request deletion of DNA profile from database: </b>There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts. </li>
<li style="text-align: justify; "><b>Right of individuals to bring a private cause of action: </b>There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Right to review one's personal data: </b>There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database. </li>
<li style="text-align: justify; "><b>Independence of DNA laboratories and DNA banks from the police: </b>There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence. </li>
<li style="text-align: justify; "><b>Established profiling standard: </b>The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling. </li>
<li style="text-align: justify; "><b>Destruction of DNA samples: </b>There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.</li>
</ol>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul>
</ul>
<ul style="text-align: justify; ">
</ul>
<ul>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012'>https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:36:59ZBlog EntrySurveillance Camp IV: Disproportionate State Surveillance - A Violation of Privacy
https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy
<b>This is the fourth in a series of posts mapping global surveillance challenges discussed at EFF's State Surveillance and Human Rights Camp in Rio de Janeiro, Brazil. This article has been co-written with Elonnai Hickok — Centre for Internet and Society India, and a speaker at EFF's Camp.</b>
<hr />
<p>This article by Katitza Rodriguez and Elonnai Hickok was originally <a class="external-link" href="https://www.eff.org/deeplinks/2013/02/disproportionate-state-surveillance-violation-privacy">published by the Electronic Frontier Foundation</a> on February 13, 2013.</p>
<hr />
<p style="text-align: justify; ">States around the world are faced daily with the challenge of protecting their populations from potential and real threats. To detect and respond to them, many governments surveil communication networks, physical movements, and transactional records. Though surveillance by its nature compromises individual privacy, there are exceptional situations where state surveillance is justified. Yet, if state surveillance is unnecessary or overreaching, with weak legal safeguards and a failure to follow due process, it can become disproportionate to the threat—infringing on people's privacy rights.</p>
<p style="text-align: justify; ">Internationally, regulations concerning government surveillance of communications vary in approach and effectiveness, often with <a href="https://www.eff.org/deeplinks/2012/12/2012-in-review-state-surveillance-around-globe" target="_blank">very weak or nonexistent legal safeguards</a>. Some countries have strong regulations for the surveillance of communications, yet these regulations may be largely ineffective or unenforceable in practice. Other countries have no legal safeguards or legal standards differing vastly according to the type of communication data targeted. This is why, EFF organized at the end of last year a <a href="https://www.eff.org/issues/surveillance-human-rights" target="_blank">State Surveillance and Human Rights Camp</a> in Brazil to build upon this discussion and focused on how states are facilitating unnecessary and disproportionate surveillance of communications in ways that lead to privacy violations.</p>
<h3 style="text-align: justify; ">State-Mandated Identity Verification</h3>
<p style="text-align: justify; ">In 2012 the Constitutional Court in South Korea <a href="https://www.nytimes.com/2012/08/24/world/asia/south-korean-court-overturns-online-name-verification-law.html?_r=1&" target="_blank">declared</a> that country's "real-name identification system" unconstitutional. The system had mandated that any online portal with more than 100,000 daily users had to verify the identity of their users.<a href="#fn1" name="fr1">[1]</a>This meant that the individual has to provide their real name before posting comments online. The legal challenge to this system was raised by <a href="https://en.wikipedia.org/wiki/People%E2%80%99s_Solidarity_for_Participatory_Democracy" target="_blank">People's Solidarity for Participatory Democracy</a> (PSPD)'s Public Law Center and <a href="https://en.wikipedia.org/wiki/Korean_Progressive_Network_%28Jinbonet%29%20" target="_blank">Korean Progressive Network</a>—Jinbonet among others.</p>
<p style="text-align: justify; ">Korea University professor Kyung-shin Park, Chair of PSPD's Law Center told EFF that portals and phone companies would disclose identifying information about six million users annually—in a country of only 50 million people. The South Korean Government was using perceived online abuses as a convenient excuse to discourage political criticism, professor Park told EFF:</p>
<p class="callout" style="text-align: justify; ">The user information shared with the police most commonly has been used by the government to monitor the anti-governmental sentiments of ordinary people. All this has gone on because the government, the legislature, and civil society have not clearly understood the privacy implications of turning over identifying information of individuals.</p>
<p style="text-align: justify; ">The decision by the South Korean Constitutional Court to declare the "real identification system" unconstitutional was a win for user privacy and anonymity because it clearly showed that blanket mandates for the disclosure of identifying information, and the subsequent sharing of that data without judicial authorization, are a disproportionate measure that violates the rights of individuals.<a href="#fn2" name="fr2">[2]</a></p>
<h3 style="text-align: justify; ">States Restrict Encryption and Demand Backdoors</h3>
<p style="text-align: justify; ">Some States are seeking to block, ban, or discourage the use of strong encryption and other privacy enhancing tools by requiring assistance in decrypting information. In India service providers are required to ensure that bulk encryption is not deployed. Additionally, no individual or entity can employ encryption with a key longer than 40 bits. If the encryption equipments is higher than this limit, the individual or entity will need prior written permission from the Department of Telecommunications and <a href="https://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">must deposit</a> the decryption keys with the Department.<a href="#fn3" name="fr3">[3]</a>The limitation on encryption in India means that technically any encrypted material over 40 bits <a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank">would be accessible</a> by the State. Ironically, the Reserve Bank of India<b> </b><a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">issued security recommendations</a> that banks should use strong encryption as higher as 128-bit for securing browser.<a href="#fn4" name="fr4">[4]</a>In the United States, under the <a href="http://wiki.surveillancehumanrights.org/Background_on_lawful_interception_mandates_and_government_access_to_encryption_keys" target="_blank">Communications Assistance for Law Enforcement Act</a>, telecommunication carriers are required to provide decryption assistance only if they already possess the keys (and in many communications system designs, there's no reason carriers should need to possess the keys at all). In 2011, the <a href="https://www.eff.org/pages/legal-struggles-over-interception-rules-united-states" target="_blank">US Government proposed a bill</a> that would place new restrictions on domestic development or use of cryptography, privacy software, and encryption features on devices. The bill has not been adopted.</p>
<p style="text-align: justify; ">Allowing only low levels of encryption and requiring service providers to assist in the decryption of communications, facilitates surveillance by enabling States easier access to data and preventing individuals from using crypto tools to protect their personal communications.</p>
<h3 style="text-align: justify; ">States Establish Blanket Interception Facilities</h3>
<p style="text-align: justify; ">In Colombia, telecommunications network and service providers carrying out business within the national territory <a href="https://www.eff.org/pages/mapping-laws-government-access-citizens-data-colombia" target="_blank">must implement</a> and ensure that interception facilities are available at all times to state agencies as prescribed by law. This is to enable authorized state agencies to intercept communications at any point of time. In addition to providing interception facilities, service providers must also retain subscriber data for a period of five years, and provide information such as subscriber identity, invoicing address, type of connection on request, and geographic location of terminals when requested.</p>
<p style="text-align: justify; ">Though Colombia has put in place regulations for the surveillance of communications, these regulations allow for broad surveillance and do not afford the individual clear rights in challenging the same.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The examples above demonstrate that, although state surveillance of communications can be justified in exceptional instances, it leads to the violation of individual privacy when implemented without adequate legal safeguards. Clearly there is a need for international principles articulating critical and necessary components of due process for the surveillance of communications. Those strong legal safeguards are necessary not only in countries that don't have laws in place, but also in countries where laws are lacking and fail to adequately protect privacy. Last year, EFF <a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms" target="_blank">organized the State Surveillance and Human Rights Camp</a> to discuss a set of <a href="http://necessaryandproportionate.net/" target="_blank">International Principles on State Surveillance of Communications</a>, a global effort led by EFF and Privacy International, to define, articulate, and promote legal standards to protect individual privacy when the state carries out surveillance of communications.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>].Constitutional Court's Decision 2010 Hunma 47, 252 (consolidated) announced August 28, 2012.</p>
<p>[<a href="#fr2" name="fn2">2</a>].The illegality of this practice was proved by a High Court decision handed down 2 months after the Constitutional Court's decision in August 2012. Seoul Appellate Court 2011 Na 19012, Judgment Announced October 18, 2012. This case <a href="http://www.peoplepower21.org/English/955480" target="_blank">was prepared and followed singularly</a> by PSPD Public Interest Law Center.</p>
<p>[<a href="#fr3" name="fn3">3</a>].<a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf">License Agreement for Provision of Internet Services Section 2.2 (vii)</a></p>
<p>[<a href="#fr4" name="fn4">4</a>].Reserve Bank of India. <a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0" target="_blank">Internet Banking Guidelines</a>. Section (f (2)).</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy'>https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-02-19T12:37:09ZBlog EntryThe Omnishambles of UID, shrouded in its RTI opacity
https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity
<b>The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013. </b>
<p>Click below to see Colonel Mathew Thomas's presentation</p>
<h3><b><a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1">Omnishambles of UID Shrouded in its Opacity</a></b></h3>
<p><iframe frameborder="0" height="421" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/16619783" width="512"> </iframe></p>
<p><a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1"> </a></p>
<div><b><a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1"> </a><br /></b><b><a href="http://www.slideshare.net/praskrishna" target="_blank"></a></b></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity'>https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-02-19T11:04:30ZBlog Entry2012: Privacy Highlights in India
https://cis-india.org/internet-governance/privacy-highlights-in-india
<b>In this blog post, Elonnai Hickok summarizes the top privacy moments of 2012 in India. In doing so she lists out the major ones like the Report of Group of Experts on Privacy, the RIM Standoff, the Nira Radia controversy, the Centralized Monitoring System, Unmanned Aerial Vehicles, NATGRID, CCTNS, the growth of CCTVs, the leaked DNA Profiling Bill, and the UID project.</b>
<p style="text-align: justify; "><b>The Report of Group of Experts on Privacy:</b> In October 2012 the "Report of Group of Experts on Privacy" was published by a governmental committee chaired by Justice A.P. Shah. The report contains recommendations for comprehensive privacy legislation, including defining nine privacy principles, establishing a regulatory framework consisting of privacy commissioners at the regional and central level, and self regulatory organizations, and analyzing the present challenges to privacy in India.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Before the report was published, two draft privacy bills had been leaked to the public, and a concept paper drafted in 2010. The report received mixed reviews from the media, including questions about the relationship between the Right to Information and the Right to Privacy. Before the publishing of the Report, Prime Minister Manmohan Singh recognized that disclosures under the RTI Act could, in some instances, violate individual privacy. In a statement to the public, the Prime Minister stated <i>"citizens<ins cite="mailto:Author" datetime="2012-11-16T15:34">’</ins> right to know should definitely be circumscribed if disclosure of information encroaches upon someone's personal privacy. But where to draw the line is a complicated question"</i>.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Three months before the report was published, the EU had publicly stated that current data protection provisions in India are not sufficient enough, and that India is not considered to be 'data secure'.<a href="#fn3" name="fr3">[3]</a> If the recommendations in the report are turned into legislation, among other things, individuals in India will have a right to privacy and a right to redress for violations of privacy.</p>
<p style="text-align: justify; "><b>Governmental Interception</b>: In early 2013 it was revealed that the Ministry of Home Affairs ordered interception of 10,000 phones and 1300 email ids during October 2012 to December 2012.<a href="#fn4" name="fr4">[4]</a> Continuing its efforts to access all communications, in May 2012, the Government of India gave service providers a month to develop a method for intercepting calls using VoIP services.<a href="#fn5" name="fr5">[5]</a> In February 2012 the Telecom Department proposed a new set of security guidelines that would allow for real time interception of communications and the tracking of the location of users. Among other things, the proposal establishes telecom security assurance and testing labs for the purpose of testing and certifying telecom equipment.<a href="#fn6" name="fr6">[6]</a> Additionally, in October of 2012, Bharti Airtel refused to wiretap telephones for RAW. The Department of Telecommunications eventually ordered Bharti Airtel to comply with the order, which they did.<a href="#fn7" name="fr7">[7]</a> The events around interception in 2012 show that the Indian government is still trying to gain access to as much information as possible. The constant push for real time access by the government is concerning, as many safeguards are missing from the Indian interception regime such as, penalty to security agencies for unauthorized interception and avenues of redress for the individual.</p>
<p style="text-align: justify; "><b>The RIM Standoff</b>: Since 2008, the Indian government has been negotiating with RIM access to BlackBerry communications. Over the years, a number of solutions have been proposed by RIM and the GoI, yet a final agreement was never reached. Continuing the negotiations, In October 2012, RIM agreed to set up a server in Mumbai, which would allow security agencies to access Blackberry Messenger services.<a href="#fn8" name="fr8">[8]</a> Blackberry also provided a solution that would allow access to Blackberry Internet Services.<a href="#fn9" name="fr9">[9]</a> Following this, the Government of India mandated that Telecom Service Providers must incorporate the Blackberry interception solution, or risk being forced to shut their service by December 31, 2012. In compliance with this order, many service providers have set time frames for incorporation of the interception solution including and installed the necessary software.<a href="#fn10" name="fr10">[10]</a> It is important to note that the lawful access solutions provided do not extend to the Blackberry Enterprise Server.<a href="#fn11" name="fr11">[11]</a> Though it seems that the BlackBerry controversy might be resolved, the solution does not appear to be a long term solution, as BES communications are still not accessible, and the solution is not universal for all international providers. Thus, the Indian government will have to negotiate individually with each provider and service that they currently cannot access communications of.</p>
<p style="text-align: justify; "><b>The Nira Radia Controversy:</b> Continuing the Nira Radia controversy, which began in 2008-2009, in September 2012 the Supreme Court ordered the Income Tax Department to transcribe the 5,831 recorded conversations that were originally intercepted by the department. In January this year, the Supreme Court of India ordered that a "random check" be run through the Radia Tapes to check for instances of possible criminality.<a href="#fn12" name="fr12">[12]</a> This case has become an important moment for privacy in India, as it intersects the dilemma between the right to privacy and public interest. Since 2010, Ratan Tata has been claiming that his right to privacy was violated by the publishing of the leaked tapes.<a href="#fn13" name="fr13">[13]</a> The Supreme Court’s final decision will be important for drawing another contour of how the right to privacy is shaped in India.</p>
<p style="text-align: justify; "><b>The Centralized Monitoring System</b>: In 2012 the Telecom Ministry set aside Rs. 400 crore for the Central Monitoring System, which is projected to be finished by August 2014.<a href="#fn14" name="fr14">[14]</a> The project, which first began in 2007, is envisioned to allow security agencies to bypass service providers and intercept communications on their own. The system is designed to have regional databases and a central database which will be accessible to law enforcement and security agencies. Privacy concerns related to the project include how the system will incorporate current legal regulations for interception in India, as a system that bypasses service providers essentially means that every communication can be read by law enforcement. Furthermore, it is not clear exactly who, and on what conditions will officials be allowed and authorized to access and use the system. The exact capabilities of the system have also not been identified. For example, will the CMS be able to intercept VoIP calls, will it be able to decrypt messages, and will it employ techniques such as Deep Packet Inspection.</p>
<p style="text-align: justify; "><b>Unmanned Aerial Vehicles (UAVs):</b> Since the late 90’s the Defense Research Development Organisation (DRDO) has been developing UAV’s for military purposes, and before this, India was acquiring UAV’s from Israel.<a href="#fn15" name="fr15">[15]</a> Since that time there has been an increase in domestic companies and institutes developing UAVs, and an increase in the procurement of the technology by state police for generic reasons purposes as crowd control, traffic management, and security. For example, in August of 2012 the city of Mumbai used the UAV "Netra", as part of their security protocol during the Raj Thackeray rally to capture and send real time images back to the police. Netra is manufactured by the company Idea Forge.<a href="#fn16" name="fr16">[16]</a> The Mumbai police also used the Netra in September 2012 after the Azad Maidan riots, and again on New Year’s Eve to monitor and track crime such as sexual harassment.<a href="#fn17" name="fr17">[17]</a> Similarly, Chennai city police are looking to procure from Anna University a UAV developed by the Madras Institute of Technology. The UAV will be used to assist in traffic monitoring and control.<a href="#fn18" name="fr18">[18]</a> The increased procurement and use of UAV’s by state police is concerning as there is no clear legal regulation over the deployment of the vehicles. Thus, they have shifted from being used as a tool by the military, and are being used for monitoring traffic, crowd monitoring, etc. Furthermore, the process for authorization for use of the vehicles is not clear, and it is not clear how the captured information is protected and handled. Though UAV’s are clearly a useful tool for the military, for military purposes, the permitted use of them by other actors should be defined and regulated. The use of UAV’s for generic purposes could place individual privacy at risk, because of the amount of information and the level of detail that the vehicles are able to capture without the knowledge of the individual.</p>
<p style="text-align: justify; "><b>The National Intelligence Grid (NATGRID):</b> Plans for the NATGRID project, which was first piloted after the Mumbai attacks, has been continuing forward through 2012 and is envisioned to be operational sometime in 2013. During 2012, a detailed project report was submitted for the project, and in June the government approved Rs. 1,100 crore for purchase of technological equipment.<a href="#fn19" name="fr19">[19]</a> NATGRID is a project that envisions networking 21 databases for purposes of crime investigation including tax, health, and travel information. The information will be accessible to 11 security agencies and law enforcement agencies. Though it has been clarified that NATGRID will ensure that privacy is protected, the design of NATGRID is one that could create potential risks – as it brings together large amounts of personal data for easy access by security agencies. In doing so it could potentially eliminate the steps security agencies must take currently to access information – such as submitting a request and obtaining permission for access. Furthermore, it is unclear how current legal protections such as secrecy clauses in banking legislation will be incorporated and upheld by the NATGRID system. Other questions that the project raises include – though currently there are only eleven agencies listed that will have access to NATGRID – will this list expand? Without a policy in place how will this standard and other standards be enforced?</p>
<p style="text-align: justify; "><b>The Crime and Criminal Tracking Network & System (CCTNS): </b>Though the CCTNS project has been in the works since 2009, a call for companies to develop the technology for the system was taken in early 2012, and pilot projects were launched later that year. The CCTNS is being headed by the National Crime Records Bureau, and will allow for the sharing of crime related information on a national level, in real time. In 2012, the system was allocated 2,000 crores by the government, and currently 2,000 police stations and other offices have been connected under the system.<a href="#fn20" name="fr20">[20]</a></p>
<p style="text-align: justify; ">For example, police in Chhattisgarh,<a href="#fn21" name="fr21">[21]</a> Uttarakhand<a href="#fn22" name="fr22">[22]</a> and Odisha have all been connected to the CCTNS system.<a href="#fn23" name="fr23">[23]</a> Though it will be beneficial for the police to have access to a networked system, it has not been made clear yet what type of security system the project will adopt to ensure that the information is not compromised or accessed without authorization. It has also not been clarified what information will be placed on the database, and will all records be accessible to any individual accessing the system. Because the project is still in pilot stages it is hard to tell if it could put individual privacy at risk. Hopefully, before the project is realized in its full, many of the details will be clarified.</p>
<p style="text-align: justify; "><b>The Growth of CCTVs:</b> Throughout 2012 the use of CCTV’s has continued to grow across India. For example, the Maharashtra government has undertaken a "CCTV surveillance project" in which it is in the process of taking bids for.<a href="#fn24" name="fr24">[24]</a> The state of Karnataka is also planning on installing CCTV cameras in Bangalore and other major cities to help detect incidents of crime.<a href="#fn25" name="fr25">[25]</a> While the Delhi Transport Department is contemplating installing CCTVs in buses,<a href="#fn26" name="fr26">[26]</a> and the Indian Rail Authorities have also decided to install CCTVs throughout stations to increase security.<a href="#fn27" name="fr27">[27]</a> There still does not exist regulation of the use of CCTV cameras, thus it is unclear who can operate a CCTV camera, which departments of the government can mandate for the installation of CCTVs, if public notice must be given that a CCTV camera is in use, and who can access the footage from a CCTV.</p>
<p style="text-align: justify; "><b>Study on Privacy Perceptions</b>: In a study that came out in December 2012 by Ponnurangam K, among other things, it was found that 75 per cent of participants never read the privacy policy on a website – including social networking sites, participants also thought that there was a privacy legislation in place in India, and that individuals in India are most concerned about financial privacy.<a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; "><b>The National Counter Terrorism Centre (NCTC):</b> The NCTC was originally created in response to the Mumbai terror attacks, under the Unlawful Prevention Act, 1967. The NCTC was meant to be realized in 2012, but in March, plans for the Centre were put on hold, because of the controversial nature of the project.<a href="#fn29" name="fr29">[29]</a> The Centre was meant to bring Indian intelligence agencies under one umbrella, and analyze and store information related to terrorism. The proposed body has been highly controversial, as states object to the powers given to the Centre and see it as intruding on their powers and jurisdiction. If passed, the NCTC will have the powers of arrest, search and seizure, and the ability to access information from other intelligence agencies.<a href="#fn30" name="fr30">[30]</a></p>
<p style="text-align: justify; "><b>The Leaked DNA Profiling Bill:</b> In 2012, a version of the DNA Profiling Bill, originally drafted in 2007, was leaked to the public. The Bill is being piloted by the department of biotechnology, and seeks to establish DNA databases at the regional and central level for forensic purposes, yet the Bill does not establish strong protections for the privacy of DNA samples taken and important technical standards for ensuring that DNA samples are not misused or tampered with.<a href="#fn31" name="fr31">[31]</a> What will happen to the Bill in 2013 is yet to be seen, but hopefully it will not be passed without the appropriate safeguards incorporated into its provisions.</p>
<p style="text-align: justify; "><b>The Unique Identification Project and the National Population Registrar:</b> Throughout 2012, the UID has continued to carry out enrollments across the country, and sign MoU's with private sector companies for the adoption of the UID platform. Parallel to the UID project, the NPR project is also being implemented. The NPR seeks to provide every citizen of India with an identity that will be stored in an identity database maintained by the Registrar General and Census Commissioner of India.<a href="#fn32" name="fr32">[32]</a> According to the NPR scheme, individuals who had already enrolled with the UID and given their biometrics would not need to re-submit their biometrics with the NPR. Yet, this has not been the case, and instead individuals are now being required to provide their biometrics for enrollment with the UID and the NPR.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">Privacy has been raised as a concern of the UID since the start of the project. For both the UID and the NPR now the transaction record will be stored by agencies, and whether it will be possible to track individuals across databases using their NPR or UID identity?</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. The Report of Group of Experts on Privacy. See <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Tikku, A., "RTI doesn’t trample upon privacy, says expert panel", Hindustan Times, October 29, 2012, available at <a class="external-link" href="http://bit.ly/TNAzRF">http://bit.ly/TNAzRF</a>, last accessed on January 8, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Sen, A. India protests European Union study of data laws. Economic Times. July 9, 2012, available at <a class="external-link" href="http://bit.ly/Y9ahHs">http://bit.ly/Y9ahHs</a>, last accessed on January 8, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. Harismran, J., Thomas, J. "Home Ministry ordered 10k wire taps in last 90 days, order tapping of 1300 email Ids", The Economic Times, January 3,<sup></sup> 2013, available at <a class="external-link" href="http://bit.ly/TKk7yN">http://bit.ly/TKk7yN</a>, last accessed on January 7th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>].The Economic Times, "Provide solution to intercept VoIP within a month: Govt", May 6, 2012, available at <a class="external-link" href="http://bit.ly/VQDQ4k">http://bit.ly/VQDQ4k</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. The Economic Times, "New policy for real time interception to security agencies", February 1, 2012, available at <a class="external-link" href="http://bit.ly/11DrlvB">http://bit.ly/11DrlvB</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. The Economic Times, "RAW irked as Airtel keeps its request for phone tapping on hold", October 21, 2012, available at <a class="external-link" href="http://bit.ly/12IujhF">http://bit.ly/12IujhF</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. Reyes, D., "RIM installs BlackBerry server in Mumbai", CrackBerry, February 23, 2012, available at <a class="external-link" href="http://bit.ly/yBQsSo">http://bit.ly/yBQsSo</a></p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. Economic Times, "DoT makes telecom operators fall in line on Blackberry issue", December 30, 2012, available at <a class="external-link" href="http://bit.ly/1169ufn">http://bit.ly/1169ufn</a></p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Economic Times, "MTNL, BSNL fail to give dates for Blackberry interception", October 29, 2012, available at <a class="external-link" href="http://bit.ly/1169ufp">http://bit.ly/1169ufp</a>, last accessed on January 7, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. The Economic Times, "Telecom companies agreed to provide real-time intercept facilities for BlackBerry smartphones", December 31, 2012, available at <a class="external-link" href="http://bit.ly/Y9gjYt">http://bit.ly/Y9gjYt</a>, last accessed on January 7, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Mahapatra, D., "SC to examine Radia tapes for criminality", Times of India, January 9, <sup></sup> 2013, available at <a class="external-link" href="http://bit.ly/VD7eWX">http://bit.ly/VD7eWX</a></p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Times of India, "Ratan Tata softens stand on Radia tapes", August 23, 2012, available at <a class="external-link" href="http://bit.ly/158CZxl">http://bit.ly/158CZxl</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. The Economic Times, "Govt. to place phone tapping system worth Rs. 400 cr by 2014", March 21, 2012, available at <a class="external-link" href="http://bit.ly/V2P9q6">http://bit.ly/V2P9q6</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Monsonis, G., "UAVs gaining currency with Indian Armed Forces", Indian Defence Review, October 30, 2012, available at <a class="external-link" href="http://bit.ly/KVYyIr">http://bit.ly/KVYyIr</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Mumbai Mirror, "Raj Thackeray’s mega rally: Unmanned Aerial Vehicle kept an eye on Azed Maidan", Economic Times, August 22, 2012, available at <a class="external-link" href="http://bit.ly/PYTGAG">http://bit.ly/PYTGAG</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>].Ali, A. & Narayan. V., "Netra cameras to keep a close watch , over New Year’s Eve hotspots", Times of India, December 31, 2012, available at <a class="external-link" href="http://bit.ly/Z7orxt">http://bit.ly/Z7orxt</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Venugopal, V., "It flies, it swoops, it records and monitors", The Hindu, December 20, 2012, available at <a class="external-link" href="http://bit.ly/V89sLo">http://bit.ly/V89sLo</a>, last accessed January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. The Economic Times, "Cabinet Committee on Security approves Rs. 1,100 crore for NATGRID", June 14, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Mohan, V., "Centre launches pilot project to track criminals", The Times of India, January 5, 2013, available at <a class="external-link" href="http://bit.ly/UPk2fh">http://bit.ly/UPk2fh</a></p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. The Pioneer, "Civil Lines Police Station gets connected with CCTNS", January 2012, available at <a class="external-link" href="http://bit.ly/VRXKGJ">http://bit.ly/VRXKGJ</a></p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. CIOL Bureau, "CCTNS to be made public through internet: Dehradun DGP", January 4, 2012, available at <a class="external-link" href="http://bit.ly/X4JISx">http://bit.ly/X4JISx</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Hindu, "Odisha to launch CCTNS on January 12", January 7, 2013, available at <a class="external-link" href="http://bit.ly/Vd9Ay1">http://bit.ly/Vd9Ay1</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. Padmakshan, M., "Maharashtra plans to invite new bids for CCTV surveillance project", September 18, 2012, available at <a class="external-link" href="http://bit.ly/VRYrQm">http://bit.ly/VRYrQm</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. Ashoka, R., "Karnataka to install CCTV cameras in Bangalore, major cities", Economic Times. July 26, 2012, available at <a class="external-link" href="http://bit.ly/11Dxt6Z">http://bit.ly/11Dxt6Z</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Economic Times, "Buses to come with CCTV cameras for safety of women: Delhi government", December 17, 2012, available at <a class="external-link" href="http://bit.ly/158Gtjo">http://bit.ly/158Gtjo</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Economic Times, "Railways to step by security apparatus at stations", February 15, 2012, available at <a class="external-link" href="http://bit.ly/11DxSX8">http://bit.ly/11DxSX8</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. Times of India, "Most Indians ignorant about privacy issues on Facebook, Twitter: Study", December 10, 2012, available at <a class="external-link" href="http://bit.ly/X4KVt1">http://bit.ly/X4KVt1</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Kumar, H., "Does India Need a National Counter Terrorism Center?", The New York Times, India Ink, February 28, 2012, available at <a class="external-link" href="http://nyti.ms/A5VU5P">http://nyti.ms/A5VU5P</a></p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. Times of India. CM to attend National Counter- Terrorism Centre Meet in Delhi. May 4, 2012, available at <a class="external-link" href="http://bit.ly/12IDoH9">http://bit.ly/12IDoH9</a>, last accessed on January 8, 2012.</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. Hickok, E., "Rethinking DNA Profiling in India", Economic Political Weekly, October 27, 2012, available at <a class="external-link" href="http://bit.ly/TUrH7j">http://bit.ly/TUrH7j</a>, last accessed on January 7, 2013.</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. Department of Information Technology, "National Population Register", available at <a class="external-link" href="http://bit.ly/12rzyOh">http://bit.ly/12rzyOh</a></p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. Pandit, A., "NPR must even if you have Aadhar number", Times of India, October 31, 2012, available at <a class="external-link" href="http://bit.ly/Y9oXGq">http://bit.ly/Y9oXGq</a>, last accessed on January 8, 2013.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/privacy-highlights-in-india'>https://cis-india.org/internet-governance/privacy-highlights-in-india</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2013-02-12T12:39:05ZBlog EntryA Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications
<b>This blog post is a comparison of the relevant Indian legislations allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently seeks to establish an international standard for surveillance of communications in the context of human rights. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: <a class="external-link" href="http://necessaryandproportionate.net/">http://necessaryandproportionate.net/</a></p>
<p>The Principles:</p>
<p style="text-align: justify; "><b>1. </b><b>Principle - Legality</b><b>:</b><i> Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India there are two predominant legislations with subsequent Rules and Licenses that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications are prescribed by law, the Rules and Licenses build off of these powers and create procedural requirements, and requirements for assistance.</p>
<li><b>The Indian Telegraph Act, 1885</b>
<ul>
<li style="text-align: justify; "> <i>The Indian Telegraph Amendment Rules 2007: </i>These<i> </i>Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL)</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Internet Services</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li><b>The Information Technology Act, 2000</b>
<ul>
<li style="text-align: justify; "><i>Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource. </li>
<li style="text-align: justify; "><i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.</li>
</ul>
</li>
</ul>
</li>
<p><i> </i></p>
<p><b>2. </b><b>Principle - Legitimate Purpose</b>:<i> Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.</p>
<p style="text-align: justify; ">Below are the circumstances for which access is allowed by each Act, Rule, and License:</p>
<li><b>The TA Rules 2007</b>: Interception is allowed in the following circumstances: <br />
<ul>
<li>On the occurrence of any public emergency</li>
</ul>
<ul>
<li>In the interest of the public safety</li>
</ul>
<ul>
<li>In the interests of the sovereignty and integrity of India</li>
</ul>
<ul>
<li>The security of the state</li>
</ul>
<ul>
<li>Friendly relations with foreign states</li>
</ul>
<ul>
<li>Public order</li>
</ul>
<ul>
<li>Preventing incitement to the commission of an offence</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>: Interception, monitoring, and decryption of communications is allowed in the following circumstances:</li>
<ul>
<li>In the interest of the sovereignty or integrity of India, </li>
<li>Defense of India</li>
<li>Security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order </li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above </li>
<li>For investigation of any offence </li>
</ul>
<li style="text-align: justify; "><b>ITA Monitoring of Traffic Data Rules:</b> Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security: </li>
<ul>
<li>Forecasting of imminent cyber incidents </li>
<li>Monitoring network application with traffic data or information on computer resources </li>
<li>Identification and determination of viruses or computer contaminant </li>
<li>Tracking cyber security breaches or cyber security incidents </li>
<li>Tracking computer resource breaching cyber security or spreading virus’s or computer contaminants </li>
<li style="text-align: justify; ">Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security. </li>
<li style="text-align: justify; ">Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.</li>
<li style="text-align: justify; ">Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.</li>
<li>Any other matter relating to cyber security. </li>
</ul>
<li><b>UASL License</b>: Assistance must be provided to the government for the following reasons and times: </li>
<ul>
<li>Reasons defined in the Telegraph Act. <b>(Section 41.20 (xix))</b></li>
<li>National Security. <b>(Section 41.20 (xvii))</b></li>
<li style="text-align: justify; ">To counteract espionage, subversive act, sabotage, or any other unlawful activity. (Section 41.1)</li>
<li style="text-align: justify; ">Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. <b>(Section 40.4)</b></li>
<li>In the interests of security. <b>(Section 41.7)</b></li>
<li>For security reasons. <b>(Section 41.20 (iii))</b></li>
</ul>
<li><b>ISP License: </b>Assistance must be provided to the government for the following reasons and times:</li>
<ul>
<li>To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 34.1)</b></li>
<li>In the interests of security. <b>(Section 34.4)</b></li>
<li>For security reasons. <b>(Section 34.28 (iii))</b></li>
<li>Reasons defined in the Telegraph Act. <b>(Section 35.2)</b></li>
</ul>
<p style="text-align: justify; "><b>3. </b><b>Principle - Necessity</b>: <i>Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation do not contain provisions mandating that access to communications must be demonstrably necessary, and do not give details of the criteria that authorizing authorities should use to determine if a request is a valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA <i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules</i>, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.</p>
<p>Below are summaries of the relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>TA Rules 2007</b>: Any order for interception issued by the competent authority must contain reasons for the direction <b>(Section 2).</b> While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means <b>(Section 3).</b></li>
<li style="text-align: justify; "><b>ITA Interception and Monitoring Rules: </b>Any direction issued by the competent authority must contain reasons for such direction <b>(Section 7). </b>The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information any other reasonable means <b>(Section 8).</b></li>
<li style="text-align: justify; "><b>ITA Traffic Monitoring Rules:</b> Any direction issued by the competent authority must contain reasons for the direction <b>(Section 3(3)).</b></li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b></li>
</ul>
<p><b>4. </b><b><i>Principle - Adequacy</i></b><i>:</i> <i>Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure. </i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are provisions that require direction for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.</p>
<p style="text-align: justify; "><b>5. </b><b>Principle - Competent Authority</b>: <i>Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation it is required that directions for access to be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.</p>
<p>Below are summaries of relevant provisions:</p>
<li style="text-align: justify; "><b>The TA Rules 2007</b>: Under the Telegraph Act the authorizing authorities are:
<ul>
<li>The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level</li>
<li>The Secretary to the State Government in charge of the Home Department in the case of the State Government. </li>
<li>In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.</li>
<li>In remote areas or for operational reasons where obtaining prior directions for interception is not feasible the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector of General Police. <b>(Section 1(2))</b>. </li>
<li><b>ITA Interception and Monitoring Rules: </b>Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
<ul>
<li>The Secretary in the Ministry of Home Affairs in case of the Central Government.</li>
<li>The Secretary in charge of the Home Department, in case of a State Government or Union Territory. </li>
<li>In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority. </li>
<li>In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the inspector General of Police or an officer of equivalent rank at the State or Union territory level. <b>(Section 3)</b>.</li>
</ul>
</li>
<li><b>ITA Monitoring and Collecting Traffic Data Rules:</b> Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
<ul>
<li>The Secretary to the Government of Indian in the Department of Information Technology under the Ministry of Communications and Information Technology. <b>(Section 2(d))</b>.</li>
<li>An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. <b>(Section 9 (2))</b>. </li>
</ul>
</li>
<li style="text-align: justify; "><b>UASL & ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.<b> </b> </li>
</ul>
</li>
<p><b> </b></p>
<p style="text-align: justify; "><b>6. </b><b>Principle - Proportionality</b>:<i> Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation. </i></p>
<p style="text-align: justify; "><b>Indian Legislation</b>: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA <i>Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA <i>Safeguards for Monitoring and Collecting Traffic Data or Information Rules</i>.</p>
<p style="text-align: justify; ">Though the above are steps to ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.</p>
<p>Below is a summary of the relevant provisions:</p>
<li><b>TA Rules 2007: </b>
<ul>
<li style="text-align: justify; ">Service providers shall destroy record pertaining to directions for interception of message within two months of discontinuing the interception. <b>(Section 19)</b>.</li>
<li style="text-align: justify; ">Directions for interception should only be issued only when it is not possible to acquire the information by any other reasonable means. <b>(Section 3)</b>.</li>
<li style="text-align: justify; ">The interception must be of a message or class of message from and too one particular person that is specified or described in the order or one particular set of premises specified or described in the order. <b>(Section 4)</b>. </li>
<li style="text-align: justify; ">The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 6)</b>.</li>
<li><b> ITA Interception and Monitoring Rules:</b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 7)</b>.</li>
<li style="text-align: justify; ">The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. <b>(Section 8)</b>.</li>
<li style="text-align: justify; ">The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. <b>(Section 9)</b>. </li>
<li style="text-align: justify; ">The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 10)</b>.</li>
</ul>
</li>
<li><b>ITA Traffic and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 3(3))</b>.</li>
<li style="text-align: justify; ">Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. <b>(Section 8)</b>.</li>
</ul>
</li>
</ul>
</li>
<p><b> </b></p>
<p style="text-align: justify; "><b>7. </b><b>Principle - Due process</b>:<i> Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.</p>
<li><b> TA Rules 2007:</b>
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
<li><b>ITA Interception and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules:</b>
<ul>
<li style="text-align: justify; ">The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>8. </b><b>Principle - User notification</b>:<i> Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.</p>
<p><i> </i></p>
<p style="text-align: justify; "><b>9. </b><b>Principle - Transparency about use of government surveillance</b>: <i>The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.</p>
<p><i> </i></p>
<p style="text-align: justify; "><b>10. </b><b><i>Principle - Oversight</i></b><i>:</i> <i>An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)</i><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are requirements for a review committee to be established.<i> </i>The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li><b>TA Rules 2007</b>:
<ul>
<li style="text-align: justify; ">A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. <b>(Section 17)</b>.<b> </b>Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. <b>(Section 2)</b>.</li>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 22)</b>. </li>
</ul>
</li>
<li><b>ITA Traffic Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 7)</b>.</li>
</ul>
</li>
</ul>
</li>
<p style="text-align: justify; "><b>11. </b><b>Principles - Integrity of communications and systems</b>: <i>It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</i></p>
<p><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA<i> Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL license, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.</p>
<p><b> </b></p>
<p>Relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007</b>: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service providers licenses depending on the nature and scale of the violation. <b>(Section 20, 20A 21, 23).</b></li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules: </b>The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 20)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules</b>: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 5&6)</b>.</li>
<li style="text-align: justify; "><b>UASL License:</b> The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. <b>(Section 39.1, Section 39.2, Section 41.4)</b>.</li>
<li style="text-align: justify; "><b>ISP License:</b> The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. <b>(Section 32.1)</b> The ISP must take all necessary steps to safeguard the privacy and confidentiality of an information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. <b>(Section 32.2</b>) The ISP must also take necessary steps to ensure that any person acting on its behalf observe confidentiality of customer information. <b>(Section 32.3)</b>.</li>
<p>Provisions requiring the provision of facilities, assistance, and retention:</p>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction <b>(Section 13(2))</b>.</li>
<li style="text-align: justify; ">If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. <b>(Section 17)</b>. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. <b>(Section 4(7))</b>.</li>
</ul>
</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation an approval of the licensor. <b>(Section 39.1)</b>. </li>
<li style="text-align: justify; ">The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security.<b>(Section 40.4)</b>.<b> </b></li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 41.11)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. <b>(Section 41.14)</b>. The database of subscribers must also be made available to the licensor or its representatives. <b>(Section 41.16)</b>.</li>
<li style="text-align: justify; ">The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. <b>(Section 41.17)</b>.</li>
<li style="text-align: justify; ">Calling Line Identification must be provided and the network should also support Malicious Call Identification.<b> (Section 41.18)</b>.</li>
<li style="text-align: justify; ">Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis <b>(Section 41.19)</b>.</li>
<li style="text-align: justify; ">Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. <b>(Section 41.19(iv))</b>.</li>
<li style="text-align: justify; ">The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. <b>(41.20 (ix))</b>.</li>
<li style="text-align: justify; ">On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. <b>(41.20 (x))</b></li>
<li style="text-align: justify; ">Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(41.20 (xiv))</b>. </li>
<li>A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. <b>(Section 41.20 (xv))</b>.</li>
<li>For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. <b>(Section 41.20 (xx))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups /organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipments higher than this limit are deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. <b>(Section 2.2(vii))</b>. </li>
<li style="text-align: justify; ">The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. <b>(Section 9.1)</b>.</li>
<li style="text-align: justify; ">The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. <b>(Section 30.1)</b>.</li>
<li style="text-align: justify; ">The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. <b>(Section 34.1)</b>.</li>
<li style="text-align: justify; ">In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used, which will be provided by the licensee. <b>(Section 34.4)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. <b>(Section 34.6)</b>.</li>
<li style="text-align: justify; ">The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date , duration, time and charges of internet telephony calls. <b>(Section 34.7)</b>.</li>
<li style="text-align: justify; ">ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. <b>(Section 34.8)</b>.<b> </b></li>
<li style="text-align: justify; ">The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 34.9)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. <b>(Section 34.12)</b>.</li>
<li style="text-align: justify; ">The list of Internet leased line customers and sub-costumers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies.<b> (Section 34.13)</b>. </li>
<li style="text-align: justify; ">Monitoring of high UDP traffic value and to check for cases where upstream UDP traffic is similar to downstream UDP traffic and monitor such customer monthly with physical verification and personal identity. <b>(Section 34.15)</b>.</li>
<li style="text-align: justify; ">The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. <b>(Section 34.22)</b>. </li>
<li style="text-align: justify; ">The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year and will be destroyed unless directed otherwise. <b>(Section 34.23)</b>.</li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
<li style="text-align: justify; ">Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. <b>(Section 34.27 (a(v))</b>.</li>
<li style="text-align: justify; ">The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. <b>(Section 34.27 (ix))</b>.</li>
<li style="text-align: justify; ">On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. <b>(Section 34.27 (x))</b>.</li>
<li style="text-align: justify; ">Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(Section 34.27 (xiv))</b>.</li>
<li style="text-align: justify; ">A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. <b>(Section 34.27 (xv))</b>.</li>
<li style="text-align: justify; ">ISPs must provide access of their network and other facilities, as well as books to security agencies. <b>(Section 34.27 (xx))</b>.</li>
</ul>
</li>
<p> </p>
<p><b> </b></p>
<p style="text-align: justify; "><b>12. </b><b>Principle - Safeguards for international cooperation</b>:<i> In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.</p>
<p>Below is a summary of the relevant provisions:</p>
<li style="text-align: justify; "><b>ITA 2000</b>: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. <b>(Section 1(2))</b> </li>
<li style="text-align: justify; "><b>UASL License:</b> The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature. <b>(section (41.20 (viii))</b></li>
<li style="text-align: justify; "><b>ISP License:</b> For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or route to any place outside of India. <b>(Section 34.28 (iii)) </b>ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature) <b>(Section 34.28 (viii))</b></li>
<p style="text-align: justify; "><b>13. </b><b><i>Principle - Safeguards against illegitimate access</i></b><i>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Though relevant Indian legislation does provide penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007:</b> The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable with penalty of imprisonment from 1 to 3 years and or a fine of rs.500 – 1000 depending on the exact violation<b>. (Section 20, 20A, 23, and 24 Indian Telegraph Act)</b>.</li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 21)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 6)</b>.</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. <b>(Section 41.20 (xix))</b>.</li>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. <b>(Section 34.28 (xix))</b>.</li>
<li style="text-align: justify; ">The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. <b>(Section 8.4)</b>.</li>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>14. </b><b><i>Principle - Cost of surveillance</i></b><b><i>:</i></b><i> The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.</p>
<p>Below are summaries of relevant provisions:</p>
<li><b>UASL License</b>:
<ul>
<li style="text-align: justify; "> Any damage arising from the failure of the service provider to provider tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service providers cost. However the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. <b>(Section 41.20 (xvi))</b>.</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. <b>(Section 34.7)</b>. </li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
</ul>
</li>
</ul>
</li>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications'>https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:40:51ZBlog EntryData Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or <i>a priori </i>data<i> </i>retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2] </a>Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:<b><span> </span></b></p>
<p><span> </span></p>
<ul>
<span> </span>
<li><span><b><span>Users and Services</span></b></span>: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><span><b><span>Outward Logins or Telnet</span></b></span>: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Packets</span>:</span></b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).</li>
</ul>
<ul>
<li><b><span><span>Subscribers</span>:</span></b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).</li>
<li style="text-align: justify; "><b><span><span>Internet Leased Line Customers</span>:</span></b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
</ul>
<ul>
<li style="text-align: justify; "><b><span><span>Diagram Records and Reasons</span>:</span></b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span><span>Commercial Records</span>:</span></span></b><span> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span><span>Location</span>:</span></span></b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).</p>
<span> </span></li>
<span> </span>
<li style="text-align: justify; "><span> </span><b><span><span><span>Remote Activities</span>:</span></span></b><span> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).</span></li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License<a href="#fn8" name="fr8">[8]</a>, <span>there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept. </span></p>
<p style="text-align: justify; "><span>According to the license, service providers must maintain and make available: </span></p>
<p style="text-align: justify; "> </p>
<ul>
<li style="text-align: justify; "><span><span><span> </span></span></span><b><span><span>Numbers</span></span><span>: </span></b><span>Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</span></li>
<li style="text-align: justify; "> <b><span><span>Interception records: </span></span></b><span>Time, date and duration of interception when required (Section 41.10).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span>All call records:</span></span></b><span> All call data records handled by the system when required (Section 41.10). This includes:</span><b><span><span><br /></span></span></b></p>
<ol>
<li><b><span><span>Failed call records:</span></span></b><span> Call data records of failed call attempts when required. (Section 41.10).</span></li>
<li><b><span><span>Roaming subscriber records</span></span></b><span>: Call data records of roaming subscribers when required. (Section 41.10)</span></li>
</ol></li>
<li style="text-align: justify; "><b><span><span>Commercial records: </span></span></b><span>All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</span></li>
<li style="text-align: justify; "> <b><span><span>Outgoing call records: </span></span></b><span>A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</span></li>
<li style="text-align: justify; "> <b><span><span>Calling line Identification:</span></span></b><span> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</span></p>
</li>
<li style="text-align: justify; "> <b><span><span>Remote access activities:</span></span></b><span><span> </span>Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section<span> </span>41.20 (xv)).</span></li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10,<sup></sup> 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices: </span></p>
<p style="text-align: justify; "> </p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li style="text-align: justify; "><span><span> </span>IP session information - connection start end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least () types of information including:</p>
<p></p>
<p> </p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.<span> </span></span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level.<span> </span>If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:</span></p>
<p></p>
<ul>
<li><span><span><span> </span></span></span><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated </span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
</ul>
<ul>
<li><span><span><span> </span></span></span><span>Any access to preserved records that do not pertain to an investigation must be deleted </span></li>
</ul>
<p></p>
<p> </p>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place. </span></p>
<p></p>
<ul>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>].<span><span><span> </span></span></span>European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21st 2013<br />[<a href="#fr2" name="fn2">2</a>].Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a><a href="http://europa.eu/rapid/press-release_IP-12-530_en.htm"></a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last Accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:51:13ZBlog EntryDraft International Principles on Communications Surveillance and Human Rights
https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights
<b>These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles. </b>
<hr />
<p>The principles are still in draft form. The most recent version can be accessed <a class="external-link" href="http://necessaryandproportionate.net">here</a>. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.</p>
<p style="text-align: justify; ">These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.</p>
<p style="text-align: justify; "><b>Preamble</b><br />Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.<a href="#fn2" name="fr2">[2]</a> Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. <a href="#fn5" name="fr5">[5]</a> When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. <a href="#fn6" name="fr6">[6]</a> Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.</p>
<p style="text-align: justify; ">It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:</p>
<ol>
<li style="text-align: justify; ">Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.</li>
<li style="text-align: justify; ">Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media. </li>
</ol>
<p style="text-align: justify; ">We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.</p>
<p style="text-align: justify; ">These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.<a href="#fn7" name="fr7">[7]</a> Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,<a href="#fn8" name="fr8">[8]</a> we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.</p>
<p><b>The Principles</b></p>
<p style="text-align: justify; "><b>Legality</b>: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</p>
<p style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.</p>
<p style="text-align: justify; "><b>Due process</b>: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.<a href="#fn9" name="fr9">[9]</a>While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life. <a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; "><b>User notification</b>: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</p>
<p style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. <a href="#fn11" name="fr11">[11]</a></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, <i>a priori</i> data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.</p>
<p style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</p>
<p><b>Signatories</b></p>
<p><b>Organisations</b></p>
<ul>
<li>Article 19 (International)</li>
<li>Bits of Freedom (Netherlands)</li>
<li>Center for Internet & Society India (CIS India)</li>
<li>Derechos Digitales (Chile)</li>
<li>Electronic Frontier Foundation (International)</li>
<li>Privacy International (International)</li>
<li>Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)</li>
<li>Statewatch (UK)</li>
</ul>
<p><b>Individuals</b></p>
<ul>
<li>Renata Avila, human rights lawyer (Guatemala)</li>
</ul>
<hr />
<p><b>Footnotes</b></p>
<ol>
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance<br />[<a href="#fr2" name="fn2">2</a>]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.<br />[<a href="#fr3" name="fn3">3</a>]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at <a href="http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf">http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf</a>. See also General Comments No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at <a href="http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument">http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument</a>.<br />[<a href="#fr4" name="fn4">4</a>]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.<br />[<a href="#fr5" name="fn5">5</a>]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011.<br />[<a href="#fr6" name="fn6">6</a>]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at <a href="http://www2.technologyreview.com/article/409598/tr10-reality-mining/">http://www2.technologyreview.com/article/409598/tr10-reality-mining/</a> and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.<br />[<a href="#fr7" name="fn7">7</a>]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf">http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf</a><br />[<a href="#fr8" name="fn8">8</a>]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See <a href="http://www.globalnetworkinitiative.org/">http://www.globalnetworkinitiative.org/</a><br />[<a href="#fr9" name="fn9">9</a>]As defined by international and regional conventions mentioned above.<br />[<a href="#fr10" name="fn10">10</a>]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.<br />[<a href="#fr11" name="fn11">11</a>]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See <a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx">http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx</a>. The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it is does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See <a href="http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top">http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top</a>.</p>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights'>https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights</a>
</p>
No publisherelonnaiSAFEGUARDSInternet GovernancePrivacy2013-07-12T15:55:45ZBlog EntryState Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications meta data to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments is rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a><a href="http://necessaryandproportionate.net/">.</a></p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute. <b> </b></p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.<b> </b></p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes. <b> </b></p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority. <b> </b></p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose. <b> </b></p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.<b> </b></p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information. <b> </b></p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The governments ability to survey communications and the process for surveillance should be transparent to the public. <b> </b></p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications. <b> </b></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications securely, governments cannot require service providers to build in surveillance or monitoring capabilities.<b> </b></p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply. <b> </b></p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications. <b> </b></p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from the data, the ease that law enforcement is accessing the data, and the unawareness of the individual about the access- places the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">Ways in which governments and law enforcement access information and associated challenges was discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that in traditional forms of accessing data governments are no longer effective for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows for ISP's to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISP's to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; "><a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>].Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisherelonnaiInternet GovernanceSAFEGUARDS2013-07-12T16:02:51ZBlog EntryInternet-driven Developments — Structural Changes and Tipping Points
https://cis-india.org/internet-governance/blog/internet-driven-developments
<b>A symposium on Internet Driven Developments: Structural Changes and Tipping Points was held in Cambridge, Massachusetts at Harvard University from December 6 to 8, 2012. The symposium was sponsored by the Ford Foundation and the MacArthur Foundation and was hosted by the Berkman Center for Internet & Society. In this blog post, I summarize the discussions that took place over the two days and add my own personal reflections on the issues.
</b>
<p style="text-align: justify; ">The symposium served as an inaugural event for the <i>Global Network of Interdisciplinary Centers</i>, which currently includes as its members:</p>
<ul>
<li>The Berkman Center for Internet and Society at Harvard University</li>
<li>The Alexander von Humboldt Institute for Internet & Society</li>
<li>The Centre for Internet and Society, Bangalore </li>
<li>The Center for Technology & Society at the Fundacao Getulio Vargas Law School, Keio University</li>
<li>The MIT Media Lab and its Center for Civic Media</li>
<li>The NEXA Center for Internet & Society at Politicnico di Torino. </li>
</ul>
<p style="text-align: justify; ">Individuals and researchers from the Centers focused on understanding the effects of internet and society. The participants were brought together to explore the past, present, and future tipping points of the internet, to identify knowledge gaps, and to find areas of collaboration and future action between institutes and individuals. Specifically, the symposium set out to examine fundamental questions about the internet, identify structural changes that are occurring because of the internet, and the forces that are catalyzing these changes. Questions asked and discussed included:</p>
<ul>
<li>What forces are changing production and service models? </li>
<li>What forces are influencing entrepreneurship and innovation? and </li>
<li>What forces are changing political participation?</li>
</ul>
<h2 style="text-align: justify; ">Production and Service Models</h2>
<h3>Discussion</h3>
<p style="text-align: justify; ">When participants discussed the changes that are happening to production and service models, concepts such as big data, algorithms, peer based models of production, and intermediaries were identified as actors and tools that are driving change in production and service models in the context of the internet. For example, big data and algorithms are being used to alter the nature, scope, and reach of business by allowing for the personalization and customization of services. To this end, many organizations have incorporated customer participation into business models, and provide platforms for feedback and input. The personalization of services has placed greater emphasis on the voice of the customer, allowing customers to guide and influence business by voicing preferences, satisfaction levels, etc. In this way, consumers can determine what type of service they want, and can also make political statements through their choices and feedback. In the process, however, such platforms generate and depend on large amounts of data and thus raise concerns about privacy.</p>
<p style="text-align: justify; ">Knowledge gaps that were identified during the conversation included how to predict what would make a participatory platform and peer based model successful, and how these platforms can be effectively researched. When looking at big data, a knowledge gap that was identified included how to ensure that data are collected ethically and accurately, as well as the related question: once large data sets are collected, how can the data be analyzed and used in a meaningful way?</p>
<p style="text-align: justify; ">There was also discussion about the increasingly critical and powerful role that intermediaries serve within the scope of the internet as they act as the platform provider and regulator for internet content. Intermediaries both allow for content to be posted on the internet, and determine what information is accessed through the filtering of web searches. Increasingly, governments are seeking to regulate intermediaries and create strict rules of compliance with governmental mandates. At the same time governments are placing the responsibility and liability of regulating what content is posted on internet on intermediaries, essentially placing them in the role of an adjudicator. This is one example of how the relationship between the private sector, the government, and the individual is changing, because it is only recently that private intermediaries have been held responsible first to governments, and only secondarily to customers.</p>
<p style="text-align: justify; ">Knowledge gaps identified in the discussion on intermediaries included understanding and researching how intermediaries decide to filter content found through searches. On what basis is each filter done? Are there actors influencing this process? And what are the economics behind the process?</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">When reflecting on how the internet is changing and influencing the production of goods and services, I personally would add to the points discussed in the meeting the fact that the internet has also impacted the job economy. Reports show that jobs in the extraction and manufacturing sector are decreasing, as the internet has created a mandatory new tech oriented skill set that often outweighs the need for other skill sets. This change is far reaching as the job economy influences what skills students choose to learn, why and for what purposes individuals migrate across borders for employment, and in what industries governments invest money towards domestic development. In addition to changing the nature of skills in demand, the nature of the services themselves is changing. Though services are becoming more personalized and tailored to the individual, this personalization is automated, and replacing the ‘human touch’ that was once prized in business. Whether customers care if the service they are given is generated by an algorithm or delivered by an individual may depend on a person’s preference, but the European Union has seen this shift as being significant enough to address automated decision making in Article 15 of the EU directive, which provides individuals the right to not be subject to a decision which legally impacts him/her which is based only on automated processing of data. This directive encompasses decisions such as evaluation of a person’s performance at work, creditworthiness, reliability, conduct, etc.</p>
<p style="text-align: justify; ">The internet has also increased the cost of small mistakes made by businesses, as any mistake will now potentially impact millions of customers. The impact of any mistake makes risk management much more important and difficult, as businesses must seek to anticipate and mitigate any and all mistakes. The internet has also created a new level of dependency on the network, as businesses shift all of their services and functions over to the internet. Thus, if the network goes down, businesses will lose revenue and customers. This level of dependency on the network that exists today is different from past reliance’s on technology — in the sense that in the past there was not one single type of technology that would be essential for many businesses to run. The closest analogue was transportation: if trucks, trains, or ships were unavailable, multiple industries would be impacted. The difference is that those who relied on rail could shift temporarily to ships or trucks. Those relying on the network have no alternatives. Furthermore, past technologies were constantly evolving in the resources they depended on — from coal to gas, etc, but for the internet, it seems that the resource is not evolving, so much as expanding as increased bandwidth and connectivity are the solution to allowing technological evolution and innovation through the internet.</p>
<p style="text-align: justify; ">As discussed above, intermediaries are becoming key and powerful players, but they also seem to be increasingly placed between a rock and a hard place, as governments around the world are asking national and multinational intermediaries to filter content that violates national laws in one context, but not another context. Furthermore, intermediaries are increasingly being asked to comply with law enforcement requests for access to data that is often not within the jurisdiction of the requesting country. The difficult position intermediaries are placed in demonstrates how the architecture of the internet is borderless but the regulation and use of the internet is still tied to borders and jurisdiction.</p>
<h2 style="text-align: justify; ">Entrepreneurship and Innovation</h2>
<h3>Discussion</h3>
<p style="text-align: justify; ">When discussing entrepreneurship and innovation it was pointed out by participants that grey markets and market failures are important indicators for possibilities of new business models and forms of innovation. Because of that, it is important to study what has failed and why when identifying new possibilities and trends. The importance of policies and laws that allow for innovation and entrepreneurship was also highlighted.</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">When thinking about entrepreneurship and innovation on the internet and forces driving them, it seems clear that tethering, conglomerating, and organizing information from multiple sources is one direction that innovation is headed. Services are coming out that have the ability to search the internet based on individual preferences and provide more accurate data quickly. This removes the need for individuals to search the internet at length to find the information or products they want. Along the same lines, it seems that there is a greater trend towards personalization. Services are finding new and innovative ways to bring individuals customized products. Another trend is the digitization of all services — from moving libraries online, to bookstores online, to grocery stores online. Lastly, there is a constant demand for new applications to be developed. These can range from applications enabling communication through social networking, to applications that act as personal financial consultants, to applications that act as personal trainers. The ability for concepts, trends, etc to go viral on the internet has also added another dimension to entrepreneurship and innovation as any individual can potentially become successful by something going viral. The ability for something to go viral on the internet does not just impact entrepreneurship and innovation, but also impacts political participation and production and service models.</p>
<h2 style="text-align: justify; ">Political Participation</h2>
<p style="text-align: justify; ">Discussions also centered on how political participation is changing as the internet is being used as a new platform for participation. For example, it is now possible for individuals to leverage their voice and message to local and global communities. Furthermore, this message can be communicated on a seemingly personal scale. Individuals from one community are able to connect to communities from another location — both local and abroad, and to work together to catalyze change. Messages and communications can be spread easily to millions of people and can go viral. This ability has changed and created new public spheres, where anyone can contribute to a dialogue from anywhere. Empowerment is shifting as well, because the internet allows for new power structures to be created by any actor who knows how to leverage the network. These factors allow for more voices to be heard and for greater citizen participation. The role of the youth in political movements was also emphasized in the discussions. On the other hand governments have responded by more heavily regulating speech and content on the internet when dissenting voices and campaigns are seen as a threat. It was also brought out that though emerging forms of online political participation have been heralded by many for achievements such as facilitating democracy, transparency, and bringing a voice to the silenced — many have warned that analysis of these political forms of participation overlook individual contributions and time. Other critiques that were discussed included the fact that digital revolutions also exclude individuals who do not have access to the internet or to platforms/applications and overlook actions and movements that take place offline.</p>
<p style="text-align: justify; ">Knowledge gaps that were identified included understanding the basics of the change that is happening in political participation through the internet. For example, it is unclear who the actors are that determine the conditions and scope for these changes, and like participatory forms of business, what enables and mobilizes change. Furthermore, it is unclear who specifically benefits from these changes and how, and who participates in the changes — and in what capacity. Additionally, much of the change has been quantified in the dialogue of the ‘global’ — global voices, global movements — but that dialogue ignores the local.</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">In addition to the discussions on political participation, I believe the internet has created the possibility for ‘social governance’. To address situations in which there is no particular law against an action, but individuals come together and speak out against actions that they see on the internet that they believe should be stopped or changed. Depending on the extent individuals choose to enforce these decisions, this can be potentially dangerous as individuals are essentially rewriting laws and social norms without subjecting them to the crucible of consensus decision-making or review. In addition, forms of political participation are not changing just in terms of how the individual engages politically with states and governments, but also in the ways that politicians are engaging with citizens. For example, politicians are using Facebook and Twitter as means to communicate and gather feedback from supporters. Politicians are also using technology to reach more individuals with their messages — from experimenting with 3D holograms, to web casting, to using technology like CCTV cameras to prove transparency. The impact of this could be interesting, as technology is becoming a mediating tool that works in both directions between citizens and governments. Is this changing the traditional understandings of the State and the relationship between the State and the citizen?</p>
<h2>Conclusion and ways forward</h2>
<p style="text-align: justify; ">The discussions also pulled out dichotomies that apply to the internet and illustrate tensions arising from different forces. These dichotomies can be shaped by individuals and actors attempting to regulate the internet, as for example with new models of regulation vs. old models of regulation, private vs. public, local vs. global, owned vs. unowned, and zoned vs. unzoned. These dichotomies can be shaped by how the internet is used. For example, fair vs. unfair, just vs. unjust, represented vs. silenced, and uniform vs. diverse.</p>
<p style="text-align: justify; ">Common questions being asked and areas for potential research that came out of these discussions included information communication and media, how to address different and at times contradictory policies and levels of development in different countries, and what is the impact of big data on different sectors and industries like e-health and journalism? What is the importance of ICT in creating economic progress? How is the Internet changing the nature of democracy?</p>
<p style="text-align: justify; ">When discussing ways forward and areas for future collaboration it was brought out that exploring ways to leverage open data, ways to effectively use and build off of perspectives and experiences from other contexts and cultures, and ways to share resources across borders including funding, human presence, and expertise were important questions to answer. Common challenges that were identified by participants ranged from cyber security and the rise of state and non-state actors in cyber warfare, finding adequate funding to support research, sustaining international collaborations, ensuring that research is meaningful and can translate into useful resources for policy and law makers, and ensuring that projects are designed with a long-term objective and vision in mind.</p>
<p style="text-align: justify; ">The discussions, presentations, and contributions by participants during the two day symposium were interesting and important as they demonstrated just how multi-faced the internet is, and how it is never one dimensional. How the internet is researched, how it is used, and how it is regulated will be constantly changing. Whether this change is a step forward, or a re-invention of what has already been done, is up to all who use the internet including the individual, the corporation, the researcher, the policy maker, and the government.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/internet-driven-developments'>https://cis-india.org/internet-governance/blog/internet-driven-developments</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-12-28T15:34:51ZBlog Entry