Blog

by kaeru — last modified Mar 25, 2013 11:14 AM

Consultation Paper on Media Law

by Prasad Krishna last modified Sep 30, 2014 06:47 AM

PDF document icon Consultation Paper on Media Law.pdf — PDF document, 385 kB (394966 bytes)

Overview of Responses

by Prasad Krishna last modified Sep 30, 2014 06:49 AM

PDF document icon (National Consultation on Media Law)- Overview of Responses.pdf — PDF document, 453 kB (464301 bytes)

List of Useful Sources

by Prasad Krishna last modified Sep 30, 2014 06:51 AM

PDF document icon (National Consultation on Media Law)- List of Useful Sources.pdf — PDF document, 271 kB (277547 bytes)

Big Data and Positive Social Change in the Developing World: A White Paper for Practitioners and Researchers

by Nishant Shah last modified Oct 01, 2014 03:52 AM
I was a part of a working group writing a white paper on big data and social change, over the last six months. This white paper was produced by a group of activists, researchers and data experts who met at the Rockefeller Foundation’s Bellagio Centre to discuss the question of whether, and how, big data is becoming a resource for positive social change in low- and middle-income countries (LMICs).
Big Data and Positive Social Change in the Developing World: A White Paper for Practitioners and Researchers

Participants at the Rockefeller Foundation Bellagio Centre conference, May 2014


Bellagio Big Data Workshop Participants. (2014). “Big data and positive social change in the developing world: A white paper for practitioners and researchers.” Oxford: Oxford Internet Institute. Available online: http://ssrn.com/abstract=2491555.

Summary

Our working definition of big data includes, but is not limited to, sources such as social media, mobile phone use, digitally mediated transactions, the online news media, and administrative records. It can be categorised as data that is provided explicitly (e.g. social media feedback); data that is observed (e.g. mobile phone call records); and data that is inferred and derived by algorithms (for example social network structure or inflation rates). We defined four main areas where big data has potential for those interested in promoting positive social change: advocating and facilitating; describing and predicting; facilitating information exchange and promoting accountability and transparency.

In terms of advocating and facilitating, we discussed ways in which volunteered data may help organisations to open up new public spaces for discussion and awareness-building; how both aggregating data and working across different databases can be tools for building awareness, and howthe digital data commons can also configure new communities and actions (sometimes serendipitously) through data science and aggregation. Finally, we also looked at the problem of overexposure and howactivists and organisations can protect themselves and hide their digital footprints. The challenges we identified in this area were how to interpret data correctly when supplementary information may be lacking; organisational capacity constraints around processing and storing data, and issues around data dissemination, i.e. the possible negative consequences of inadvertently identifying groups or individuals.

Next, we looked at the way big data can help describe and predict, functions which are particularly important in the academic, development and humanitarian areas of work where researchers can combine data into new dynamic, high-resolution datasets to detect new correlations and surface new questions. With data such as mobile phone data and Twitter analytics, understanding the data’s comprehensiveness, meaning and bias are the main challenges, accompanied by the problem of developing new and more comprehensive ethical systems to protect data subjects where data is observed rather than volunteered.

The next group of activities discussed was facilitating information exchange. We looked at mobile-based information services, where it is possible for a platform created around a particular aim (e.g. agricultural knowledge-building) to incorporate multiple feedback loops which feed into both research and action. The pitfalls include the technical challenge of developing a platform which is lean yet multifaceted in terms of its uses, and particularly making it reliably available to low-income users. This kind of platform, addressed by big data analytics, also offers new insights through data discovery and allows the provider to steer service provision according to users’ revealed needs and priorities.

Our last category for big data use was accountability and transparency, where organisations are using crowdsourcing methods to aggregate and analyse information in real time to establish new spaces for critical discussion, awareness and action. Flows of digital information can be managed to prioritise participation and feedback, provide a safe space to engage with policy decisions and expose abuse. The main challenges are how to keep sensitive information (and informants) safe while also exposing data and making authorities accountable; how to make the work sustainable without selling data, and how to establish feedback loops so that users remain involved in the work beyond an initial posting. In the crowdsourcing context, new challenges are also arising in terms of how to verify and moderate real-time flows of information, and how to make this process itself transparent.

Finally, we also discussed the relationship between big and open data. Open data can be seen as a system of governance and a knowledge commons, whereas big data does not by its nature involve the idea of the commons, so we leaned toward the term ‘opening data’, i.e. processes which could apply to commercially generated as much as public-sector datasets. It is also important to understand where to prioritise opening, and where this may exclude people who are not using the ‘right’ technologies: for example, analogue methods (e.g. nailing a local authority budget to a town hall door every month) may be more open than ‘open’ digital data that’s available online.

Our discussion surfaced many questions to do with representation and meaning: must datasets be interpreted by people with local knowledge? For researchers to get access to data that is fully representative, do we need a data commons? How are data proprietors engaging with the power dynamics and inequalities in the research field, and how can civil society engage with the private sector on its own terms if data access is skewed towards elites? We also looked at issues of privacy and risk: do we need a contextual risk perspective rather than a single set of standards? What is the role of local knowledge in protecting data subjects, and what kinds of institutions and practices are necessary? We concluded that there is a case to be made for building a data commons for private/public data, and for setting up new and more appropriate ethical guidelines to deal with big data, since aggregating, linking and merging data present new kinds of privacy risk. In particular, organisations advocating for opening datasets must admit the limitations of anonymisation, which is currently being ascribed more power to protect data subjects than it merits in the era of big data.

Our analysis makes a strong case that it is time for civil society groups in particular to become part of the conversation about the power of data. These groups are the connectors between individuals and governments, corporations and governance institutions, and have the potential to promote big data analysis that is locally driven and rooted. Civil society groups are also crucially important but currently underrepresented in debates about privacy and the rights of technology users, and civil society as a whole has a responsibility for building critical awareness of the ways big data is being used to sort, categorise and intervene in LMICs by corporations, governments and other actors. Big data is shaping up to be one of the key battlefields of our era, incorporating many of the issues civil society activists worldwide have been working on for decades. We hope that this paper can inform organisations and
individuals as to where their particular interests may gain traction in the debate, and what their contribution may look like.


Click to download the full white paper here. (PDF, 1.95 Mb)

Big Data and Positive Social Change in the Developing World

by Prasad Krishna last modified Oct 01, 2014 03:49 AM

PDF document icon BigDataSocialChange.pdf — PDF document, 2004 kB (2052814 bytes)

CIS@IGF 2014

by Geetha Hariharan last modified Oct 08, 2014 10:31 AM
The ninth Internet Governance Forum (“IGF2014”) was hosted by Turkey in Istanbul from September 2 to 5, 2014.

A BestBits pre-event, which saw robust discussions on renewal of the IGF mandate, the NETmundial Initiative and other live Internet governance processes, flagged off a week of many meetings and sessions. At IGF2014, the ICANN-led processes of IANA transition and ICANN accountability found strong presence. Human rights online, access and net neutrality were also widely discussed. Centre for Internet and Society, India participated in multiple workshops and panels.

Workshops and Panel Discussions

WS206: An evidence-based framework for intermediary liability
CIS organized a workshop on developing an evidence-based framework for intermediary liability in collaboration with the Stanford Center for Internet and Society.  By connecting information producers and consumers, intermediaries serve as valuable tool for growth and innovation, and also a medium for realisation of human rights. The workshop looked to a concerted approach to understanding intermediaries’ impact on human rights demands our urgent attention. Jyoti Panday of CIS was contributed to the workshop’s background paper and organisation. Elonnai Hickok of CIS was a speaker.  At this workshop, a zero-draft of international principles for intermediary liability was released. The zero-draft is the interim outcome of an ongoing, global intermediary liability project, undertaken by CIS in collaboration with Article 19 and Electronic Frontier Foundation. See the video.

WS112: Implications of post-Snowden Internet localization proposals
Organised by ISOC and Center for Democracy and Technology, this panel questioned the distinctions between Internet-harmful and Internet-beneficial Internet and data localization. As a speaker at this workshop, Sunil Abraham of CIS identified state imperatives for Internet localization, such as taxation, network efficiency and security. See video.

WS63: Preserving a universal Internet: Costs of fragmentation
Internet and Jurisdiction Project organized this workshop to explore potential harms to Internet architecture, universality and openness as a result of Internet balkanisation. Sunil Abraham was one of the speakers.

WS2: Mobile, trust and privacy
Organised by GSMA, this panel discussed methods, benefits and harms of use of mobile transaction generated information and data. Sunil Abraham was a speaker. See video.

WS188: Transparency reporting as a tool for Internet governance
This GNI workshop examined transparency reporting by Internet intermediaries and companies, and sought to identify its strengths and shortcomings as a tool for Internet governance. Pranesh Prakash of CIS was a speaker. See video.

WS149: Aligning ICANN policy with the privacy rights of users
This Yale ISP panel examined ICANN’s obligations for data protection, in light of international standards and best practices. This discussion is particularly relevant as ICANN’s WHOIS policy, Registrar Accreditation Agreement, and other policies have attained the status of a global standard for the handling of personal data. Pranesh Prakash moderated this panel.

Other Participation

Launch of the GISWatch Report

Association for Progressive Communications (APC) and the Humanist Institute for Cooperation with Developing Countries (Hivos) released the Global Information Society Watch Report (GISWatch) on national and global mass surveillance. The report “explores the surveillance of citizens in today's digital age by governments with the complicity of institutions and corporations”. Elonnai Hickok of CIS contributed a thematic chapter on Intermediary Liability and Surveillance to this report.

WSIS +10 High Level Event: Open Consultation Process Multistakeholder Preparatory Platform: Phase Six: Fifth Physical Meeting

by Jyoti Panday last modified Oct 12, 2014 05:31 AM
The fifth physical meeting of the Multistakeholder Preparatory Platform (MPP-WSIS+10), was held from 28-31 May 2014 in Geneva as part as part of the sixth phase of the WSIS +10 High Level Event Open Consultation process. The meeting was aimed at developing draft agreed texts for the WSIS+10 Statement on Implementation on WSIS Outcomes and the Vision Beyond 2015.

Stakeholders including governments, private sector, civil society and international organizations participated in the meeting, which was chaired by Prof. Dr. V.Minkin (Russian Federation), Chairman of the Council Working Group on WSIS and the Vice Chairs of the meeting were Egypt, Switzerland and Saudi Arabia.

ITU Deputy Secretary General, Mr Houlin Zhao highlighted that WSIS+10 High Level Event as a joint effort of the UN family and re-emphasized on the commitment and hard work from all UN Agencies and the Secretariat that has processed up to 500 contributions till date. He further reiterated that this preparatory process builds upon several inputs including deliberations at WSIS Forums (2012 and 2013), WSIS+10 Visioning Challenge Initiative, 2013 WSIS+10 Multistakeholder Meeting in Paris, as well as outcomes of ITU Regional Development Forums held in six regions and led by BDT. Almost 500 multistakeholder contributions were processed by secretariat up to now.

Mr. C.Wachholz representing UNESCO and Ms. M. Kultamaa representing the CSTD Secretariat underlined the importance of the process being an important effort leading towards the Overall Review of the implementation of the WSIS outcomes by 2015. Ms. Kultamaa informed the meeting on the status of the discussions taking place at the UN General Assembly regarding the modalities of the Overall Review. She underlined that for the time being there is no consensus and discussions on this subject will continue.It is important to note that all UN organizations serve as secretariat to the preparatory process which is being coordinated by the ITU. All the Action Line Facilitators including, ITU, UNESCO, UNCTAD, UNDP, UNDESA, WMO, UNEP, WHO, UPU, ITC, ILO, FAO, and UN Regional Commissions,as well as WIPO, UN Women contributed towards the development of the Action line documents in the Vision, within their respective mandates. The meeting concluded with final agreed drafts for the WSIS+10 Statement and final agreed draft for WSIS+10 Vision Chapter A and B, with some pending issues in C.

Jyoti Panday representing CIS, participated in the meeting and intervened in the negotiations over the final agreed text. CIS made interventions on text related to increasing women's participation, freedom of expression, media rights, data privacy, network security and human rights. CIS also endorsed text on action line 'Media' which reaffirmed commitment to freedom of expression, data privacy and media rights offline and online including protection of sources, publishers and journalists.

WSIS+10 Statement on the Implementation of WSIS Outcomes

Ø Preamble, Chapter A (Agreed)

Ø Overview of the implementation of Action Lines, Chapter B (Agreed)

Ø Challenges-during implementation of Action Lines and new challenges that have emerged, Chapter C (Agreed)

WSIS+10 Vision for WSIS beyond 2015

Ø Preamble, Chapter A (Agreed)

Ø Priority areas to be addressed in the implementation of WSIS Beyond 2015, Chapter B (Agreed)

Ø Action Lines, Chapter C

С1. The role of public governance authorities and all stakeholders in the promotion of ICTs for development (Agreed)

С2. Information and communication infrastructure (Agreed)

C3. Access to information and knowledge (Agreed)

C4. Capacity building (Agreed)

C5. Building confidence and security in the use of ICTs (pending para g)

g) Continue to promote greater cooperation [among the governments and all other stakeholders,] at the United Nations andwith all stakeholders at all other appropriate forafora, respectively at the national, regional and international levels to enhance user confidence, build trust,and protect both data and network integrity as well as consider existing and potential threats to ICTs ; and address other information security and network security issues.]

Alt 1 : [ Continue to promote cooperation [among the governments [at the United Nations ]and with all other stakeholders at the United Nations and other appropriate forafor a] to enhance user confidence, build trust, and protect both data, and network integrity and critical infrastructures; consider existing and potential threats to ICTs; security in the use of ICTs and address other information security and network security issues, while stressing the need to address [cybercrime and]cybersecurity issues. at appropriate forums, together with all stakeholdersncluding cybersecurity, [and cybercrime]]

Alt 2 : [Continue to promote cooperation among the governments at the United Nations and other international organizations and with all other stakeholders at all appropriate fora to enhance user confidence, build trust, protect data, network integrity and critical infrastructures; consider existing and potential threats to ICTs; security in the use of ICTs [and address other information security ]and network security issues, while stressing the need to address cybersecurity issues. ]

Alt 3: [Continue to promote cooperation among the[ governments [at the United Nations]] and with all other stakeholders at other the United Nations and other appropriate fora to enhance user confidence, build trust, and protect both data and network integrity and critical infrastructure; consider existing and potential threats to ICTs; security in the use of ICTs and address other [information security] and network security issues, while stressing the need to address cybercrime and cybersecurity issues. [at appropriate forums, together with all stakeholders], including cybersecurity, [and cybercrime]]

[including cybercrime] [including cybercrime and cybersecurity .][ including ICT aspects of cybercrime and cybersecurity]

[Cybercrime [and cybersecurity] should continue to be dealt with,[at the United Nations and other appropriate fora] [in appropriate forums , ]

C6. Enabling environment (Agreed)

C7. ICT Applications: (Agreed)

E-government

E-business

E-learning

E-health

E-employment

E-environment

E-agriculture

E-science

C8. Cultural diversity and identity, linguistic diversity and local content (agreed but pending para f)

f) [Reinforce [and [enhance] implement at the national level] the recommendations concerning the promotion and use of multilingualism [and universal access to cyberspace]].

C9. Media (meeting has developed three proposals that were requested to be reflected in the documents in a table format)

Discussion at the MPP Plenary meeting:

UK proposal, discussed with and supported by: Sweden, Australia, Spain, Germany, UNESCO, European Broadcasting Union, Switzerland, APIG, Centre for Internet and Society (India), Austria, Tunisia, IDEA, Cisco Systems, Mexico, United States, Japan, Canada, ICC BASIS, Intel, Internet Society, Health and Environment Program (HEP), Netherlands, and Microsoft.

It was later supported by The Center for Democracy & Technology, Hungary, Czech Republic. International Federation of Library Associations, Portugal, Association for Progressive Communications, auDA (the ccTLD manager for Australia), Finland, Internet Democracy Project (India)

Proposal: Rwanda and Russia

Media will benefit from the broader and expanded role of ICTs that can enhance media’s contribution to the development goals of the post-2015 Sustainable Development Agenda.

[The principles of freedom of expression and the free flow of information, ideas and knowledge are essential for the information and knowledge societies and beneficial to development with recognizing that the same rights that people have offline must also be protected online, including the right to privacy.]

Media will benefit from the broader and expanded role of ICTs that can enhance media's contribution to the development goals of the post-2015 Sustainable Development Agenda. The right to freedom of expression and the free flow of information, ideas and knowledge, and the protection of privacy, are essential for the information and knowledge societies and beneficial to development. The same rights that people have offline must also be protected online.

We reaffirm the continued relevance of all issues highlighted under action line C9 on Media (Geneva 2003) and the need for continued implementation of this action line.

1. 1. [Develop and update national ICT-Media legislation that guarantees the independence, objectivity, social responsibility, neutrality and plurality of the media according to international standards as well as the domestic needs.]

1. Develop and update national ICT-Media legislation that guarantees the independence, diversity and plurality of the media according to international standards.

2. [Continue to take appropriate measures — consistent with [international law][freedom of expression]— to combat illegal [content and to protect vulnerable groups , in particular children, from harmful content in media content] and harmful media content.]

2. Continue to take appropriate measures, consistent with international human rights law, to combat illegal media content.

3. Ensure that women and men equally access, participate and contribute to the media sector, including to decision-making processes.

Alt: Work towards ensuring that women and men equally access, participate and contribute to the media sector, including to decision-making processes.

Alt: Encourage that women and men access, participate and contribute on equal basis to the media sector, including to decision-making processes.

[Alt: [Encourage][Ensure] [Strive] [ to leverage the potential of ICTs] to provide full and effective [equal ]opportunities to women and men to access, participate and contribute to the media sector, [including to decision-making processes]]

3. Encourage equal opportunities and the active participation of women in the media sector.

4. [Continue to encourage [independent] tradition [neutral, objective, responsible] nal media to bridge the knowledge divide and to facilitate [the freedom of expression] the flow of cultural content, particularly in rural and remote areas.]

4. Continue to encourage traditional media to bridge the knowledge divide and to facilitate the flow of cultural content, particularly in rural areas.

5. Encourage online and offline mass media to play a more substantial role in capacity building for the information society.

5. Ensure the [safety[ and responsibility] of all journalists and media workers [and their accountability], [taking into account the provisions of article 19 of the International Convention on Civil and Political Rights (ICCPR)]. ,[ including [bloggers] social media producers, and their sources and facilitate the implementation of the UN Plan of action on the safety of journalists and the issue of impunity.]

[To ensure the safety of journalists and address the issue of impunity in accordance to UNGA Resolution (A/RES/68/163)]

6. Ensure the safety of all journalists and media workers, including social media producers and bloggers, and their sources and facilitate the implementation of the UN Plan of Action on the safety of journalists and address the issue of impunity

6. We reaffirm our commitment to the principles of freedom of the press and freedom of information, as well as those of the independence, pluralism and diversity of media, which are essential to the Information Society. Freedom to seek, receive, impart and use information for the creation, accumulation and dissemination of knowledge is important to the Information Society. We call for the responsible use and treatment of information by the media in accordance with the highest ethical and professional standards. Traditional media in all their forms have an important role in the Information Society and ICTs should play a supportive role in this regard. Diversity of media ownership should be encouraged, in conformity with national law, and taking into account relevant international conventions. We reaffirm the necessity of reducing international imbalances affecting the media, particularly as regards infrastructure, technical resources and the development of human skills.

C10. Ethical dimensions of the Information Society (Agreed)

C11. International and regional cooperation (Agreed)

The Chapter C, Part III: The paras highlighted in yellow below did not receive consensus.

III [Action Lines beyond 2015: Looking to the Future

[We reaffirm that effective cooperation among governments, private sector, civil society and the United Nations and other international organizations, according to their different roles and responsibilities and leveraging on their expertise, is essential, taking into account the multifaceted nature of building the Information Society.]

[We emphasize great importance of continuation of the multistakeholder implementation at the international level, following the themes and action lines in the Geneva Plan of Action, and moderated/facilitated by UN agencies. The coordination of multistakeholder implementation activities would help to avoid duplication of activities. This should include, inter alia, information exchange, creation of knowledge, sharing of best practices, and assistance in developing multi-stakeholder and public-private partnerships.]

[We reaffirm importance of the United Nations Group on the Information Society (UNGIS) created by the UN-Chief Executives Board (CEB) upon guidance by Tunis Agenda (Para 103), as an efficient and effective inter-agency mechanism with the main objective to coordinate substantive and policy issues facing the United Nations’ implementation of the outcomes of the World Summit on the Information Society (WSIS).](HEP – delete)

We welcome holding of the annual WSIS Forum, which has become a key forum for multi-stakeholder debate on pertinent issues related to the Geneva Plan of Action and note that the Forum’s inclusiveness, openness, and thematic focus have strengthened responsiveness to stakeholders and contributed to increased physical and remote participation. [agreed]

We encourage all stakeholders to contribute to and closely collaborate with the Partnership on Measuring ICT for Development as an international, multi-stakeholder initiative to improve the availability and quality of ICT data and indicators, particularly in developing countries. [agreed]

[We emphasize/ recognize that the commitments to advance gender equality perspectives and undertake the necessary actions throughout the WSIS outcomes, as called for in Para 3 of Preamble under this document, should also be implemented, reviewed and monitored, consistent with other Action Lines, by UN Women in cooperation with other Action Line Facilitators.](HEP – delete)

We encourage all WSIS stakeholders to continue to contribute information on their activities to the public WSIS stocktaking database maintained by ITU. In this regard, we invite all countries to gather information at the national level with the involvement of all stakeholders, to contribute to the stocktaking. [agreed]

We also welcome continuation of the WSIS Project Prizes initiative that has been launched by ITU with involvement of all Action line facilitators as a competition that recognizes excellence in the implementation of projects and initiatives which further the WSIS goals of improving connectivity to ICTs), particularly within underserved communities, and provide a high-profile, international platform for recognizing and showcasing success stories and models that could be easily replicated. In this regard, the WSIS Stocktaking Database is of utmost importance in sharing best practices amongst WSIS Stakeholders. [agreed]

We emphasize on the importance of 17 May as World Information Society Day to help to raise awareness, on an annual basis, of the importance of this global facility, on the issues dealt with in the WSIS especially the possibilities that the use of ICTs can bring for societies and economies, as well as of ways to bridge the digital divide. [agreed]]

Vision Beyond 2015 Document

1. During the meeting, the participants agreed to replace Chapter E with the following three paragraphs and include them in Chapter B of the Vision:

34. Developing agreed goals and time-based measurable targets data and indicators along with enhanced monitoring and reporting. [agreed]

35. Encourage the ongoing assessment of progress towards the information society, as envisaged in the WSIS Outcomes, including through efforts such as the Partnership on Measuring ICT for Development which has been essential for evaluating the implementation of WSIS Action Lines. [agreed]

36. In this respect, it is necessary to continue to develop appropriate ways and means to make such measurements. [agreed]

2. A long discussion was held on the way forward. Some of the delegates expressed views that if text on WSIS Action Line C9 is not agreed, all Chapter C should not be considered as agreed, and refused to consider other items without reaching agreement on WSIS Action Line C9, while others were open to discuss further with the understanding that Chapter C is essential for the outcomes of the WSIS+10 High Level Event.

3. Some of the delegates requested for reflecting their statements in the Chairman’s Report (See Annex).

4. In conclusion the Chairman informed the meeting that the full text with all brackets will be reflected on the website and possibly forwarded to the consideration of the WSIS+10 High Level Event. He offered his availability on 9th June 2014 for the meeting, if needed, with the aim of finalization of the text. He encouraged all stakeholders to conduct consultations to reach consensus for pending items prior to the Event.

Link to Documentation:

· Results of the pre-agreed Chapters during the Fifth Physical meeting: http://www.itu.int/wsis/review/mpp/pages/consolidated-texts.html


Annex

Statement by the Association for Proper Internet Governance
Regarding the 28-31 May Multistakeholder Preparatory Platform meeting
3 June 2014

The Association for Proper Internet Governance (APIG)[1] requests that this statement be annexed to the Chairman’s report of the Multistakeholder Preparatory Platform (MPP).

Introduction

APIG has attended all of the preparatory meetings and made numerous written and verbal submissions. Its representative has actively made constructive suggestions in order to help achieve consensus and APIG has withdrawn various proposals that it considered important when they were challenged by other participants, and this in order to find consensus. Some examples of such compromises made by APIG are presented below.

APIG is pleased that full consensus was reached regarding the Statement and parts A and B of the Vision, and that consensus was reached regarding most of part C of the Vision. However, APIG is disappointed that the rigid positions taken by some participants prevented full consensus from being reached regarding Action Lines C5 (Building confidence and security in the use of ICTs) and C9 (Media) in part C.

It must be recalled that the purpose of the discussions regarding part C was to identify action line items that would supplement the agreed action line items of the 2003 Geneva Plan of Action. The world has changed since 2003 and indeed the action lines need to be revisited and supplemented.

Agreement was reached on many supplements to the action lines. Action line C9 is related to the media, which has undergone dramatic changes since 2003. Many supplements to this action line are surely needed, but, given the complexity of the discussions, in particular regarding freedom of speech, it was not possible to reach consensus. Some participants took the view that, absent consensus on C9, none of the other supplements to the action lines could be considered to have been approved by consensus.

This is correct from a procedural point of view: nothing is agreed until everything is agreed. However, APIG is of the view that the supplements to all action lines except C9 and one item in C5 are acceptable as agreed and can be considered independently of C9 and the unresolved item in C5, while recognizing that important issues regarding C5 and C9 remain open and must continue to be discussed.

We present here the following:

1. Considerations on the multi-stakeholder process used during these preparatory meeting

2. Compromises made by APIG

3. Proposals for C5 and C9

3. Considerations on the multi-stakeholder process used during MPP meetings

The Multistakeholder Preparatory Platform (MPP) meetings were conducted on the basis of equal rights for all stakeholder and no restrictions on participation (except for registration). This allowed a wide variety of views to be heard and resulted in many valuable and diverse proposals being presented for consideration.

The leadership team (chairman and vice-chairmen) was very experienced and skilled, as was the secretariat.

Given the volume and diversity of the submitted inputs, it was APIG’s view that the leadership team should have been requested, already after the first MPP meeting, to propose compromise text. APIG regrets that many participants objected to this, and that the leadership team was tasked with proposing compromise text only at a very late state. This is particularly to be regretted because all participants agreed that the compromise text that was presented by the leadership at the end was excellent and formed an appropriate basis for further discussion and refinement. It is likely that progress would have been more rapid, and that full consensus might have been achieved, if the compromise proposals prepared by the leaderhsip had been presented at the earlier meetings of the MPP.

The meeting was conducted on the basis of unanimity. That is, no text was considered to have achieved consensus unless no participant objected to it. While this appears appealing at first sight, it can result in a small minority blocking progress towards a compromise text. And indeed this happened for some portions of the text of part C of the Vision.

If meetings are fully open, and all stakeholders have equal decision-making rights, then any stakeholder can block any proposal that, in its view, threatens its interests. Thus it will be difficult or impossible to reach consensus on delicate issues at such meetings, and this is indeed what happened at the MPP. Allowing private companies (which are stakeholders) to have the same power as other stakeholders with respect to public policy issues is problematic, see the Preamble of our submission[2] to the open consultation conducted by the ITU Council Working Group on International Internet-related Public Policy Issues (CWG-Internet). It is also problematic to allow a small number of participants, even if they are governments, to block progress.

Thus, it should be recognized that multi-stakeholder meetings in which public policy decisions are made by unanimity are not appropriate if the goal is to reach consensus on difficult issues.

An alternative would be to apply “rough consensus” rather than unanimity. But this gives a great deal of power to the leadership team, and thus makes the selection of the leadership team a very delicate matter. Such “rough consensus” cannot be held to be democratic.

APIG is of the view that multi-stakeholder process must be democratic, again, see the Preamble of our cited submission to CWG-Internet.

2. Compromises made by APIG

3. APIG would have preferred that paragaph 2 of the Preambles of both the Statement and the Vision read as follows in order to recognize recent UN Resolutions that highlight the relevance of specific human rights in the context of the evolution of ICTs since 2005, recognizing the well-known legal principle that offline rights apply equally online (our additions are shown as revision marks):

We reaffirm the human rights and fundamental freedoms enshrined in the Universal Declaration of Human Rights and relevant international human rights treaties, including the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights; and we also reaffirm paragraphs 3, 4, 5 and 18 of the Geneva Declaration ; and we reaffirm the human rights mentioned in relevant UN Resolutions, including, but not limited to:

  • A/RES/68/147 . Rights of the child
  • A/RES/68/163. The safety of journalists and the issue of impunity
  • A/RES/68/167. The right to privacy in the digital age
  • A/RES/68/227 . Women in development
  • A/HRC/20/8. The promotion, protection and enjoyment of human rights on the Internet
  • A/HRC/RES/21/24. Human rights and indigenous People
  • A/HRC/RES/22/6 . Protecting human rights defenders
  • A/HRC/RES/ 23/2 . The role of freedom of opinion and expression in women’s empowerment
  • A/HRC/RES/23/3. Enhancement of international cooperation in the field of human rights
  • A/HRC/RES /23/10. Cultural rights and cultural diversity
  • A/HRC/RES/24/5 . The rights to freedom of peaceful assembly and of association
  • A/HRC/RES/25/11. Question of the realization in all countries of economic, social and cultural rights

APIG is disappointed that one participant (representing business) objected to inclusion in Action Line C2 (Information and Communication Infrastructure) of the following item, which is based on text agreed at the G20 St. Petersburg meeting[3]:

e) There is a need to identify the main difficulties that the digital economy poses for the application of existing international tax rules and develop detailed options to address these difficulties.

APIG would have preferred that the WSIS+10 recognize the dysfunctional nature of the current copyright regime for what concerns online issues and that an explicit call be included to reform that unworkable regime[4]. In particular, APIG would have preferred that item (f) of action line C6 (Enabling Environment) read as follows (changes with respect to the agreed version are shown as revision marks):

f) Foster an intellectual property rights framework that balances the interests of creators, implementers and users , by drastically reducing the length of copyright, by legalizing non-commercial downloads of copyright material, and by restricting what can be patented .

APIG would have preferred that the WSIS+10 explicitly call for the globalization of the IANA fundtion, by adding the following:

In section B (Priority areas) of the Vision, adding 37:

37) Accelerating the globalization of ICANN and IANA functions.

In action line C1 of the Vision, adding (f):

(f) Agree a formal framework that provides for all governments to participate, on an equal footing, in the governance and supervision of the ICANN and IANA functions, and that provides for effective supervision and accountability of these functions in accordance with paragraphs 29, 35, 36, 61 and 69 of the Tunis Agenda.

APIG would have preferred that (b) and (d) of C10 (Ethical Dimensions of the Information Society) read as follows (changes with respect to the agreed version are shown as revision marks):

(b) Promote respect of the fundamental ethical values in the use of ICTs and prevent their abusive usage , and in particular prevent mass surveillance.

(d) Continue to enhance the protection of privacy and personal data. Recognize that, i n the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy. Any violations of privacy and any restrictions on the protection of personal data must be held to be necessary and proportionate by an independent and impartial judge.

See 11 of our submission[5] to the open consultation conducted by the ITU Council Working Group on International Internet-related Public Policy Issues (CWG-Internet) and recall that, as stated by the President of Brazil, DilmaRousseff, in her speech at the UN General Assembly on 24 September 2013:

“In the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy.”

3. Proposals for C5 and C9

APIG would prefer the following texts for (a) of C5 and for C9.

С5. Building confidence and security in the use of ICTs

a) Continue to promote cooperation among governments at the United Nations and other appropriate intergovernmental forums, and with all stakeholders at other appropriate forums, to enhance user confidence, build trust, and protect both data and network integrity; consider existing and potential threats to ICTs, in particular threats created by weakening or compromising encryption standards; and address other information security (this being understood as defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction) and network security issues, in particular mass surveillance.

abis) Address cybersecurity and cybercrime in appropriate forums.

In the interests of compromise, APIG could accept deletion of the parts highlighted in yellow above. It should be noted that the text in parenthesis after “information security” was not present in the 2003 version of this text, found in 12(a) of the Geneva Plan of Action. It has been added in order to make it clear that the term “information security” is used in its ordinary sense[6], and not in other senses.

C9. Media

Media will benefit from the broader and expanded role of ICTs that can enhance media’s contribution to the development goals of the post-2015 Sustainable Development Agenda.

The principles of freedom of expression and the free flow of information, ideas and knowledge, and the protection of privacy, are essential for the information and knowledge societies and beneficial to development, recognizing that the same rights that people have offline must also be protected online.

1. Develop and update national ICT-Media legislation that guarantees the independence, and plurality of the media according to international standards as well as the domestic needs.

2. Continue to take appropriate measures — consistent with freedom of expression— to combat media content that is both illegal and harmful. Any such measures must be held to be necessary and proportionate by an independent and impartial judge.

3. Continue to encourage traditional media to bridge the knowledge divide and to facilitate the flow of cultural content, particularly in rural areas.

4. Ensure the safety of all journalists and media workers, including social media producers and bloggers, and their sources (in particular whistle-blowers) and facilitate the implementation of the UN Plan of action on the safety of journalists and the issue of impunity.

5. Ensure the privacy of all media and the secrecy all communications, including E-Mail. Any violations of privacy or secrecy shall take place only if they are held to be necessary and proportionate by an independent and impartial judge. The privacy of all media and the secrecy of all communications shall be respected in accordance with the national laws of all concerned parties.

In the interests of compromise, APIG could accept deletion of the parts highlighted in yellow above. The first part, “recognizing that the same rights that people have offline must also be protected online”, is not necessary, since it affirms a well-known legal principle and since human rights are individible.

It should be noted that the text proposed for 2 clarifies the text of 24 (c)) of the Geneva Plan of Action. That text could be misunderstood to imply that one could combat content that is harmful but not illegal. But such is not the case, since content can only be restricted if it is illegal, pursuant to article 29(2) of the Universal Declaration of Human Rights and article 19(3) of the International Covenant on Civil and Political Rights. That is, the Geneva Plan of Action already enshrined the principle that there should be fewer restrictions on online freedom of speech than on offline freedom of speech, because the online content can be restricted only if it is “illegal and harmful”. In this respect, see 7.1 of our submission [7] to the open consultation conducted by the ITU Council Working Group on International Internet-related Public Policy Issues (CWG-Internet).

Regarding 4 above, whistle-blowers are sources for journalists, so they are already included and their explicit mention can be omitted.

Regarding 5 above, see 11 of our cited submission to CWG-Internet.

We have omitted an action line regarding gender equality in media because we believe that a strong statement regarding gender equality should apply to all action lines and thus should appear as a chapeau before action line C1. We propose the following for this chapeau (the language is that proposed by UN Women for a potential new action line, slightly modified since it is not proposed here as an action line):

We commit to promote progress in implementing gender commitments enshrined in the WSIS outcome documents and forward-looking recommendations by pursuing practical and joint measures to advance women’s empowerment within the Information Society. The goal is to realize women’s meaningful access to ICTs and full integration of women’s needs and perspectives, and their equal participation as active agents, innovators and decision-makers. Also critical are connecting and heightening understanding of online and offline realities and addressing underlying factors that hinder women’s engagement in the Information society. Finally, we seek to develop more coherent approaches, as well as increase investments, attention and accountability measures.

1. Gender Analysis: Promote the use of “gender analysis” and associated tools and methodologies in the development of national, regional and related global frameworks, strategies and policies and their implementation, as well as better connect with women’s empowerment communities and frameworks.

2. Holistic Approaches and Structural Issues: Address underlying women’s empowerment issues in the information society, such as gender stereotypes, specific or pronounced threats to women, such as online violence, as well as provide analysis and actionable recommendations on gender issues that cut across action lines.

3. Support to Action Lines and Stakeholders: Work with and across Action Lines and specific stakeholder groups (e.g. private sector) to accelerate integration of gender equality within their remits through identification of overarching issues, programmatic opportunities, requisite investments, policy interventions, case studies and learning, and promote participation of women and gender equality stakeholders.

4. Data and Monitoring Progress: Prepare scorecards on Action Line and National level reporting on women’s empowerment. Support and promote the work of the Partnership on the Measurement of the Information Society Working Group on Gender.

Report on ICANN 50

by Jyoti Panday last modified Oct 12, 2014 05:42 AM
Jyoti Panday attended ICANN 50 in London from 22-26 June. Below are some of the highlights from the meeting.

From 22- 26 June, ICANN hosted its 50th meeting in London, the largest congregation of participants, so far. In the wake of the IANA transition announcement, Internet governance was the flavor of the week. ICANN’s transparency and accountability measures emerged as much contested notions as did references to NETmundial. This ICANN meeting clearly demonstrated that questions as to the role of ICANN in internet governance need to be settled.

ATLAS II

Coinciding with ICANN meeting was the 2nd At-Large Summit, or ATLAS II, bringing together a network of regionally self organized and self supporting At-Large structures, representing individual Internet users throughout the world. The goal of the meeting was to discuss, reach consensus and draft reports around five issues organized around five issues organized around thematic groups of issues of concerns to the At-Large Community.

The subjects for the thematic groups were selected by the representatives of ALSes, each summit participant was allocated to thematic groups according to his/her preferences. The groups included were:

  • Future of Multistakeholder models
  • The Globalization of ICANN
  • Global Internet: The User perspective
  • ICANN Transparency and Accountability
  • At-Large Community Engagement in ICANN

Fahad Chehade Five Point Agenda

ICANN President, Mr Chehade in his address to the ICANN community covered five points which he felt were important for ICANN in planning its future role.  The first topic was the IANA Stewardship and transition, and he stated that ICANN is committed to being a transparent organization and seeks to be more accountable to the community as the contract with the US government ends. Regarding the IANA transition, he remarked that ICANN had received thousands of comments and proposals regarding the transition of IANA stewardship and understood there would be much more discussion on this subject, and that a coordination group has been proposed of 27 members representing all different stakeholders in order to plot the course forward for IANA transition.

His second topic was about ICANN globalization and hardening of operations. He said that ICANN has about 2-3 years to go before he is comfortable that ICANN operations are where they need to be. He applauded the new service channels which allows customer support in many different languages and time zones, and mentioned local language support that would add to the languages in which ICANN content is currently available. Chehade spent a few minutes discussing the future of WHOIS "Directory" technology and highlighted the initial report that a working group had put together, led by Jean-Francois Poussard.

Next he covered the GDD, the Global Domains Division of ICANN and an update from that division on the New gTLD program. He mentioned the ICANN Auction, the contracts that had been signed, and the number of New gTLDs that had already been delegated to the Root. Internet Governance was Chehade's 4th topic of discussion, he applauded the NETmundial efforts, though he stressed that internet governance is one of the things that ICANN does and it will not be a high priority. He ended his speech with his last point, calling for more harmony within the ICANN community.

High Level Government Meeting

During ICANN London, UK government hosted a high-level meeting, bringing together representatives from governments of the world to discuss Internet Governance and specifically the NTIA transition of the IANA contract.  Government representatives recognized that the stewardship of IANA should be a shared responsibility between governments and private sector groups, while other representatives stressed giving governments a stronger voice than other stakeholders. The consensus at the meeting held that the transition should not leave specific governments or interest groups with more control over the Internet, but that governments should have a voice in political issues in Internet Governance.

GAC Communiqué

GAC Communique, is a report drafted by the Governmental Advisory Committee, advising the ICANN board on decisions involving policy and implementation. Highlights from the communiqué include:

  • The GAC advises the Board regarding the .africa string, saying it would like to see an expedited process, especially once the Independent Review Panel comes to a decision regarding the two applicants for the string. They reaffirm their decision that DotConnectAfrica's application should not proceed.
  • The GAC mentioned the controversy surrounding .wine and .vin, where some European GAC representatives strongly felt that the applications for these strings should not proceed without proper safeguards for geographic names at the second level. However, the GAC was unable to reach consensus advice regarding this issue and thus did not relay any formal advice to the Board.
  • The GAC requested safeguards in the New gTLDs for IGO (Inter-Governmental Organization) names at the second level, and specifically related such advice for names relating to Red Cross and Red Crescent.

Civil Society in ICANN and Internet Governance

NCUC, or the Noncommercial Users Constituency www.ncuc.org,  voice of civil society in ICANN’s policy processes on generic top level domain names and related matters, as well as other civil society actors from the ICANN community organized a workshop to provide an opportunity for open and vigorous dialogue between public interest advocates who are active both within and outside the ICANN community.

CYFY 2014 Event Programme

by Prasad Krishna last modified Oct 13, 2014 06:59 AM

PDF document icon CYFY14-Event-Booklet-Programme-1-1.pdf — PDF document, 625 kB (640972 bytes)

CYFY 2014 Brochure

by Prasad Krishna last modified Oct 13, 2014 07:03 AM
The brochure of the event.

PDF document icon CYFY 2014 Brochure.pdf — PDF document, 452 kB (463325 bytes)

DNA Database for Missing Persons and Unidentified Dead Bodies

by Vipul Kharbanda last modified Nov 04, 2014 03:46 PM
This blog discusses the possible implications of the public interest litigation that has been placed before the Supreme Court petitioning for the establishment of a DNA database in respect to unidentified bodies.

In the year 2012 Lokniti, a Non Governmental Organization filed a public interest litigation in the Supreme Court of India asking the government to establish a DNA database in respect of unidentified dead bodies as well as for those individuals for whom missing persons reports have been filed so that DNA of unidentified dead bodies can be matched against missing persons - arguing that the right to be identified is a part of the right to dignity, and that such systems have been adopted across the globe. The case has come up a few times since 2012 and parties have been given time to file their replies in these instances. Prior to the 2012 Public Interest Litigation filed by Lokniti, in 2009 a Public Interest Litigation was filed by a Haryana based doctor. The PIL petitioned for the DNA profiling of unidentified bodies to be made mandatory - arguing that thousands of individuals die with their identity being unknown. During the hearing the Bench asked a number of questions including why the Ministry of Health was not brought into the case, given the fact that a number of labs that conduct DNA profiling function under the ministry.

While the case is still pending, the Supreme Court on 22nd September 2014 gave another interim order which was a little more detailed. On this date the Ministry of Science and Technology of the Government of India, through the Department of Biotechnology stated that they are piloting a DNA profiling Bill that would establish a DNA Profiling Board and a National DNA Data Bank. The National DNA Data Bank is envisaged to maintain the following indices for various categories of data:

I. a crime scene index;

II. a suspects' index;

III. an offenders' index;

IV. a missing persons' index;

V. unknown deceased persons' index

VI. a volunteers' index; and

VII. such other DNA indices as may be specified by regulations made by the Board.

One of the Ministry's plans under this Bill is to create DNA profiles of individuals whose relatives have gone missing, on a voluntary basis to help the relatives identify missing persons and unidentified dead bodies. They also stated that cross-matching of DNA profiling data in the database would require specialized software and the CDFB, Hyderabad is in the process of acquiring the same from the Federal Bureau of investigation, USA.

The advocate for Lokniti responded to this saying that the DNA profiling Bill has been pending for a long time and has not seen the light of day for the last seven years. To this the response of the government was that it was a complex Bill involving a number of issues which take a long time to resolve.

At this point the Supreme Court, without going into the details of the Bill asked the advocate for the Union of India to obtain instructions regarding the following two aspects:

(1) Whether pending the Bill coming into force the concerned Department can constitute a Data Bank in respect of dead persons who are not identifiable; and

(2) when there are missing reports in respect of persons to collect the DNA from the permissible sources like siblings or others so that in case any unidentified dead body is found to match the DNA to arrive at the conclusion about the missing persons who are dead; or as an ancillary the missing person who is a victim of the crime of kidnapping or where any child, who is not able to find out his parents, can be in a position to find out through the DNA.

Thus it seems that the Supreme Court, recognizing its limitations in directing the legislature to pass a law and the fact that the passing of the DNA profiling Bill may take a long time to become law, has tried to find a way out in which the concerns of the petitioner regarding a DNA Databank for missing persons and unidentified dead bodies could be addressed without the passage of the DNA profiling Bill. However since the case is still pending in the Supreme Court no final directions have been given in this regard. Thus, the Court has left the government with the responsibility to address the question of whether a DNA Databank can be established without the passing of a legislation providing legal basis for the collection, profiling, databasing, and use of DNA samples.


http://indianexpress.com/article/india/india-others/sc-wants-centre-to-create-dna-data-bank/#sthash.7zqU0Ill.dpuf

http://indianexpress.com/article/india/india-others/sc-seeks-govt-response-on-making-dna-profiling-mandatory/

The order dated September 22, 2014 can be found at http://courtnic.nic.in/supremecourt/temp/wc%2049112p.txt

Subbiah Arunachalam

by Prasad Krishna last modified Oct 23, 2014 05:08 AM

Subbiah Arunachalam (known to friends as Arun) started his career as a research chemist, but found his calling in information science. In the past four decades, he has been a student of chemistry, a laboratory researcher (at the Central Electrochemical Research Institute and the Indian Institute of Science), an editor of scientific journals (at the Publications and Information Directorate of the Council for Scientific and Industrial Research and the Indian Academy of Sciences), the secretary of a scholarly academy of sciences (IASc), a teacher of information science (at the Indian National Scientific Documentation Centre), and a development researcher (at the M.S. Swaminathan Research Foundation and the Indian Institute of Technology Madras). While working with M.S. Swaminathan Research Foundation, he initiated the South-South Exchange Traveling Workshop to facilitate hands on cross-cultural learning for knowledge workers from Africa, Asia and Latin America engaged in ICT-enabled development.

Arun has been on the editorial boards of six international refereed journals including Journal of Information Science, Scientometrics, Journal of Community Informatics, and Current Contents; till recently he was  a member of the international advisory board of IICD, The Hague, and a Trustee of the Voicing the Voiceless Foundation. Currently he is a trustee of the Electronic Publishing Trust for Development.  Improving information access both for scientists and for the rural poor; scientometrics, ICT-enabled development and open access are among his current research interests.

Lawrence Liang

by Prasad Krishna last modified Oct 23, 2014 05:41 AM

Lawrence Liang is a graduate of the National Law School. He subsequently pursued his Masters degree in Law and Development at Warwick, on a Chevening Scholarship. His key areas of interest are law, technology and culture, the politics of copyright and he has been working closely with Sarai, New Delhi on a joint research project Intellectual Property and the Knowledge/Culture Commons. A keen follower of the open source movement in software, Lawrence has been working on ways of translating the open source ideas into the cultural domain. He has written extensively on these issues and is the author of The Public is Watching: Sex, Laws and Videotape and A Guide to Open Content Licenses. Lawrence has taught at NLS, the Asian College of Journalism, Nalsar, etc., and is currently working on a Ph.D. on the idea of cinematic justice at Jawaharlal Nehru University.

The Gujarat High Court Judgment on the Snoopgate Issue

by Vipul Kharbanda last modified Oct 27, 2014 04:40 AM

Pranlal N. Soni v. State of Gujarat, C/SCA/14389/2014

In the year 2013 the media widely reported that a female civil services officer was regularly spied upon in 2009 due to her acquaintance with the then Chief Minister of Gujarat (and current Prime Minister of India) Mr. Narendra Modi. It was reported that the surveillance was being supervised by the current president of the BJP, Mr. Amit Shah at the behest of Mr. Modi. The case took another twist when the officer and her father said that they had no problems with such surveillance, and had repeatedly conveyed to various statutory authorities including the National Commission for Women, the State Commission for Women, as also before the Hon’ble Supreme Court of India, that they never felt that their privacy was being interfered with by any of the actions of the State Authorities. Infact, para 3.5 of the petition indicated that it was at the behest of the father of the female officer that the State government had carried out the surveillance on his daughter as a security measure.

Inspite of the repeated claims of the subject of surveillance and her father, the Gujarat Government passed a Notification under the Commissions of Inquiry Act, 1952 appointing a two member Commission of Inquiry to enquire into this incident without jeopardizing the identity or interest of the female officer. This Notification was challenged in the Gujarat High Court by the very same female officer and her father on the ground that it violated their fundamental right to life and liberty. The petitioners claimed that they had to change their residential accommodation four times in the preceding few months due to the constant media glare. The print, electronic and social media, so called social workers and other busybodies constantly intruded into the private life of the petitioners and their family members. The petitioner's email accounts were hacked and scores of indecent calls were received from all over. Under the guise of protecting the petitioner's privacy, every action undertaken by the so called custodians for and on behalf of the petitioners resulted into a breach of privacy of the petitioners, making life impossible for them on a day to day basis.

After hearing the arguments of the petitioners, including arguments on technical points the Court struck down the Notification issued by the State government to enquire into the issue of the alleged illegal surveillance. However the Court also briefly touched upon the issue of violation of the privacy of the female officer in this whole episode. However, instead of enquiring into whether there was any breach of privacy in the facts of the case, the Court relied upon the statement made by the female officer that whatever surveillance was done did not cause any invasion into her privacy, rather it was the unwelcome media glare that followed the revelations regarding the surveillance which had caused an invasion of her privacy.

Thus we see that even though the whole snoopgate episode started out as one of “alleged” unwarranted and illegal surveillance this particular judgment is limited only to challenging the validity of the Inquiry Commission appointed by the State Government. In order to challenge the Notification in a PIL the female officer had to show that some fundamental right of hers was violated and in such circumstances privacy is the most obvious fundamental right which was violated.

Although this judgment talks about privacy, it does not have enough legal analysis of the right to privacy to have any significant ramifications for how privacy is interpreted in the Indian context. The only issue that could possibly be of some importance is that the we could interpret the Court’s reliance on the statement of the female officer that there was no breach of privacy rather than its own examination of facts to mean that in cases of breach of privacy, if the person whose privacy has been breached did not feel his or her privacy to have been invaded then the Courts would rely on the person’s statements rather than the facts. However this is only an interpretation from the facts and it does not seem that the Court has spent any significant amount of time to examine this issue, therefore it may not be prudent to consider this as establishing any legal principle.

Note: The details of the case as well as the judgment can be found at http://gujarathc-casestatus.nic.in/gujarathc/tabhome.jsp

India Draft Resolution - ITU's Role in Securing Information Society

by Geetha Hariharan last modified Oct 28, 2014 06:55 AM
India's new draft resolution introduced at ITU PP14, Busan.

PDF document icon [India] [NEW] 98E - ITU's role in realising secure information society.pdf — PDF document, 77 kB (78953 bytes)

Good Intentions, Recalcitrant Text - I: Why India’s Proposal at the ITU is Troubling for Internet Freedoms

by Geetha Hariharan last modified Nov 02, 2014 03:13 PM
The UN's International Telecommunications Union (ITU) is hosting its Plenipotentiary Conference (PP-14) this year in South Korea. At PP-14, India introduced a new draft resolution on ITU's Role in Realising Secure Information Society. The Draft Resolution has grave implications for human rights and Internet governance. Geetha Hariharan explores.

 

At the 2014 Plenipotentiary Conference (‘PP-14’ or ‘Plenipot’) of the International Telecommunications Union (ITU), India has tabled a draft proposal on “ITU’s Role in Realising Secure Information Society” [Document 98, dated 20 October 2014] (“Draft Resolution”). India’s proposal has incited a great deal of concern and discussion among Plenipot attendees, governments and civil society alike. Before offering my concerns and comments on the Draft Resolution, let us understand the proposal.

Our Draft Resolution identifies 3 security concerns with exchange of information and resource allocation on the Internet:

  • First, it is troubling for India that present network architecture has “security weaknesses” such as “camouflaging the identity of the originator of the communication”;[1] random IP address distribution also makes “tracing of communication difficult”;[2]
  • Second, India is concerned that under the present allocation system of naming, numbering and addressing resources on the Internet, it is impossible or at the very least, cumbersome to identify the countries to which IP address are allocated;[3]
  • Third, India finds it insecure from the point of view of national security that traffic originating and terminating in the same country (domestic traffic) often routes through networks overseas;[4] similarly, local address resolution also routes through IP addresses outside the country or region, which India finds troubling.[5]

In an effort to address these concerns, the Draft Resolution seeks to instruct the ITU Secretary General:

  • First, to develop and recommend a ‘traffic routing plan’ that can “effectively ensure the traceability of communication”;[6]
  • Second, to collaborate with relevant international and intergovernmental organisations to develop an IP address plan which facilitates identification of locations/countries to which IP addresses are allocated and coordinates allocation accordingly;[7]
  • Third, to develop and recommend “a public telecom network architecture” that localizes both routing[8] as well as address resolution[9] for local/domestic traffic to “within the country”.

Admittedly, our Draft Resolution is intended to pave a way for “systematic, fair and equitable allocation” of, inter alia, naming, numbering and addressing resources,[10] keeping in mind security and human rights concerns.[11] In an informal conversation, members of the Indian delegation echoed these sentiments. Our resolution does not, I was told, raise issues about the “concentration of control over Internet resources”, though “certain governments” have historically exercised more control. It also does not, he clarified, wish to make privacy or human rights a matter for discussion at the ITU. All that the Draft Resolution seeks to do is to equip the ITU with the mandate to prepare and recommend a “roadmap for the systematization” of allocation of naming, numbering and addressing resources, and for local routing of domestic traffic and address resolution. The framework for such mandate is that of security, given the ITU’s role in ‘building confidence and security in the use of ICTs’ under Action Line C5 of the Geneva Plan of Action, 2003.

Unfortunately, the text of our Draft Resolution, by dint of imprecision or lack of clarity, undermines India’s intentions. On three issues of utmost importance to the Internet, the Draft Resolution has unintended or unanticipated impacts. First, its text on tracing communication and identity of originators, and systematic allocation of identifiable IP address blocks to particular countries, has impacts on privacy and freedom of expression. Given Edward Snowden’s NSA files and the absence of adequate protections against government incursions or excesses into privacy,[12] either in international human rights law or domestic law, such text is troublesome. Second, it has the potential to undermine multi-stakeholder approaches to Internet governance by proposing text that refers almost exclusively to sovereign monopolies over Internet resource allocation, and finally, displays a certain disregard for network architecture and efficiency, and to principles of a free, open and unified Internet, when it seeks to develop global architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing.

In this post, I will address the first concern of human rights implications of our Draft Resolution.

Unintended Implications for Privacy and Freedom of Expression:

India’s Draft Resolution has implications for individual privacy. At two different parts of the preamble, India expresses concerns with the impossibility of locating the user at the end of an IP address:

  • Pream. §(e): “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”;
  • Pream. §(h): “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

The concerns here surround difficulties in tracking IP addresses due to the widespread use of NATs, as also the existence of IP anonymisers like Tor. Anonymisers like Tor permit individuals to cover their online tracks; they conceal user location and Internet activity from persons or governments conducting network surveillance or traffic analysis. For this reason, Tor has caused much discomfort to governments. Snowden used Tor while communicating with Laura Poitras. Bradley (now Chelsea) Manning of Wikileaks fame is reported to have used Tor (page 24). Crypto is increasingly the safest – perhaps the only safe – avenue for political dissidents across the world; even Internet companies were coerced into governmental compliance. No wonder, then, that governments are doing all they can to dismantle IP anonymisers: the NSA and GCHQ have tried to break Tor; the Russian government has offered a reward to anyone who can.

Far be it from me to defend Tor blindly. There are reports suggesting that Tor is being used by offenders, and not merely those of the Snowden variety. But governments must recognize the very obvious trust deficit they face, especially after Snowden’s revelations, and consider the implications of seeking traceability and identity/geolocation for every IP address, in a systematic manner. The implications are for privacy, a right guaranteed by Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Privacy has been recognized by the UN General Assembly as applicable in cases of surveillance, interception and data collection, in Pream. §4 of its resolution The Right to Privacy in the Digital Age. But many states do not have robust privacy protections for individuals and data. And while governments may state the necessity to create international policy to further effective criminal investigations, such an aim cannot be used to nullify or destroy the rights of privacy and free speech guaranteed to individuals. Article 5(1), ICCPR, codifies this principle, when it states that States, groups or persons may not “engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms recognized herein…”.

Erosion of privacy has a chilling effect on free speech [New York Times v. Sullivan, 376 U.S. 254], so free speech suffers too. Particularly with regard to Tor and identification of IP address location and users, anonymity in Internet communications is at issue. At the moment, most states already have anonymity-restrictions, in the form of identification and registration for cybercafés, SIM cards and broadband connections. For instance, Rule 4 of India’s Information Technology (Guidelines for Cyber Cafe) Rules, 2011, mandates that we cannot not use computers in a cybercafé without establishing our identities. But our ITU Draft Resolution seeks to dismantle the ability of Internet users to operate anonymously, be they political dissidents, criminals or those merely acting on their expectations of privacy. Such dismantling would be both violative of international human rights law, as well as dangerous for freedom of expression and privacy in principle. Anonymity is integral to democratic discourse, held the US Supreme Court in McIntyre v. Ohio Elections Commission [514 U.S. 334 (1995)].[13] Restrictions on Internet anonymity facilitate communications surveillance and have a chilling effect on the free expression of opinions and ideas, wrote Mr. Frank La Rue, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (¶¶ 48-49).

So a law or international policy for blanket identification and traceability of IP addresses has grave consequences for and prima facie violates privacy, anonymity and freedom of speech. But these rights are not absolute, and can be validly restricted. And because these human rights are implicated, the ITU with its lack of expertise in the area may not be the adequate forum for discussion or study.

To be valid and justified interference, any law, policy or order interfering with privacy and free speech must meet the standards of reasonableness and proportionality, even if national security were the government’s legitimate aim, laid down in Articles 19(3) and 17 of the Covenant on Civil and Political Rights (CCPR) [Toonen v. Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994), ¶6.4]. And as the European Court of Human Rights found in Weber & Saravia v. Germany [Application no. 54934/00, 29 June 2006 (ECHR), ¶95], law or executive procedure that enables surveillance without sufficient safeguards is prima facie unreasonable and disproportionate. Re: anonymity, in Delfi AS v. Estonia [Application no. 64569/09, 17 February 2014, ¶83], while considering the liability of an Internet portal for offensive anonymous comments, the ECHR has emphasized the importance of balancing freedom of expression and privacy. It relied on certain principles such as “contribution to a debate of general interest, subject of the report, the content, form and consequences of the publication” to test the validity of government’s restrictions.

The implications of the suggested text of India’s Draft Resolution should then be carefully thought out. And this is a good thing. For one must wonder why governments need perfect traceability, geolocation and user identification for all IP addresses. Is such a demand really different from mass or blanket surveillance, in scale and government tracking ability? Would this not tilt the balance of power strongly in favour of governments against individuals (citizens or non-citizens)? This fear must especially arise in the absence of domestic legal protections, both in human rights, and criminal law and procedure. For instance, India’s Information Technology Act, 2000 (amended in 2008) has Section 66A, which criminalizes offensive speech, as well as speech that causes annoyance or inconvenience. Arguably, arrests under Section 66A have been arbitrary, and traceability may give rise to a host of new worries.

In any event, IP addresses and users can be discerned under existing domestic law frameworks. Regional Internet Registries (RIR) such as APNIC allocate blocks of IP addresses to either National Internet Registries (NIR – such as IRINN for India) or to ISPs directly. The ISPs then allocate IP addresses dynamically to users like you and me. Identifying information for these ISPs is maintained in the form of WHOIS records and registries with RIRs or NIRs, and this information is public. ISPs of most countries require identifying information from users before Internet connection is given, i.e., IP addresses allocated (mostly by dynamic allocation, for that is more efficient). ISPs of some states are also regulated; in India, for instance, ISPs require a licence to operate and offer services.

If any government wished, on the basis of some reasonable cause, to identify a particular IP address or its user, then the government could first utilize WHOIS to obtain information about the ISP. Then ISPs may be ordered to release specific IP address locations and user information under executive or judicial order. There are also technical solutions, such as traceroute or IP look-up that assist in tracing or identifying IP addresses. Coders, governments and law enforcement must surely be aware of better technology than I.

If we take into account this possibility of geolocation of IP addresses, then the Draft Resolution’s motivation to ‘systematize’ IP address allocations on the basis of states is unclear. I will discuss the implication of this proposal, and that of traffic and address localization, in my next post.

 


[1] Pream. §(e), Draft Resolution: “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”.

[2] Pream. §(h), Draft Resolution: “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

[3] Op. §1, Draft Resolution: “instructs the Secretary General… to collaborate with all stakeholders including International and intergovernmental organizations, involved in IP addresses management to develop an IP address plan from which IP addresses of different countries are easily discernible and coordinate to ensure distribution of IP addresses accordingly”.

[4] Pream. §(g), Draft Resolution: “recognizing… that communication traffic originating and terminating in a country also many times flows outside the boundary of a country making such communication costly and to some extent insecure from national security point of view”.

[5] Pream. §(f), Draft Resolution: “recognizing… that even for local address resolution at times, system has to use resources outside the country which makes such address resolution costly and to some extent insecure from national security perspective”.

[6] Op. §6, Draft Resolution: “instructs the Secretary General… to develop and recommend a routing plan of traffic for optimizing the network resources that could effectively ensure the traceability of communication”.

[7] Op. §1, Draft Resolution; see note 3.

[8] Op. §5, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures that effectively the traffic meant for the country, traffic originating and terminating in the country remains within the country”.

[9] Op. §4, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures effectively that address resolution for the traffic meant for the country, traffic originating and terminating in the country/region takes place within the country”.

[10] Context Note to Draft Resolution, ¶3: “Planning and distribution of numbering and naming resources in a systematic, equitable, fair and just manner amongst the Member States…”

[11] Context Note to Draft Resolution, ¶2: “…there are certain areas that require critical attention to move in the direction of building the necessary “Trust Framework” for the safe “Information Society”, where privacy, safety are ensured”.

[12] See, for instance, Report of the Office of the High Commission for Human Rights (“OHCHR”), Right to Privacy in the Digital Age, A/HRC/27/37 (30 June 2014), ¶34-35, http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf. See esp. note 30 of the Report, ¶35.

[13] Many thorny political differences exist between the US and many states (including India and Kenya, who I am told has expressed preliminary support for the Draft Resolution) with regard to Internet governance. Irrespective of this, the US Constitution’s First Amendment and judicial protections to freedom of expression remain a yardstick for many states, including India. India, for instance, has positively referred to the US Supreme Court’s free speech protections in many of its decisions; ex. see Kharak Singh v. State of Uttar Pradesh, 1963 Cri. L.J. 329; R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264.

Good Intentions, Recalcitrant Text – II: What India’s ITU Proposal May Mean for Internet Governance

by Geetha Hariharan last modified Nov 03, 2014 07:07 AM
The UN's International Telecommunications Union (ITU) is hosting its Plenipotentiary Conference (PP-14) this year in South Korea. At PP-14, India introduced a new draft resolution on ITU's Role in Realising Secure Information Society. The Draft Resolution has grave implications for human rights and Internet governance. Geetha Hariharan explores.

 

Disclaimer and update (2 November 2014): India's Draft Resolution was discussed during the meeting of the Ad Hoc Working Group on Internet-related Resolutions at the ITU Plenipot on the evening of November 1, 2014 (KST). After the discussion, India revised the text of the resolution, seeking to address concerns raised by ITU member states. The revised resolution may be found here. However, this blog post was written with reference to the original text of India's Draft Resolution.

***

As I mentioned in my last post, India’s Draft Resolution on ‘ITU’s Role in Realising Secure Information Society’ raises security and equity concerns. The Draft Resolution has 3 security concerns: (i) security weaknesses in the network architecture that permit “camouflaging the identity of the originator of the communication” and make “tracing of communication difficult”; (ii) non-systematic, non-contiguous allocation of naming, numbering and addressing resources on the Internet, which makes it difficult to identify both the users and what states the IP addresses are located in; (iii) non-local routing and address resolution relating to traffic originating and terminating in the same country. Op. §§1, 3-7 seek to address these. It also identifies the present system of allocation of naming, numbering and addressing resources as inequitable, unfair, unjust and undemocratic (Op. §2 of the Draft Resolution offers a solution). I discussed some human rights implications of India’s Draft Resolution in my last post.

In this post, I explore the implications of the Draft Resolution for Internet governance and multi-stakeholder approaches (most notably, an equal footing model).[1] Given the uncertainties around defining multi-stakeholderism for Internet governance, this is rather ambitious. So I will try to point to concerns with certain textual interpretations of the Draft Resolution, map that against the positions India’s representatives have taken on Internet governance in the past, and the motivations/concerns that underlie the tabling of the Draft Resolution. This Resolution may not be the best way to allay India's concerns, for there are technical and rights implications. But the concerns it raises are worth discussion and knowledge, and at forums where concerns are heard, acknowledged and discussed collectively. The text of the Draft Resolution and its attendant implications are not, then, the sole subjects of this post.

The Draft Resolution and Internet governance:

The text of the Draft Resolution is problematic. Many of its clauses may be seen as taking positions against multi-stakeholder approaches to Internet governance. Introducing such a resolution at the ITU may itself bring back memories of the controversies surrounding Resolution 3 of the World Conference on International Telecommunications (WCIT), 2012.[2] In 3 ways, the text of the Draft Resolution has indications for multi-stakeholder approaches.

First, the Draft Resolution frames issues primarily from the perspective security. In its preamble, the Draft Resolution makes several references to security threats posed by and on the Internet. For instance, it points to the ability of the network to “camouflage the identity of the originator of the communication” (Pream. §(e) [recognizing]), as well as national security concerns in the present-day system of routing Internet traffic through multiple countries (Pream. §§(f) and (g), [recognizing]). The apparent difficulty in tracing IP addresses, due to their random allocation, is another concern (Pream. §(h), [recognizing]). Among the “significant public policy issues” identified in telecom/ICT management, “security and safety of the Telecom/ICTs” is specifically noted (Pream. §(i) [considering]). In the Context note to the Draft Resolution and in several places in the Preamble, there are references to ITU Resolution 130 (‘Strengthening the role of ITU in building confidence and security in the use of information and communication technologies’) and ITU’s Cyber-security Agenda. Given the (legitimate or otherwise) disproportionate involvement of governments and not other stakeholders in matters of cyber-security, the framing of issues from a security perspective may lend itself to worries for multi-stakeholderism. Specifically, the Draft Resolution notes: “ensuring security of ICT networks is sovereign right of Member States” (Pream. §(b) [recognizing]).

Second, the Draft Resolution emphasizes the sovereign right of states to regulate and control telecom/ICT. It says, for instance, “it is the sovereign right of each state to regulate its telecommunication” (Pream. §(b) [considering]). With regard to the Internet, the Context note to the Draft Resolution (page 1) considers the Internet to be synonymous with telecom/ICTs: “the Telecom/ICTs, which in common lexicon is used interchangeably many times as Internet…”. Public telecom networks managed by telecom service providers, interconnected with other networks, are necessary for  “proper functioning of a telecom network resources namely, among others, naming, numbering and addressing” (Pream. §(k) [considering]). It is worth noting that the sovereign authority of states over Internet public policy issues is settled text from §35 of the Tunis Agenda, though expressing it as synonymous with telecom may lead to possibilities of licensing and registration, which Bulgaria, for instance, does not do.

Third, the Draft Resolution identifies issues of equity and fairness in the allocation of Internet resources such as naming, numbering and addressing (Pream. §(g) [consdering], Op. §2). It states that to correct this inequity, “facilitation and collaboration among international, inter-governmental organizations and individual member states to ensure planning, implementation, monitoring and cooperation in its policies” is required (Pream. §(g) [considering]). In operative paragaphs, our Draft Resolution calls for collaboration with “all the concerned stakeholders including International and intergovernmental organizations to develop policies for allocation, assignment and management of IP resources including naming, numbering and addressing which is systematic, equitable, fair, just, democratic and transparent” (Op. §2). One may pay attention to the oversight over implementation and the necessity of inter-governmental involvement in planning and monitoring as problematic to iterations of multi-stakeholderism.

These concerns are valid and legitimate, and it is desirable that the text of the resolution be altered to address them. The text should also be altered to address the human rights concerns I point out in my previous post. But human rights enforcement or implementation is within the domain of states, though civil society may be a careful watchdog. The Draft Resolution's text, most certainly, will face certain oppositions: for instance, that it is outside the scope and mandate of the ITU. That the ITU does not deal with content regulation – and this issue touches upon content – will be mentioned. That Internet governance is already being discussed and performed in multiple other multi-stakeholder fora, such as ICANN, the NRO and RIRs, IGF and WSIS, will be emphasized. That the Draft Resolution implicates national security concerns will be mentioned as well. But as an aside, on national security: under international law, states always mention their prerogative over national security, and so as a matter of international custom, national security is outside the scope of agreements unless expressly surrendered.

At the same time, debates around the role of ITU in Internet governance are not new, and those familiar will remember the ITU’s views right before the creation of ICANN (also see Mueller, Ruling the Root 145-48 (2002)), Resolution 3 of the WCIT, and the constant tug-of-war since then. The new Secretary-General of the ITU, Mr. Houlin Zhao, wrote a note in October 2004, before the Tunis phase of the WSIS, justifying ITU’s involvement in Internet governance, advocating that IPv6 address blocks be allocated to countries. Mr. Zhao describes, with specific examples, ITU's role in the development and widespread growth of the Internet. He takes the examples of standards developed within the ITU and ITU's policy role in liberalisation and spread of telecommunications (such as Articles 4 & 9 of the 1988 ITRs).

Mr. Zhao’s concrete proposals are rendered inapplicable by the creation of the NRO and RIRs, and the growth and entrenchment of ICANN. But it may be argued that his principled justifications for ITU involvement remain. It is these that India hopes to highlight, I was told, along with the inequities in resource allocation (IPv4 was spoken of), and the disproportionate weight some states enjoy in Internet governance. Her concerns are, I am told, also shared by some other states. Given that the text exhibits a less-than-friendly approach to multi-stakeholderism, India's previous positions on the issue are of interest. While this would not correct the snags in the Draft Resolution's text, allaying these concerns may be ideal to craft an inclusive and transparent multi-stakeholder model for Internet governance.

India and Multi-stakeholderism in Internet Governance:

India’s position on multi-stakeholder models for Internet governance is a matter of some obscurity. Statements at various forums exhibit a certain disagreement – or at the least, lack of engagement – among India’s ministries on our position on multi-stakeholder approaches, particularly the Ministry of External Affairs (MEA), the Department of Telecommunications (DOT) and the Department of Electronics and Information Technology (DeitY), both within the Ministry of Communications and Information Technology (MCIT). While both the MEA and DOT have been cautious supporters of a diluted form of multi-stakeholderism (they have repeatedly emphasized §35 of the Tunis Agenda), DeitY has been more open in entertaining multi-stakeholder approaches for Internet governance.

At the 66th session of UN General Assembly, Mr. Dushyant Singh, Member of India’s Parliament from the Bharatiya Janata Party, presented our proposal for a Committee on Internet-related Policies. The proposal sought the establishment of a UN committee comprising 50 member-states, with advisory groups including the private sector and civil society, to deal with Internet-related matters.[3] Though India was not opposed to multi-stakeholder advisories in its CIRP proposal, it was less than inviting in this regard.

At NETmundial (April 2014), the Indian government’s contribution document highlighted §35 of the Tunis Agenda, which delineates ‘roles and responsibilities’ of ‘respective stakeholders’ – i.e., governments (with whom reside “sovereign policy authority”), the private sector (technical and economic development of the Internet) and civil society (grassroots participation). At NETmundial, Mr. Vinay Kwatra of the MEA echoed this, also noting the lack of consensus on what multi-stakeholderism means for Internet governance (page 64).

Admittedly, this is a legitimate concern. Internet governance at various fora does not seem to have a clear answer on what multi-stakeholderism means. The debate was/is alive, for instance, at NETmundial 2014, the ICANN-convened IANA transition process, the World Economic Forum’s new NETmundial Initiative, and in the many calls and suggestions (pages 38-46) made over the years on strengthening the IGF (see also, Malcolm, Multi-stakeholder Governance and the IGF (2008), chapter 6). It is hardly surprising then, that India and other states raise this as a concern.

With regard to multi-stakeholderism, the DeitY in India has been the outlier. Speaking at the 2014 IGF in Istanbul, Mr. R.S. Sharma, Secretary (DeitY), expressed “no doubt that Internet Governance mechanism require the involvement of all the stakeholders, since the evolution of Internet has been a product of many different diverse groups working together in a loosely coordinated manner”, advocating strengthening of the IGF and pointing to India’s proposed India-IGF as an example of multi-stakeholderism at home. Most interestingly, Mr. Sharma did not focus on international Internet-related policies being the “sovereign policy authority of states”. Also in the transcripts of the four meetings of the Working Group on Enhanced Cooperation under the Committee for Science, Technology and Development (CSTD), I have been unable to find outright rejections of multi-stakeholder approaches, though India has not advocated multi-stakeholderism unequivocally either.

But this – the emphasis on “sovereign policy authority of states” in Internet governance – has been a consistent position for India, especially the MEA and DOT. Here at the ITU PP-14 as well, members of the Indian delegation also emphasized states’ sovereign monopoly over policy matters. “Why not take this to the ITU”, I was asked, as “many governments are uncomfortable” with the way Internet governance is being conducted at other fora. There are grave concerns, I was told, about the possibility of excessive control some governments have over both user and government data of other states (government-speak, of course, for the Snowden revelations).

These are, of course, concerns similar to those of authoritarian governments, or those reluctant to open up to multi-stakeholderism and looking for excuses to retain/increase government control. But it is equally possible that these concerns need not be limited only to such states. Perhaps for developing countries as well, these are real concerns. In conversation with members of the Indian delegation at the ITU Plenipot, I was able to discern 3 broad concerns. First, the definition of multi-stakeholderism in Internet governance. India has not shown herself comfortable with an all-out endorsement of multi-stakeholderism. This is troubling. Civil society and the private sector in India will attest to the difficulties in engaging with our government at all levels. For instance, seeking a place on India's delegation for the Plenipot proved a disheartening exercise for some members of India's civil society.

But there are also conflicting indications. India is in the process of instituting an India-IGF, and CIS' Executive Director, Sunil Abraham, is on the MAG. India expressed agreement, at least in informal conversation, to opening up ITU documents to the public on grounds of public interest. The Law Commission of India  recently conducted a multi-stakeholder consultation on media laws in India, and Telecom Regulatory Authority of India (TRAI) regularly conducts consultations, though the private sector is more active there. What is lacking in India, however, is a set of clear procedures and processes for multi-stakeholder engagement, particularly on Internet issues. Clear, public, accessible, foreseeable and predictable set of rules or processes on participation from civil society, private sector and academia would make a world of difference to multi-stakeholderism within India. But this lack should not blind states or other stakeholders to the genuineness of privacy/security or equity concerns - for instance, of the protection of our information from mass surveillance or the feasibility and actual participation of developing countries at many Internet governance fora.

Second, members of the delegation expressed concern over inequalities in the allocation of naming, numbering and addressing resources. While I am uncertain how IPv6 allocation falls within this concern, the inequalities of IPv4 allocations are well documented. To gather a sense of this, it would be useful to read chapter 5 of Professor DeNardis’ Protocol Politics, and to glance at Figure 5.7 (page 173). Africa controls, for instance, a mere 1% of all available IPv4 addresses, while North America and Europe control about 63%. A study on engagement from the Asia-Pacific in Internet standards organisations shows, for instance, greater participation from Western countries and from some states like Japan.[4] India and other states from Asia and Africa have lesser participation. Even at ICANN, with efforts to increase participation, meaningful engagement is still from a majority of Western countries. Perhaps states and other stakeholders on the other side of the table can address these concerns through clear, inclusive, non-discriminatory commitments and implementation.

Third, India emphasized how the Draft Resolution does not propose that ITU be involved in content management or resources control, but only seeks to systematize allocation by asking the ITU Secretary General to collaborate and coordinate with other Internet governance organisations to create a set of principles for fair, equitable, transparent and democratic - as well as secure - allocation of resources. ITU Resolution 101 already instructs the Secretary General to collaborate with relevant Internet governance organisations, and the Draft Resolution merely seeks to spell out his tasks. However, as I pointed out in my previous post, the text of the Draft Resolution is at odds with this intention of India's. By dint of its drafting, it gravely implicates human rights, as well as touching upon resource allocation oversight ("needs to be adhere to" in Op. §2). To reflect the above stated intention, the Draft Resolution would need to be redrafted.

Finally, the text of the Draft Resolution exhibits, unfortunately, a certain disregard for existing network architecture and efficiency within the Internet, and to the principles of a free, open and inter-operable and unified Internet, when it seeks to develop a network architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing. An argument may, of course, be made in favour of efficiency and costs, including reduced latency. But it is clear that this has the potential to increase domestic surveillance capabilities and government censorship of content. In any case, traffic localization (if not local address resolution) can be achieved without ITU coordination: through Internet Exchange Points, and through more efficient and better-negotiated peering and transit arrangements (pages 14-17). Internationally coordinated rules for localized traffic routing is not necessary; you just need to have a more efficient Internet Exchange Point. How to get more ISPs to interconnect through India’s National Internet Exchange (NIXI) is one of the very questions that India’s Telecom Regulatory Authority has taken up in its recent consultation on expanding broadband access (page 49). So it is possible that India's concerns could be addressed without ITU involvement, though I am unsure of its impact on the global Internet.

The Draft Resolution will be discussed at the ITU Plenipot today. The discussion will allow India and sympathetic countries to raise several of their concerns relating to the present system of Internet governance, and the direction of its progress. I will report on these discussions upon their completion.

A Note on Limitations:

The aim of this post is to clarify. I would caution against its being the last word on anything, much less India’s positions on Internet governance. An issue as important as this needs far greater access to and confirmation from India’s government – and a more in-depth understanding of the politics – than I do, at the moment.

At the same time, India has not been a model for civil society engagement, as illustratively, the Narmada Bachao Andolan and/or P. Sainath’s evaluation of government policies in Everybody Loves a Good Drought reveal. It has been harder to effectively engage with India’s government than in many states in North America, Latin America and Europe. But I believe the complex dynamics of that is not unique to India. The NSA and GCHQ revelations (as an example of governmental trust deficit of unmatched proportions) have shown that where governments want to keep everyone out and oblivious, they do it well.

I am not in favour of a purely multilateral approach to Internet governance. But at the same time, I share concerns over definition and the evolution of processes as well, as I am sure others in civil society also do. Particularly on the issue of Internet governance and multi-stakeholderism, evidence reveals inconsistency among India’s various ministries. Until this is addressed by our government (hopefully in consultation with all concerned stakeholders), an open mind would probably be the best thing we - including states - could keep.

 

Acknowledgements: I would like to thank Sunil Abraham, Pranesh Prakash, Rishabh Dara, Arun Sukumar, Anja Kovacs and Parminder Jeet Singh for the freedom to bounce ideas, feedback and the many discussions about multi-stakeholder approaches and Internet governance. I also wish to acknowledge Samir Saran’s article in CFR, which offers an interesting perspective on India’s Draft Resolution.


[1] For this post, I will use ‘multi-stakeholder approaches’ as an umbrella term, but would urge readers to keep in mind the many uncertainties and disagreements about defining multi-stakeholderism for Internet governance. These disagreements exist among and within all stakeholders, including government and civil society. In addition to various iterations of the ‘equal footing model’, the model proposed in §35 of the Tunis Agenda is also multi-stakeholder, albeit in a different – and for many in civil society, less desirable – sense.

[2] For those unacquainted with WCIT, see Mueller, ITU Phobia: Why WCIT was derailed, Internet Governance Blog (18 December 2012), http://www.internetgovernance.org/2012/12/18/itu-phobia-why-wcit-was-derailed/; Kleinwächter, WCIT and Internet governance: Harmless resolution or Trojan horse?, CircleID Blog (17 December 2012), http://www.circleid.com/posts/20121217_wcit_and_internet_governance_harmless_resolution_or_trojan_horse/.

[3] For a commentary, see Mueller, A United Nations Committee for Internet-related Policies? A Fair Assessment, Internet Governance Blog (29 October 2011), http://www.internetgovernance.org/2011/10/29/a-united-nations-committee-for-internet-related-policies-a-fair-assessment/.

[4] Contreras, Divergent Patterns of Engagement in Internet Standardization: Japan, Korea and China. I am unable to find this paper online. Please email me for information.

India ITU Resolution (Busan, 2014) - Revised

by Geetha Hariharan last modified Nov 02, 2014 03:08 PM
Text of revised resolution presented by India at ITU Plenipot, Busan 2014.

PDF document icon India ITU Resolution, Revised.pdf — PDF document, 99 kB (101825 bytes)

India's Statement at ITU Plenipotentiary Conference, 2014

by Geetha Hariharan last modified Nov 04, 2014 05:50 AM
India's Draft Resolution at the ITU Plenipot, which we have previously blogged about, was not passed following discussions at the Ad Hoc Working Group on Internet-related Resolutions. Subsequently, India made a statement at the Working Group of the Plenary, emphasizing the importance of the issues and welcoming further discussions. The statement was delivered by Mr. Ram Narain, DDG-IR, Department of Telecommunications and Head of India's Delegation at PP-14. The full text of the statement is provided below.

 

"Chairman of Working Group Plenary, Mr Musab Abdulla, Head of Delegations, delegates, ladies and gentlemen, good morning/afternoon to you all. I was indeed impressed with the camaraderie with which discussions were held inspite of the fact that delegates discussing the issues have different cultures, languages, nuances, impressions and sometime interests.

"Governance of packet-switched data telecom Networks based on Internet Protocol (IP), popularly known as Internet, has become an important and contentious issue due to several reasons known to all of us. We put up a draft resolution to address some of these key issues pertaining to IP based networks. When we put up the proposal, I had thought that the proposal would contribute in diminishing some of the differences. These issues and their probable solutions are given in our draft resolution, document 98, about which we were ready to take constructive inputs.

"Information is power these days. The wise Lord Acton said about hundred and fifty years ago that Power tends to corrupt and absolute power corrupts absolutely. The countries in modern times have become great on the principles of equality, liberty and justice. As and when these principles were compromised great powers lost their hold. Broadband penetration and connectivity has been the important running theme of this conference. We believe this, like great empires, can only be built on the principles of fairness, justice, and equality. No Telecom Network whether IP based or otherwise can function without naming and numbering, which is the lifeline of a network. Their availability in a fair, just and equitable manner, therefore, is an important public policy issue and need to be dealt that way. We believe that respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.

"There are number of existing Internet related resolutions, but they only touch the issue in general and, therefore, without focus concrete action does not happen. Our Resolution was with a view to deal with the issues in a focused manner. Some countries supported our draft resolution, while some other were not able to support it. Some stated since the proposal is a comprehensive one, dealing with number of important issues, more time is needed for them to develop a view on it. Due to the number of proposals with Ad Hoc Group lined up before our draft resolution, there was no time left for detailed discussion on the proposal. Therefore, India agreed not to press the resolution for discussion due to paucity of time, with an understanding that for these issues of concerns for many Member States, contributions can be made in various fora dealing with development of IP based networks and future networks, including ITU. India would like that discussion should take place on these issues and look forward to these discussions. We would request that this Statement is included in the records of Plenipotentiary-14 meeting.

"We would like to thank for the cooperation extended by various Member States, particularly USA, for appreciating our concerns and all those who shared our concerns and supported the draft resolution. I would also like to thank Mr. Fabio Bigi, Chairman of Ad Hoc Working Group for giving patient hearing to all us and tolerating all our idiosyncrasies and still arriving at consensus. This is because of his wisdom, which comes with experience.

Thank you all."

Resources of Meeting

by Prasad Krishna last modified Nov 07, 2014 12:37 AM

application/rar icon Resources.rar — application/rar, 739 kB (756743 bytes)

White Paper on RTI and Privacy V1.2

by Vipul Kharbanda last modified Nov 09, 2014 02:53 AM
This white paper explores the relationship between privacy and transparency in the context of the right to information in India. Analysing pertinent case law and legislation - the paper highlights how the courts and the law in India address questions of transparency vs. privacy.

Introduction

Although the right to information is not specifically spelt out in the Constitution of India, 1950, it has been read into Articles 14 (right to equality), 19(1)(a) (freedom of speech and expression) and 21 (right to life) through cases such as Bennet Coleman v. Union of India,[1] Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd.,[2] etc. The same Articles of the Constitution were also interpreted in Kharak Singh v.State of U.P.,[3] Govind v. State of M.P., [4] and a number of other cases, to include within their scope a right to privacy. At the very outset it appears that a right to receive information -though achieving greater transparency in public life - could impinge on the right to privacy of certain people. The presumed tension between the right to privacy and the right to information has been widely recognized and a framework towards balancing the two rights, has been widely discussed across jurisdictions. In India, nowhere is this conflict and the attempt to balance it more evident than under the Right to Information Act, 2005 (the "RTI Act").

Supporting the constitutional right to information enjoyed by the citizens, is the statutorily recognized right to information granted under the RTI Act. Any potential infringement of the right to privacy by the provisions of the RTI Act are sought to be balanced by section 8 which provides that no information should be disclosed if it creates an unwarranted invasion of the privacy of any individual. This exception states that there is no obligation to disclose information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information. [5] The Act further goes on to say that where any information relating to or supplied by a third party and treated by that party as confidential, is to be disclosed, the Central Public Information Officer or State Public Information Officer has to give written notice to that party within five days of receiving such a request inviting such third party (within ten days) to make its case as to whether such information should or should not be disclosed.[6]

A plain reading of section 11 suggests that for the section to apply the following three conditions have to be satisfied, i.e. (i) if the PIO is considering disclosing the information (ii) the information relates to the third party or was given to a Public Authority by the third party in confidence; and (iii) the third party treated the information to be a confidential. It has been held that in order to satisfy the third part of the test stated above, the third party has to be consulted and therefore a notice has to be sent to the third party. Even if the third party claims confidentiality, the proviso to the section provides that the information cannot be withheld if the public interest in the disclosure outweighs the possible harm or injury that may be caused to the third party, except in cases of trade or commercial secrets.[7] The Courts have also held that section 11 should be read keeping in mind the exceptions contained in section 8 (discussed in detail later) and the exceptions contained therein. [8]

This principle of non disclosure of private information can be found across a number of common law jurisdictions. The United Kingdom's Freedom of Information Act, 2000 exempts the disclosure of information where it would violate the data protection principles contained in the Data Protection Act, 1998 or constitute an actionable breach of confidence.[9] The Australian Freedom of Information Act, 1982 categorizes documents involving unreasonable disclosure of personal information as conditionally exempt i.e. allows for their disclosure unless such disclosure would be contrary to public interest.[10] The Canadian Access to Information Act also has a provision which allows the authorities to refuse to disclose personal information except in accordance with the provisions of the Canadian Privacy Act. [11]

An overview of the RTI Act, especially sections 6 to 8 seems to give the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act. [12] This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right. [13] Logical as this argument may seem and appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). That is because the right to privacy envisaged in this section is also a pre-existing constitutional right which has been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates.[14] Therefore there is an ambiguity regarding the treatment and priority given to the privacy exception vs. the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.

The Privacy Exception

As discussed earlier, the purpose of the RTI Act is to increase transparency and ensure that people have access to as much public information as possible. Such a right is critical in a democratic country as it allows for accountability of the State and allows individuals to seek out information and make informed decisions. However, it seems from the language of the RTI Act that at the time of its drafting the legislature did realize that there would be a conflict between the endeavor to provide information and the right to privacy of individuals over the information kept with public authorities, which is why a privacy exception was carved into section 8(1)(j) of the Right to Information Act. The Act does not only protect the privacy of the third party who's information is at risk of being disclosed, but also the privacy of the applicant. In fact it has now been held that a private respondent need not give his/her ID or address as long as the information provided by him/her is sufficient to contact him/her.[15]

It is interesting to note that although the RTI Act gives every citizen a right to information, it does not limit this right with a stipulation as to how the information shall be used by the applicant or the reason for which the applicant wants such information. [16] This lack of a purpose limitation in the Act may have privacy implications as non sensitive personal information could be sought from different sources and processed by any person so as to convert such non-sensitive or anonymous information into identifiable information which could directly impact the privacy of individuals.

The exception in S. 8(1)(j) prohibits the disclosure of personal information for two reasons (i) its disclosure does not relate to any public activity or interest or (ii) it would be an unwarranted invasion into privacy. The above two conditions however get trumped if a larger public interest is satisfied by the disclosure of such information.

One interesting thing about the exception contained in section 8(1)(j) is that this exception itself has an exception to it in the form of a proviso. The proviso says that any information which cannot be denied to the central or state legislature shall not be denied to any person. Since the proviso has been placed at the end of sub-section 8(1) which is also the end of clause 8(1)(j), one might be tempted to ask whether this proviso applies only to the privacy exception i.e. clause 8(1)(j) or to the entire sub-section 8(1) (which includes other exceptions such as national interest, etc.). This issue was put to rest by the Bombay High Court when it held that since the proviso has been put only after clause 8(1)(j) and not before each and every clause, it would not apply to the entire sub-section 8(1) but only to clause 8(1)(j), thus ensuring that the exceptions to disclosure other than the right to privacy are not restricted by this proviso.[17]

Scope of Proviso to section 8(1)(j)
Though the courts have agreed that the proviso is applicable only to section 8(1)(j), the import of the proviso to section 8(1)(j) is a little more ambiguous and there are conflicting decisions by different High Courts on this point. Whereas the Bombay High Court has laid emphasis on the letter of the proviso and derived strength from the objects and overall scheme of the Act to water down the provisions of section 8(1)(j), [18] the Delhi High Court has disagreed with such an approach which gives "undue, even overwhelming deference" to Parliamentary privilege in seeking information. Such an approach would render the protection under section 8(1)j) meaningless, and the basic safeguard bereft of content.[19] In the words of the Delhi High Court:

" The proviso has to be only as confined to what it enacts, to the class of information that Parliament can ordinarily seek; if it were held that all information relating to all public servants, even private information, can be accessed by Parliament, Section 8(1)(j) would be devoid of any substance, because the provision makes no distinction between public and private information. Moreover there is no law which enables Parliament to demand all such information; it has to be necessarily in the context of some matter, or investigation. If the reasoning of the Bombay High Court were to be accepted, there would be nothing left of the right to privacy, elevated to the status of a fundamental right, by several judgments of the Supreme Court. "

The interpretation given by the Delhi High Court thus ensures that section 8(1)(j) still has some effect, as otherwise the privacy exception would have gotten steamrolled by parliamentary privilege and all sorts of information such as Income Tax Returns, etc. of both private and public individuals would have been liable to disclosure under the RTI Act.

Unfortunately, the RTI Act does not describe the terms "personal information" or "larger public interest" used in section 8(1)(j), which leaves some amount of ambiguity in interpreting the privacy exception to the RTI Act. Therefore the only option for anyone to understand these terms in greater depth is to discuss and analyse the case laws developed by the Hon'ble Supreme Court and the High Courts which have tried to throw some light on this issue.

We shall discuss some of these landmark judgments to understand the interpretations given to these terms and then move on to specific instances where (applying these principles) information has been disclosed or denied.

Personal Information
The RTI Act defines the term information but does not define the term "personal information". Therefore one has to rely on judicial pronouncements to understand the term a more clearly. Looking at the common understanding and dictionary meaning of "personal" as well as the definition of "information" contained in the RTI Act it could be said that personal information would be information, information that pertains to a person and as such it takes into its fold possibly every kind of information relating to the person. Now, such personal information of the person may, or may not, have relation to any public activity, or to public interest. At the same time, such personal information may, or may not, be private to the person. [20]

The Delhi High Court has tried to draw a distinction between the term "private information" which encompasses the personal intimacies of the home, the family, marriage, motherhood, procreation, child rearing and of the like nature and "personal information" which would be any information that pertains to an individual. This would logically imply that all private information would be part of personal information but not the other way round. [21] The term 'personal information' has in other cases, been variously described as "identity particulars of public servants, i.e. details such as their dates of birth, personal identification numbers",[22] and as including tax returns, medical records etc.[23] It is worth noting that just because the term used is "personal information" does not mean that the information always has to relate to an actual person, but may even be a juristic entity such as a trust or corporation, etc.[24]

Larger Public Interest
The term larger public interest has not been discussed or defined in the RTI Act, however the Courts have developed some tests to determine if in a given situation, personal information should be disclosed in the larger public interest.

Whenever a Public Information Officer is asked for personal information about any person, it has to balance the competing claims of the privacy of the third party on the one hand and claim of public interest on the other and determine whether the public interest in such a disclosure satisfies violating a person's privacy. The expression "public interest" is not capable of a precise definition and does not have a rigid meaning. It is therefore an elastic term and takes its colors from the statute in which it occurs, the concept varying with the time and the state of the society and its needs. This seems to be the reason why the legislature and even the Courts have shied away from a precise definition of "public interest". However, the term public interest does not mean something that is merely interesting or satisfies the curiosity or love of information or amusement; but something in which a class of the community have some interest by which their rights or liabilities are affected.[25]

There have been suggestions that the use of the word "larger" before the term "public interest" denotes that the public interest involved should serve a large section of the society and not just a small section of it, i.e. if the information has a bearing on the economy, the moral values in the society; the environment; national safety, or the like, the same would qualify as "larger public interest".[26] However this is not a very well supported theory and the usage of the term "larger public interest" cannot be given such a narrow meaning, for example what if the disclosure of the information could save the lives of only 10 people or even just 5 children? Would the information not be released just because it violates one person's right to privacy and there is not a significant number of lives at stake? This does not seem to be what all the cases on the right to privacy, right from Kharak Singh[27] all the way to Naz Foundation, [28] seem to suggest. Infact, in the very same judgment where the above interpretation has been suggested, the Court undermines this argument by giving the example of a person with a previous crime of sexual assault being employed in an orphanage and says that the interest of the small group of children in the orphanage would outweigh the privacy concerns of the individual thus requiring disclosure of all information regarding the employee's past.

In light of the above understanding of section 8(1)(j), there seem to be two different tests that have been proposed by the Courts, which seem to connote the same principle although in different words:

1. The test laid down by Union Public Service Commission v. R.K. Jain:

(i) The information sought must relate to „Personal information‟ as understood above of a third party. Therefore, if the information sought does not qualify as personal information, the exemption would not apply;

(ii) Such personal information should relate to a third person, i.e., a person other than the information seeker or the public authority; AND

(iii) (a) The information sought should not have a relation to any public activity qua such third person, or to public interest. If the information sought relates to public activity of the third party, i.e. to his activities falling within the public domain, the exemption would not apply. Similarly, if the disclosure of the personal information is found justified in public interest, the exemption would be lifted, otherwise not; OR (b) The disclosure of the information would cause unwarranted invasion of the privacy of the individual, and that there is no larger public interest involved in such disclosure. [29]

2. The other test was laid down in Vijay Prakash v. Union of India, but in the specific circumstances of disclosure of personal information relating to a public official:

(i) whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization;

(ii) whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case; and

(iii) whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources. [30]

Constitutional Restrictions
Since there is not extensive academic discussion on the meaning of the term "larger public interest" or "public interest" as provided in section 8(1)(j), one is forced to turn to other sources to get a better idea of these terms. One such source is constitutional law, since the right to privacy, as contained in section 8(1)(j) has its origins in Articles 14,[31] 19(1)(a) [32] and 21[33] of the Constitution of India. The constitutional right to privacy in India is also not an absolute right and various cases have carved out a number of exceptions to privacy, a perusal of which may give some indication as to what may be considered as 'larger public interest', these restrictions are:

a) Reasonable restrictions can be imposed on the right to privacy in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; [34]

b) Reasonable restrictions can be imposed upon the right to privacy either in the interests of the general public or for the protection of the interests of any Scheduled Tribe;[35]

c) The right to privacy can be restricted by procedure established by law which procedure would have to satisfy the test laid down in the Maneka Gandhi case.[36]

d) The right can be restricted if there is an important countervailing interest which is superior; [37]

e) It can be restricted if there is a compelling state interest to be served by doing so; [38]

f) It can be restricted in case there is a compelling public interest to be served by doing so; [39]

g) The Rajagopal tests - This case lays down three exceptions to the rule that a person's private information cannot be published, viz. i) person voluntarily thrusts himself into controversy or voluntarily raises or invites a controversy, ii) if publication is based on public records other than for sexual assault, kidnap and abduction, iii) there is no right to privacy for public officials with respect to their acts and conduct relevant to the discharge of their official duties. It must be noted that although the Court talks about public records, it does not use the term 'public domain' and thus it is possible that even if a document has been leaked in the public domain and is freely available, if it is not a matter of public record, the right to privacy can still be claimed in regard to it.[40]

Section 8(1)(j) in Practice

The discussion in the previous chapter regarding the interpretation of section 8(1)(j), though (hopefully) helpful still seems a little abstract without specific instances and illustrations to drive home the point. In this chapter we shall endeavor to briefly discuss some specific cases regarding information disclosure where the issue of violation of privacy of a third party was raised.

Private Information of Public Officials
Some of the most common problems regarding section 8(1)(j) come up when discussing information (personal or otherwise) regarding public officers. The issue comes up because an argument can be made that certain information such as income tax details, financial details, medical records, etc. of public officials should be disclosed since it has a bearing on their public activities and disclosure of such information in case of crooked officers would serve the interests of transparency and cleaner government (hence serving a larger public interest). Although section 8(1)(j) does not make any distinction between a private person and a public servant, a distinction in the way their personal information is treated does appear in reality due to the inherent nature of a public servant. Infact it has sometimes been argued that public servants must waive the right to privacy in favour of transparency.[41] However this argument has been repeatedly rejected by the Courts, [42] just because a person assumes public office does not mean that he/she would automatically lose their right to privacy in favour of transparency.

If personal information regarding a public servant is asked for, then a distinction must be made between the information that is inherently personal to the person and that which has a connection with his/her public functions. The information exempted under section 8(1)(j) is personal information which is so intimately private in nature that the disclosure of the same would not benefit any other person, but would result in the invasion of the privacy of the third party.[43] In short, the Courts have concluded that there can be no blanket rule regarding what information can and cannot be disclosed when it comes to a public servant, and the disclosure (or lack of it) would depend upon the circumstances of each case.

Although the earlier thinking of the CIC as well as various High Courts of the country was that information regarding disciplinary proceedings and service records of public officials is to be treated as public information in order to boost transparency,[44] however this line of thinking took almost a U-turn in 2012 after the decision of the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner,[45] and now the prevailing principle is that such information is personal information and should not be disclosed unless a larger public interest is would be served by the disclosure.

It would also be helpful to look at a list of the type of information regarding public servants which has been disclosed in the past, gleaned from various cases, to get a better understanding of the prevailing trends in such cases:

(i) Details of postings of public servants at various points of time, since this was not considered as personal information; [46]

(ii) Copies of posting/ transfer orders of public servants, since it was not considered personal information; [47]

(iii) Information regarding transfers of colleagues cannot be exempted from disclosure, since disclosure would not cause any unwarranted invasion of privacy and non disclosure would defeat the object of the RTI Act;[48]

(iv) Information regarding the criteria adopted and the marks allotted to various academic qualifications, experience and interview in selection process for government posts by the state Public Service Commission;[49]

(v) Information regarding marks obtained in written test, interview, annual confidential reports of the applicant as well as the marks in the written test and interview of the last candidate selected, since this information was not considered as personal information; [50]

(vi) Information relating to the appointment and educational certificates of teachers in an educational institution (which satisfies the requirements of being a public authority) was disclosed since this was considered as relevant to them performing their functions. [51]

The performance of an employee/officer in an organization is primarily a matter between the employee and the employer and normally those aspects are governed by the service rules which fall under the expression "personal information", the disclosure of which has no relationship to any public activity or public interest. To understand this better below is a brief list of the type of information that has been considered by the Courts as personal information which is liable to be exempt from disclosure under section 8(1)(j):

(i) (a) Salary details, (b) show cause notice, memo and censure, (c) return of assets and liabilities, (d) details of investment and other related details, (e) details of gifts accepted, (f) complete enquiry proceedings, (g) details of income tax returns;[52]

(ii) All memos issued, show cause notices and orders of censure/punishment etc. are personal information. Cannot be revealed unless a larger public interest justifies such disclosure;[53]

(iii) Disciplinary information of an employee is personal information and is exempt under section 8(1)(j); [54]

(iv) Medical records cannot be disclosed due to section 8(1)(j) as they come under "personal information", unless a larger public interest can be shown meriting such disclosure;[55]

(v) Copy of personnel records and service book (containing Annual Confidential Reports, etc.) of a public servant is personal information and cannot be disclosed due to section 8(1)(j);[56]

(vi) Information regarding sexual disorder, DNA test between an officer and his surrogate mother, name of his biological father and step father, name of his mother and surrogate step mother and such other aspects were denied by the Courts as such information was considered beyond the perception of decency and was an invasion into another man's privacy.[57]

It is not just the issue of disclosure of personal details of public officials that raises complicated questions regarding the right to information, but the opposite is equally true, i.e. what about seemingly "public" details of private individuals. A very complicated question arose with regard to information relating to the passport details of private individuals.

Passport Information of Private Individuals
The disclosure of passport details of private individuals is complicated because for a long time there was some confusion because of the treatment to be given to passport details, i.e. would its disclosure cause an invasion of privacy since it contains personally identifying information, specially because photocopies of the passport are regularly given for various purposes such as travelling, getting a new phone connection, etc. The Central Information Commission used a somewhat convoluted logic that since a person providing information relating to his residence and identity while applying for a passport was engaging in a public activity therefore such information relates to a public activity and should be disclosed. This view was rejected by the Delhi High Court in the case of Union of India v. Hardev Singh,[58] and the view taken inHardev Singh was later endorsed and relied upon in Union of India v. Rajesh Bhatia, [59] while hearing a number of petitions to decide what details of a third party's passport should be disclosed and what should be exempt from disclosure.

A list of the Courts conclusions is given below:

Information that can be revealed:

(i) Name of passport holder;

(ii) Whether a visa was issued to a third party or not;

(iii) Details of the passport including dates of first issue, subsequent renewals, dates of application for renewals, numbers of the new passports and date of expiry;

(iv) Nature of documents submitted as proof;

(v) Name of police station from where verification for passport was done;

(vi) Whether any report was called for from the jurisdictional police;

(vii) Whether passport was renewed through an agent or through a foreign embassy;

(viii) Whether it was renewed in India or any foreign country;

(ix) Whether tatkal facility was availed by the passport holder;

Information that cannot be revealed:

(i) Contents of the documents submitted with the passport application;

(ii) Marital status and name and address of husband;

(iii) Whether person's name figures as mother/guardian in the passport of any minor;

(iv) Copy of passport application form;

(v) Residential address of passport holder;

(vi) Details of cases filed/pending against passport holder;

(vii) Copy of old passport;

(viii) Report of the police and CID for issuing the passport;

(ix) Copy of the Verification Certificate, if any such Verification Certificate was relied upon for the issue of the passport.

Other Instances

Apart from the above two broad categories of information that has been the subject of intense judicial discussion, certain other situations have also arisen where the Courts have had to decide the issue of disclosure under section 8(1)(j), a brief summary of such situations is given below:

(i) names and details of people who received money as donations from the President out of public funds was considered as information which has a definite link to public activities and was therefore liable to be disclosed;[60]

(ii) information regarding the religion practiced by a person, who is alleged to be a public figure, collected by the Census authorities was not disclosed since it was held that the quest to obtain the information about the religion professed or not professed by a citizen cannot be in any event; [61]

(iii) information regarding all FIRs against a person was not protected under section 8(1)(j) since it was already a matter of public record and Court record and could not be said to be an invasion of the person's privacy;[62]

(iv) information regarding the income tax returns of a public charitable trust was held not to be exempt under section 8(1)(j), since the trust involved was a public charitable trust functioning under a Scheme formulated by the District Court and registered under the Bombay Public Trust Act as such due to its character and activities its tax returns would be in relation to public interest or activities.[63]

Conclusion

A discussion of the provisions of section 8 and 11 of the RTI Act as well as the case laws under it reveals that the legislature was aware of the dangers posed to the privacy of individuals from such a powerful transparency law. However, it did not want the exceptions carved out to protect the privacy of individuals to nullify the objects of the RTI Act and therefore drafted the legislation to incorporate the principle that although the RTI Act should not be used to violate the privacy of individuals, such an exception will not be applicable if a larger public interest is to be served by the disclosure. This principle is in line with other common law jurisdictions such as the U.K, Austalia, Canada, etc. which have similar exceptions based on privacy or confidentiality.

However it is disappointing to note that the legislature has only left the legislation at the stage of the principle which has left the language of the exception very wide and open to varied interpretations. It is understandable that the legislature would try to keep specifics out of the scope of the section to make it future proof. It is obvious that it would be impossible for the legislature or the courts to imagine every single circumstance that could arise where the right to information and the right to privacy would be at loggerheads. However, such wide and ambiguous drafting has led to cases where the Courts and the Central Information Commission have taken opposing views, with the views of the Court obviously prevailing in the end. This was illustrated by the issue of disclosure of passport details of private individuals with a large number of CIC cases taking different views till the High Court of Delhi gave categorical findings on the issue in the Hardev Singh and Rajesh Bhatia cases. Similar was the issue of service details of public officials since before the decision of the Supreme Court in the case of Girish Ramchandra Deshpande in 2012 the prevailing thinking of the CIC was that details of disciplinary proceedings against public officials are not covered by section 8(1)(j), however this thinking has now taken a U-turn as the Supreme Court's understanding of the right to privacy has taken stronger roots and such information is now outside the scope of the RTI Act, unless a larger public interest in the disclosure can be shown.

The ambiguity that arises in application when trying to balance the right to privacy against the right to information is a drawback in incorporating only a principle and leaving the language ambiguous in any legislation. This paper does not advocate that the legislature try to list out all the instances of this problem that are possibly imaginable, this would be too time consuming and may even be counterproductive. However, it is possible for the legislature to adopt an accepted practice of legislative drafting and list certain instances where there is an obvious balancing required between the two rights and put them as "Illustrations" to the section. This device has been utilised to great effect by some of the most fundamental legislations in India such as the Contract Act, 1872 and the Indian Penal Code, 1860. An alternative to this approach could be to utilize the approach taken in the Australian Freedom of Information Act, where the Act itself gives certain factors which should be considered to determine whether access to a particular document would be in the public interest or not.

List of References

Primary Sources

1. Australia Freedom of Information Act, 1982.

2. Bennet Coleman v. Union of India, AIR 1973 SC 106.

3. Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

4. Calcutta High Court, WP (W) No. 33290 of 2013, dated 20-11-2013.

5. Canadian Access to Information Act.

6. Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667

7. Constitution of India, 1950.

8. Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

9. Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

10. Jamia Millia Islamia v. Sh. Ikramuddin, Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

11. Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

12. Kharak Singh v. State of U.P., AIR 1963 SC 129.

13. Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978.

14. Naz Foundation Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

15. P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

16. Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82.

17. President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

18. Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

19. R. Rajagopal v. Union of India, Supreme Court of India, dated 7-10-1994.

20. Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

21. Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

22. Right to Information Act, 2005

23. Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

24. Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

25. Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

26. Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

27. Tata Press Ltd. v. Maharashtra Telephone Nigam Ltd., (1995) 5 SCC 139.

28. U.K. Freedom of Information Act, 2000.

29. UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

30. Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151

31. Union of India v. Hardev Singh WP(C) 3444 of 2012 dated 23-08-2013.

32. Union of India v. Rajesh Bhatia WP(C) 2232/2012 dated 17-09-2013.

33. Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

34. Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

Secondary Sources

1. "Country Report for U.K.", Privacy International, available at https://www.privacyinternational.org/reports/united-kingdom.

2. "Country Report for Australia", Privacy International, available at https://www.privacyinternational.org/reports/australia.

3. "Country Report for Canada", Privacy International, available at https://www.privacyinternational.org/reports/canada.


[1] AIR 1973 SC 106. This case held that the freedom of the press embodies in itself the right of the people to read.

[2] (1995) 5 SCC 139.

[3] AIR 1963 SC 129.

[4] Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[5] Section 8(1) in its entirety states as follows:

(1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,-

(a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence;

(b) information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;

(c) information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature;

(d) information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;

(e) information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;

(f) information received in confidence from foreign Government;

(g) information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;

(h) information which would impede the process of investigation or apprehension or prosecution of offenders;

(i) cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers:

Provided that the decisions of Council of Ministers, the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over:

Provided further that those matters which come under the exemptions specified in this section shall not be disclosed;

(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:

Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

[6] Section 11 of the RTI Act.

[7] The Registrar General v. A. Kanagaraj, (Madras High Court, 14 June 2013, available at http://www.indiankanoon.org/doc/36226888/.

[8] Arvind Kejriwal v. Central Public Information Officer, (Delhi High Court, 30 September 2011, available at http://www.indiankanoon.org/doc/1923225/.

[9] Sections 40 and 41 of the U.K. Freedom of Information Act, 2000.

[10] Section 11A read with section 47-F of the Australia Freedom of Information Act, 1982.

[11] Section 19 of the Canadian Access to Information Act.

[12] Public Information Officer v. Andhra Pradesh Information Commission,2009 (76) AIC 854 (AP).

[13] Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).

[14] Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.

[15] Calcutta High Court, WP(W) No. 33290 of 2013, dated 20-11-2013.

[16] Jitendra Singh v. State of U.P., 2008 (66) AIC 685 (All).

[17] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom).

[18] Surup Singh Hyra Naik v. State of Maharashtra, 2007 (58) AIC 739 (Bom), para 14. Where the Court held that since the medical records of a convict cannot be denied to Parliament or State legislature therefore they cannot be exempted from disclosure under the Act.

[19] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[20] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[21] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[22] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[23] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[24] Jamia Millia Islamia v. Sh. Ikramuddin , Delhi High Court, WP(C) 5677 of 2011 dated 22-11-2011.

[25] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[26] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 ( for stay), dated 13-07-2012.

[27] AIR 1963 SC 129.

[28] Delhi High Court, WP(C) No.7455/2001 dated 02-07-2009.

[29] Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012. This ruling was overturned by a Division Bench of the High Court relying upon a subsequent Supreme Court ruling, however, it could be argued that the Division Bench did not per se disagree with the discussion and the principles laid down in this case, but only the way they were applied.

[30] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[31] Right to equality.

[32] Freedom of speech and expression.

[33] Right to life.

[34] Article 19(2) of the Constitution of India, 1950.

[35] Article 19(5) of the Constitution of India, 1950.

[36] Maneka Gandhi v. Union of India, Supreme Court of India, WP No. 231 of 1977, dated 25-01-1978. The test laid down in this case is universally considered to be that the procedure established by law which restricts the fundamental right should be just, fair and reasonable.

[37] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[38] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975.

[39] Govind v. State of M.P., Supreme Court of India, WP No. 72 of 1970, dated 18-03-1975. However the Court later used phrases such as "reasonable restriction in public interest" and "reasonable restriction upon it for compelling interest of State" interchangeably which seems to suggest that the terms "compelling public interest" and "compelling state interest" used by the Court are being used synonymously and the Court does not draw any distinction between them. It is also important to note that the wider phrase "countervailing interest is shown to be superior" seems to suggest that it is possible, atleast in theory, to have other interests apart from public interest or state interest also which could trump the right to privacy.

[40] R. Rajagopal v. Union of India , Supreme Court of India, dated 7-10-1994. These tests have been listed as one group since they are all applicable in the specific context of publication of private information.

[41] Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[42] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010. Also see Vijay Prakash v. Union of India, 2009 (82) AIC 583 (Del).

[43] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667. This case also held that information cannot be denied on the ground that it would be too voluminous.

[44] Union Centre for Earth Science Studies v. Anson Sebastian, AIR 2010 Ker. 151; Union Public Service Commission v. R.K. Jain, Delhi High Court W.P.(C) 1243/2011 & C.M. No. 2618/2011 (for stay), dated 13-07-2012

[45] 2012 (119) AIC 105 (SC).

[46] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[47] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[48] Canara Bank v. Chief Information Commissioner, 2007 (58) AIC Ker 667.

[49] Haryana Public Service Commission v. State Information Commission, AIR 2009 P & H 14.

[50] UCO Bank v. Central Information Commissioner and another, 2009 (79) AIC 545 (P&H).

[51] Surendra Singh v. State of U.P, AIR 2009 Alld. 106.

[52] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[53] Girish Ramchandra Deshpande v. Central Information Commissioner, 2012 (119) AIC 105 (SC).

[54] R.K. Jain v. Union Public Service Commission, Delhi High Court, LPA No. 618 of 2012, dated 12-11-2012.

[55] Secretary General, Supreme Court of India v. Subhash Chandra, Delhi High Court - Full Bench, LPA No.501/2009, dated 12-01-2010.

[56] Srikant Pandaya v. State of M.P., AIR 2011 MP 14.

[57] Paardarshita Public Welfare Foundation v. Union of India and others, AIR 2011 Del 82. It must be mentioned that this case was not exactly under the procedure prescribed under the RTI Act but was a public interest litigation although the courts relied upon the provisions of the RTI Act.

[58] WP(C) 3444 of 2012 dated 23-08-2013.

[59] WP(C) 2232/2012 dated 17-09-2013.

[60] President's Secretariat v. Nitish Kumar Tripathi, Delhi High Court, WP (C) 3382 of 2012, dated 14-06-2012.

[61] P.C. Wadhwa v. Central Information Commission, Punjab and Haryana High Court, LPA No. 1252 of 2009 dated 29-11-2010.

[62] Rajinder Jaina v. Central Information Commission, 2010 (86) AIC 510 (Del. H.C.).

[63] Rajendra Vasantlal Shah v. Central Information Commissioner, New Delhi, AIR 2011 Guj 70.

Introduction: About the Privacy and Surveillance Roundtables

by Manoj Kurbet last modified Nov 27, 2014 01:34 PM
The Privacy and Surveillance Roundtables is a Centre for Internet and Society (CIS) initiative, in partnership with the Cellular Operators Association of India (COAI), as well as local partners. The Roundtable will be closed-door deliberation involving multiple stakeholders. Through the course of these discussions we aim to deliberate upon the current legal framework for surveillance in India, and discuss possible frameworks for surveillance in India.

The provisions of the draft CIS Privacy Bill 2013, the International Principles on the Application of Human Rights to Communication Surveillance, and the Report of the Group of Experts on Privacy will be used as background material and entry points into the discussion. The recommendations and dialogue from each roundtable will be compiled and submitted to the Department of Personnel and training.

The third Privacy and Surveillance Roundtable was held in New Delhi at the India International Centre by the Centre for Internet and Society in collaboration with the Cellular Operators Association of India and Vahura, legal Partner on the 1st of September, 2014.

The aim of the discussion was to gain inputs on what would constitute an ideal surveillance regime in India working with theCIS Draft Privacy Protection Bill, the Report of the Group of Experts on Privacy prepared by the Justice Shah committee, and the International Principles on the Application of Human Rights to Communications Surveillance.

Background and Context: Privacy and Surveillance in India

The discussion began with the chair giving an overview of the legal framework that governs communications interception under Indian Law in the interest of the participants since many were there for the first time.

The legal system to govern the manner in which communications are intercepted in India are defined under three main acts

1. Interception of Telephonic Calls : The Telegraph Act 1885

2. Interception of Posts : The Indian Post Office Act,1898

3. Interception of Electronic communication like e-mails etc :The IT Act, 2000

While the interception of postal mail is governed by Section 26 of the Post Office Act, 1898, the interception of modern forms of communication that use electronic information and traffic data are governed under Sections 69 and 69B of the Information Technology Act, 2000, while interception of telephonic conversations are governed by section 5(2) of the Indian Telegraph Act 1885 and subsequent rules under section 419A.

The main discussion of the meeting revolved around the Telegraph Act since it is the main Act which covers the interception of telecommunications. In 1968 the 30th Law Commission Report studying Section 5(2) of this Act came to the conclusion that the standards in the Act may be unconstitutional given factors such as 'public emergency' & 'public safety' were too wide in nature and called for a relook at the provision.

Objective of Round Table Meetings

The objective of the round table meetings is to, be prepared with the proposals on the Privacy Bill which the new government intends to split into separate Bill for Surveillance and Data privacy. Thus these submissions once out in the public domain would further deliberate more discussion and shape the course of the Bill.

Discussion

Authorisation

The chair initiated the discussion continuing from the last meeting about the two models of authorisation for Interception 1. The Judiciary & 2. The Executive

The chair explained why the earlier proposed Judiciary based model, based on the efficient experience of separation of power, would not fit into the Indian context. The main reason for this being that the lower judiciary in India is not competent enough to take decisions of this nature. Providing examples, the chair explained how in many cases the lower Judiciary overlooks essential human rights in their decisions, and such rights are only addressed when the case is appealed in Higher courts. While participants felt that High Court judges would be favourable, it was expressed that the immense backlog at the High Court level and the lack of judges is a challenge and risks being inefficient. Thus an additional responsibility for the High Court would not be a feasible model. Furthermore, adopting a judicial based model would mean that the existing model of executive would need to be entirely replaced. Owing to these practical implementation issues consensus was built over adoption of the existing executive model, but with more safeguards.

Safeguards proposed:

1. A redressal tribunal: Establishing a tribunal for the redressal of interception complaints. The tribunal could be a non-active body. Such a model would be different from other models adopted around the world - for example e in UK a designated tribunal suo-motu reviews cases on a regular basis. The tribunal could also have judicial review authority, to which one of the participants raised an issue that the tribunals usually will not have the power of Judicial review, however the chair assured him that the delegation of Judicial review to a tribunal does exist in Indian law.

2. A review commission: Establishing a commission to review the interceptions carried out on the orders of home secretary. For such an overseeing body, the commissioner should be appointed independently. The commissioner must be a Judge or a senior Lawyer and should report to the Parliament.

Content data and Metadata

In the next session the chair explained the difference between content data and metadata while initiating discussion on provisions addressing them in the proposed Bill. Content data, also called as payload data, is the actual content of the communication which takes place between X and Y.

Example 1: In the VOIP call the voice is packetized and sent in different packets to the destination, the content of that packet is the content data whereas the information of this content i.e the header, footer and checksum of the packet is the metadata.

Example 2: In the serial communication of the normal phone call the content data will be what the communication happened between two or more people over the call and the metadata will be who were involved in the call, on what date and time the call was made from which place, and under which tower.

It was noted that generally it is easier to intercept metadata than content data. In the proposed bill, section 2 (C) refers to the definition of content data and section 2(E) to metadata.

Participants also pointed out that often it is with metadata that concerned governmental authorities are able to carry out tracking. Thus, when determining procedural safeguards for surveillance - and specifically for interception - the question of whether or not content data and meta data should be treated the same under law must be addressed. Participants suggested looking into German laws, which have procedure to deal with this question. Despite differences over the exact level of protection meta data should legally be afforded, participants agreed that a higher authority should be responsible for the interception, collection, and access to metadata and content data.

In India, because the existing legal framework in India has different standards for different modes of communication, it is proposed that a uniform legal framework be created by harmonizing the three Acts through amendments or overriding existing legislation regulating surveillance in India, and establishing a new framework under a Privacy legislation.

Big Data, Cloud & OTT

In this session a participant raised the issue of Big data and Cloud services, and asked whether the CIS Privacy Protection Bill or the draft Privacy Bill from the government addresses this issue. This question was of particular relevance because a number of the cloud data centres are located in locations outside India. Thus a question of jurisdiction arises. The participant opined that in the coming years and with the new government's vision to have space for every citizen in cloud and data localisation being priority, he stressed that the Bill should clearly address issues related to the cloud, big data, outsourcing, and questions of jurisdiction. Responding to this the chair was of the view that the crimes committed outside the territory of India come under Extra-territorial law, section 4 of IPC and Section 188 Cr. P.C. But it was noted that due to the fact that the crime is committed outside the territory of India, despite the provision, it is practically not implementable unless there is a contract between countries or a treaty signed. The solution could be data localisation, hosting the cloud servers in India, but that again has its own pros & cons. In response participants indicated that if a choice had to be made about data localization - the best option would be one that would be economical for Indian business and the government.

OTT (Over the Top) Services

Another participant brought to the notice of the meeting that most of the networks of service provider's are adopting IP (Internet Protocol). In the context of surveillance, this means that for an interception to take place, Deep Packet Inspection (DPI) must be adopted by service providers. This is currently placing a burden on service providers, as it is costly and the connection time of the calls for the number under surveillance increases - though not enough to be noticed by customers.

Telephone Tapping Process

In India the process of intercepting telephones can be broken down into the following three steps:

1. Authorization

a. The Home Secretary issues an authorization for an interception request.

b. The Authorization is handed over to Police Officer in charge of the investigation.

c. The Police Officer serves the order to the nodal officer in the relevant service provider.

2. The service provider conducts the interception.

3. The intercepted data is handed over to the Police officer.

Under Rule 419A, a committee to review the authorization exists, comprising of officials such as the Cabinet Secretary, Secretary of the Department of Telecommunications, Secretary of the Department of Law and Justice and the Secretary of Information Technology and Communication ministry at the Centre and the Chief Secretary, the Law Secretary and an officer not below the rank of a Principal secretary at the State level.

Since the current infrastructure of telecom and broadband is with private service providers, the government is dependent on service providers to carry out surveillance. As national security is a concern of the government and because in the past intercepted material has been leaked by various sources, the government has proposed to replace the existing system. In this regard the government has proposed to set up a Central Monitoring System (CMS) for the interception of voice and data communications.

It is proposed that the CMS infrastructure will be positioned at the service provider's facilities, and will allow governmental agencies to directly intercept traffic on the network of service providers - thus there would no longer be a need for the government to reply on service providers to carry out interception requests. During the meeting it was discussed how this system has pros & cons

Pros

1. For private companies it eliminates an entire level of compliance.

2. It will reduce the possibility of unlawful, extra legal, & fraudulent authorizations of interception requests.

3. The interception carried out would be maintained in a log, which would clearly recorded, making the interception process becomes accountable.

Cons

1. Even though the existing system gives room for leaks, ironically it is the only way through which a person who is tapped will come to know, hence accounting for some transparency eg: Nira Radia & Amar Singh phone Tap case.

2. CMS will be built upon an existing interception framework, which is not procedurally fair - because of issues such as Internal Authorization, Adhoc procedure, that it is not under the ambit of RTI etc. This will result in a system with no transparency and accountability.

To this last point the Chair noted that in 2011 there were 7.5 Lakh phone taps by a single agency which was reportedly illegal. In an attempt to minimize such brazen violations a Privacy Bill is mooted and the round table conference is a step towards making it possible.

Immunity to TSP's & ISP's

Participants also raised the issue of difficulties that TSPs face while engaged in the process of interception, as they are caught between the customers and government authorities and subjected to harassment sometimes. This places service providers in a position where they must often make a number of compromises as they are expected to store traffic data for a specified period of time, but sometimes a judge might ask for access to data that is dated past the specific retention period. In such a scenario, service providers must provide it by accessing backup data.

The question of who should be the custodian of intercepted data was raised by participants as well as who should be held accountable if intercepted data is leaked into the public domain. The chair responded that the officers investigating the case should be held accountable for the intercepted data. This would be analogous to the system under the Right to Information Act whereby the Information officer is named and held accountable for the data or information he provides. Similarly, for the case of intercepted material, an officer should be named and held accountable for the data and ensuring that it reaches those that it is legally intended to.

It was also expressed that a market regulator, responsible for the safeguarding the interest of communication service providers, could be appointed for handling the personal data. Such a role could be merged with the traditional role of a Data Protection Authority and could be the first step towards an information security and assurance regime.

Legal immunity given to service providers was also discussed, as there was a general concern about the position service providers find themselves in - being held legally liable for not complying with orders from the government and being taken to court by citizens.

Format of Interception Orders and Interception as a service

A question was also posed to participants about what information ideally - apart from the intended duration of the order - should be incorporated into interception orders. Participants suggested that the order should be as specific and precise as possible, which the existing format to a large extent confirms. On the topic, a participant noted that in some cases, despite DoPT guidelines, interception orders are issued in regional languages. This can pose as a problem as the nodal officer might not know the language, thus leading to possible ambiguity & misinterpretation of the order. Participants suggested that orders should be in English.

Participants also pointed out that in most European countries - like France and Italy - a fee for the compliance cost arising out of implementing an interception order is paid to service providers by the government. In India, huge costs are involved in carrying out interceptions which service providers presently have to bare. As law enforcement and security agencies ask for more and more accuracy in surveillance, the charges of carrying out surveillance. To address this, participants suggested that interception as a service should be accommodated in the proposed Bill.

Conclusion

The discussions in the Surveillance and Privacy Roundtable in New Delhi mainly revolved around the authorization model and the process of interception. Overall, participants agreed on an organised executive model with an established accountability and review system. Also discussed was how to ensure that service providers are legally protected from disproportionate and unwarranted penalties. Towards this, the interception process should be viewed as a service rather than an obligation.

DNA Profiling Bill Documents

by Prasad Krishna last modified Dec 04, 2014 11:54 PM

ZIP archive icon DNA Profiling Bill Meetings.zip — ZIP archive, 2698 kB (2763254 bytes)

Ground Zero

by Prasad Krishna last modified Dec 05, 2014 12:35 AM

PDF document icon g0s.pdf — PDF document, 1274 kB (1304726 bytes)

Technology, Gender Based Violence

by Prasad Krishna last modified Dec 07, 2014 03:07 AM

PDF document icon TechnologyandGenderBasedViolence-EventReport (1).pdf — PDF document, 102 kB (104607 bytes)

FY14 Customer Payments final version

by Geetha Hariharan last modified Dec 08, 2014 05:46 AM
ICANN's detailed list of revenues from domain names

PDF document icon FY14 Customer Payments final version.pdf — PDF document, 298 kB (305642 bytes)

FY14 Customer Payments summary

by Geetha Hariharan last modified Dec 08, 2014 05:48 AM
ICANN's FY14 domain name revenue summary

PDF document icon FY14 Customer Payments summary.pdf — PDF document, 65 kB (67104 bytes)

ICANN reveals hitherto undisclosed details of domain names revenues

by Geetha Hariharan last modified Dec 12, 2014 05:08 AM
Following requests from CIS, ICANN has shared a detailed list of its revenues from domain names for the fiscal year ending June 2014. Such level of detail has, until now, been unavailable. Historical data is still to be made available.

 

Five days ago, CIS received a detailed list of ICANN’s revenues from domain name sales and renewals for the fiscal year ending June 2014. The document, sent to us by ICANN’s India head Mr. Samiran Gupta, lists payments received by ICANN from registrars, registries, sponsors and other entities such as the NRO and Country Code TLD administrators. Such granular information is not available at the moment on ICANN’s website as part of its financial transparency disclosures. A summary has also been provided by ICANN.

This revenue disclosure from ICANN comes on the heels of public and email correspondence between CIS and ICANN staff. At the Asia Pacific Regional IGF (August 3-6, 2014), CIS’ Sunil Abraham sought granular data – both current and historical – on ICANN’s revenues from the domain name industry.

Again, at the ICANN Open Forum at IGF (4 September 2014), Sunil sought “details of a list of legal entities that give money to ICANN and how much money they give to ICANN every year”. In emails to Kuek Yu-Chuang (ICANN’s Asia Pacific head) and Xavier Calvez (ICANN CFO), CIS had asked for historical data as well.

The global domain name industry is a multi-billion dollar industry, and ICANN sits at the centre of the web. ICANN is responsible for the policy-making and introduction of new Top Level Domains (TLDs), and it also performs technical coordination and maintenance of the Internet’s unique identifiers (domain names and IP addresses). For each domain name that is registered or renewed, ICANN receives payment through a complex contractual network of registries and registrars. The domain name industry is ICANN’s single largest revenue source.

Given the impending IANA transition and accountability debates at ICANN, and the rapid growth of the global domain name industry, one would imagine that ICANN is held up to the same standard of accountability as laid down in the right to information mechanisms of many countries. At the ICANN Open Forum (IGF Istanbul), Sunil raised this very point. Had a Public Information Officer in India failed to respond to a request for information for a month (as ICANN had to CIS’ request for granular revenue data), the officer would have been fined and reprimanded. Since there are no sufficiently effective accountability or reactive transparency measures at ICANN, such penalties are not in place.

In any event, CIS received the list of ICANN’s current domain name revenues after continual email exchanges with ICANN staff. This is undoubtedly heartening, as ICANN has shown itself responsive to repeated requests for transparency. But it remains that ICANN has shared revenue data only for the fiscal year ending June 2014, and historical revenue data is still not publicly available. Neither is a detailed list (current and historical) of ICANN’s expenditures publicly available. Perhaps ICANN could provide the necessary information during its regular Quarterly Stakeholder Reports, as well as on its website. This would go a long way in ascertaining and improving ICANN’s accountability and transparency.

**

The documents:

  1. ICANN’s domain name revenues in FY14.
  2. Summary of revenue information.

The Socratic debate: Whose internet is it anyway?

by Pranesh Prakash last modified Dec 09, 2014 01:35 PM
In the US, President Obama recently spoke out on the seemingly arcane topic of net neutrality. What is more astounding is that the popular satire news show host John Oliver spent a 13-minute segment talking about it in June, telling Internet trolls to “focus your indiscriminate rage in a useful direction” by visiting the US Federal Communications Commission’s (FCC) website and submitting comments on its weak draft proposal on net neutrality.

The article was published in the Economic Times on November 18, 2014.


Due to the work of activists, popular media coverage, pro-net neutrality technology companies, and John Oliver, eventually the FCC received 1.1 million responses. Text analysis by the Sunlight Foundation using natural language processing found that only 1% of the responses were clearly opposed to net neutrality. So millions of people in the US are both aware and care about this issue. But the general response in India would be: what is net neutrality and why should I be concerned?

Net neutrality is commonly described as the principle of ensuring that there is no discrimination between the different ‘packets’ that an Internet service provider (ISP) carries. That means that the traffic from NDTV should be treated equally by Reliance Infocomm as the traffic from Network 18’s CNNIBN; that even if Facebook wants to pay Airtel to deliver Whatsapp’s packets faster than Viber’s, Airtel may not do so; that peer-to-peer traffic is not throttled; that Facebook will not be able to pay Airtel to keep its subscribers bound within its walled gardens; and also that Airtel can’t claim to be providing Internet access while restricting that to only Facebook or Whatsapp.

The counter to this by telecom companies the world over, which has little evidence backing it, is primarily two-fold: first, one of equity — that it is ‘unfair’ for the likes of YouTube to get a ‘free ride’ on Airtel networks, hogging up bandwidth but not paying them; and second, that of economic incentives — networks are bleeding money due to services like WhatsApp and Skype replacing SMS and voice, and not being able to charge them will lead to a decrease in profitability and network expansion. The first claim is based on a myth of the ‘free ride’, while the reality is that subscribers who download more also pay the ISP more, while contentemitting companies also have to pay their network providers as per the traffic they generate, and those network providers, in turn, have to enter into ‘transit’ or ‘peering’ agreements with the ISPs that eventually provide access to consumers. The second claim has little evidence to back it up. Efficient competition is the best driver of both profit as well as network expansion. VSNL complained about services like Net2Phone in the 1990s and even filtered all voice-over-IP (VoIP) traffic — and illegally blocked a number of VoIP websites — to preserve its monopoly over international telephony. Instead, removing VSNL’s monopoly only benefited our nation. As for network expansion, it is inability of networks to profit from sparsely populated rural areas that poses a major roadblock. Fixing those problems require smart pricing by telecom companies and intelligent regulation, including exploring policy options like shared spectrum, but they do not necessarily require the abandoning of net neutrality.

However, the fact that the reasons telecom companies often provide against net neutrality are bogus doesn’t mean that it’s easy to ensure net neutrality. The Trai has been exploring this issue by holding a seminar on OTT services. However, the main focus of the discussions were not whether and how India should ensure net neutrality: it was on whether the government should regulate services like WhatsApp and bring them under the licence Raj. Yes, the debate going around in the regulatory circles is whether India should implement rules to ensure net non-neutrality so as favour telecom companies! Net neutrality is a difficult issue in regulatory terms since there is no common understanding among academics and activists of what all should fall under its ambit: only the ‘last mile’ or interconnection as well?

The policy dialogue in India is far removed from this and from considering the nuanced positions of anti-net neutrality scholars, such as Christopher Yoo, who raise concerns about the harms to innovation and the free market that would be caused by mandating net neutrality. The situation in India is much more dire, since blatant violations of net neutrality — howsoever defined — are already happening with Airtel launching its ‘One Touch Internet’, a limited walled garden approach that lies about offering access to the ‘Internet’ while only offering access to a few services based on secretive agreements with other companies. Mark Zuckerberg, the founder of Facebook, recently toured India talking about his grand vision of providing connectivity to the bottom half of the pyramid yet did not talk about how that connectivity would not be to the Internet, but will be limited to only a few services — including Facebook.

Even if we had good laws in favour of net neutrality, without effective monitoring and forceful action by the government, they will amount to little. s. Undoubtedly the contours of the conversation that needs to happen in India over net neutrality will be different from that happening in more developed countries with higher levels of Internet penetration.

However it is a cause of grave concern that while net neutrality is being brutally battered by telecom companies in the absence of any regulation, they are also seeking to legitimize their battery through regulation. It is time the direction of the conversation changed. Perhaps we should invite John Oliver over.

Revolving Door Analysis: IANA Stewardship Transition Coordination Group

by Lakshmi Venkataraman — last modified Dec 16, 2014 05:44 AM
The IANA Stewardship Coordination Group (ICG) is the body that will accept and coordinate different proposals for IANA transition. It will make the global Internet community's final proposal for transition to the NTIA. Lakshmi Venkataraman finds that a majority of the ICG's membership have had longstanding affiliations with I-star organisations. What will this mean for IANA transition?

 

Following the NTIA’s announcement of its decision to not renew the IANA Functions contract, ICANN instituted a process in search of an alternative oversight mechanism. The IANA Stewardship Transition Coordination Group (ICG), comprising 30 individuals, is the body set up to accept and coordinate proposals for IANA transition, and after this, to make a final proposal to the NTIA. ICANN claims that the ICG comprises individuals representing 13 different communities and the interests of different stakeholders (direct and indirect), including those of governments, technical community and non-commercial users.

The communities represented in the ICG are as follows:

  • ALAC – At-Large Advisory Committee to ICANN
  • ASO – Policy making body of ICANN w.r.t. IP addresses
  • ccNSO – Policy making body of ICANN w.r.t. ccTLDs
  • GNSO – Makes recommendations on gTLDs to the ICANN Board
  • IAB – Deals with technical and engineering aspects of the ISOC
  • IETF – Deals with the development of standards under the ISOC
  • NRO – Policy Advisor to ICANN w.r.t. IP addresses
  • SSAC – Advisory body of ICANN, w.r.t. security of naming systems
  • RSSAC – Advisory body of ICANN, w.r.t. operation, security and integrity of the Internet’s Root Server System

 

Now, the ICG has been set up to devise and present to the NTIA, an IANA transition proposal that incorporates views and concerns of diverse stakeholders of the global Internet community. The composition of the ICG is, for this purpose, an indicator of the nature of proposals that may find final favour.

At CIS, we examined the affiliations of ICG members with this in mind. Our assumptions are two-fold: (1) greater the diversity in ICG membership, greater the chance of diverse views being heard and represented, including those departing from the status quo; (2) conversely, if the ICG members have histories of affiliations to existing centres of power in global Internet governance (say, the I* organisations), chances of status quo being maintained are greater.

Our findings are presented in tabular format below:

(X – Unknown number of years spent in the organization)

I-star Organisation

________________

Name of person

ICANNIETF IAB W3C ISOC AfriNICARIN APNICLACNICRIPE-NCC
Patrik Faltstrom 3 X X - 3 - - - - -
Paul Wilson X - - - X - - 16 - -
Lynn St. Amour - - 13 - 16 - - - - -
Jari Arkko - 8 1 - - - - - - -
Keith Davidson 4 - - - 2 - - - - -
Demi Getschko 4 - - - 11 - - - - -
Russell Housley - 6 1.5 - - - - - - -
Xiaodong Lee 2 X - - - - - - - -
Elise Gerich 4 - X - - - - - - -
Hartmut Glaser 14 - - - - - - - 2 -
Wolf Ulrich Knobben 4 - - - X - - - - -
Russ Mundy X X - - - - - - - -
Kuo-Wei Wu 15 - - - - - - 11 - -
Narelle Clark - - - - 4 - - - - -
Daniel Karrenberg - - - - 6 - - - - -
Mohamed el Bashir 8 - - - - - - - - -
Martin Boyle X - - - - - - - - -
Keith Drazek 3 - - - - - - - - -
Jean Jacques Subrenat 7 - - - - - - - - -
James Bladel

- - - - - - - - -

(† - To serve on the GNSO Council from November 2015.)

As you will have noticed, 20 out of 30 ICG members (66.67%) have occupied positions in seemingly different organizations, but in actuality, these are organisations with very close links to each other. We see not 13, but 2 organizations that all the communities seem to be affiliated to, i.e., ICANN and ISOC. It seems all too ironic that the body that has been allocated the task of the IANA functions’ transition, in line with the ‘multi-stakeholder’ model, is itself representative of only 2 organizations.

A prodding into the histories of these 30 members from ‘varied’ backgrounds reveals that most of them have rotationally served in the I-Star organizations. A close reading of their bio-data (from their ICANN and LinkedIn pages) reveals our findings on the number of years several of the members of the IANA Stewardship Transition Cooperation Group, have spent at the I-Star organizations.

It is not rocket science to recognise the power the I* organisations have over Internet governance today. Indeed, ICANN tells us that the I* run the Internet. They are the leaders of the status quo.

But the IANA transition is anything but an affirmation of the status quo. Stakeholders and participants in IANA transition (in the CWG, CRISP and IETF) have raised serious concerns about the desirability of IANA continuing within ICANN, and about ICANN’s (inadequate) accountability and transparency. True, ICANN has instituted processes to enable discussion on these issues, and the ICG is part of the process. It is entrusted with the momentous task of shifting from the status quo of the IANA Functions contract to a new mechanism of oversight. Given its composition, an assumption that the ICG may have vested interests in maintaining status quo is not out-of-the-way. In fact, some members of the ICG have previously made statements to the effect that Internet is not broken, and it does not need fixing. This poses a real danger to the IANA transition process and the global Internet community must demand safeguards.


Lakshmi Venkataraman performed the revolving door analysis on the ICG. She is a IV year at NALSAR University of Law and an intern at CIS during December 2014. Geetha Hariharan assisted in writing this post.

Is India’s website-blocking law constitutional? – I. Law & procedure

by Geetha Hariharan last modified Dec 11, 2014 11:02 AM
Section 69A of the Information Technology Act, 2000, along with its corresponding Rules, set out the procedure for blocking of websites in India. Over two posts, Geetha Hariharan examines the constitutional validity of Section 69A and the Blocking Rules.

 

Introduction:

The Information Technology Act, 2000 (“IT Act”) is no stranger to litigation or controversy. Since its enactment in 2000, the IT Act has come under stringent criticism, both for the alleged Constitutional infirmities of its provisions and Rules, as well as for the way it is implemented. In recent years, Sections 66A (re: criminal liability for offensive, annoying or inconveniencing online communications), 67A (re: obscene 69A (re: website-blocking) and 79 (re: intermediary liability) have all come under attack for these reasons.

Today, these Sections and several others have been challenged before the Supreme Court. A total of ten cases, challenging various Sections of the IT Act, are being heard together by the Supreme Court. This is a welcome occasion, for the IT Act desperately needs judicial review. Nikhil Pahwa over at Medianama provides an update and the list of cases.

Among the challenged provisions are Section 66A, Section 79 and Section 69A. Section 66A was and continues to be used wantonly by the State and police. A student was recently arrested for a Twitter comment regarding Cyclone Hudhud, while anti-Modi comments led to several arrests earlier in the year (see here, here and here). At CIS, we have previously subjected Section 66A to constitutional analyses. Pranesh Prakash traced the genealogy of the Section and its import in targeting offensive, annoying and inconveniencing communications and spam, while Gautam Bhatia examined the Section’s overbreadth and vagueness. The casual wording and potential for misuse of Section 79 and the Information Technology (Intermediaries Guidelines) Rules, 2011 led Ujwala Uppaluri to offer strong arguments regarding their violation of Part III of the Constitution.

Similar infirmities also handicap Section 69A and its Rules. This provision empowers the Central government and officers authorised by it to order the blocking of websites or webpages. Website-blocking is permissible for reasons enumerated in Section 69A, and in accordance with the process laid out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public (sic)) Rules, 2009 (“Blocking Rules”). In our view, Section 69A and the Blocking Rules are also unconstitutional, and liable to be declared as such by the Supreme Court. We provide our analysis in this post and the next.

Section 69A, IT Act:

Section 69A and the Blocking Rules provide for website-blocking in accordance with enumerated reasons and process. The Section reads as follows:

69A. Power to issue directions for blocking for public access of any information through any computer resource.-
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.

As you will notice, the Central government may block any information that is “generated, transmitted, received, stored or hosted” in any computer. This will extend, clearly, to any webpage available and/or hosted in India. The Government can order website-blocks if it is satisfied of the necessity or expedience for this on the basis of (any of) six reasons. These reasons are:

  1. Sovereignty and integrity of India,
  2. Defense of India,
  3. Security of the State,
  4. Friendly relations with foreign states,
  5. Public order,
  6. Preventing incitement to the commission of any cognizable offence relating to above.

If the Central government is convinced it has a valid reason, then it must follow the blocking procedure set out in the Blocking Rules, which were notified on 27 October 2009. Before entering into an analysis of the Blocking Rules, let us understand the blocking procedure.

The Blocking Procedure:

I will explain the blocking procedure in 4 steps: (1) Relevant designations and committees; (2) Procedure to make and examine a blocking request, and issue blocking direction; (3) Blocking in special circumstances; and (4) Review of blocking directions.

(1) Relevant designations and committees:

Designated Officer (“DO”): The Central government notifies an officer not below the rank of Joint Secretary as the Designated Officer, who will issue the blocking direction ot the relevant intermediary or agency [Rule 3]. By a notification dated 20 January 2010, the DO is the Group Coordinator, Cyberlaw Division, Department of Information Technology (DIT). Unfortunately, I was unable to locate the Group Coordinator, Cyberlaw Division on the website of the Department of Electronics and Information Technology (DeitY, the name to which DIT was renamed in 2012). I am also unable to find a notification updating the designation of the DO. Presumably, Dr. Gulshan Rai, Director General (Cyberlaws & E-security), DeitY, continues to be the DO.

Nodal Officer (“NO”): Every organization designates one of its officers as a Nodal Officer, who will receive blocking requests and forward them to the DO [Rule 4]. ‘Organisation’ is defined in Rule 2(g) as Ministries or Departments of the Government of India, State governments and Union Territories, and any Agency of the Central government notified in the Official Gazette. I am unable to find on the DeitY website a notification explaining which government Agencies are ‘organisations’ under Rule 2(g).

Intermediary Contact: Every intermediary also designates one person to receive and handle blocking directions from the DO [Rule 13].

Committee for Examination of Request (“CER”): The 5-membered CER comprises the DO as Chairman, along with officers not below the rank of Joint Secretary from the Ministries of Law & Justice, Home Affairs, Information & Broadcasting and CERT-In [Rule 7]. The CER examines each blocking request, before issuing recommendations to the DO to block or not to block. Regrettably, I am unable to identify the current membership of the CER, as no document is available that gives this information. However, the CER’s composition in 2010 may be gleaned (see Annexure III).

Review Committee (“RC”): Rule 2(i) defines the RC as the body set up under Rule 419A, Indian Telegraph Rules, 1951. As per Rule 419A(16), the Central RC is constituted by the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom).

(2) Blocking procedure:

The Blocking Rules stipulate that the entire blocking procedure, from examining a blocking request to issuing a blocking direction, must be carried out within 7 days from the date on which the DO receives the blocking request from the NO [Rule 11].

(a) Making a blocking request: Any person may send a request for a website-block to an NO of any ‘organisation’ (“outside request”). Alternatively, the NO may himself raise a blocking request. The organization has to examine each outside request and be satisfied that it meets the requirements of Section 69A(1), IT Act. Once it is satisfied, the NO forwards the blocking request to the DO. Outside requests must be approved by the Chief Secretary of the State or Union Territory, before they are sent to the DO. [See Rule 6 for this procedure]

(b) Examining a blocking request: Once the DO receives a blocking request, he/she places it before the CER. The DO tries to identify the person/intermediary hosting the troubling information, and if identified, issues a notice seeking their representation before the CER. Foreign entities hosting the information are also informed over fax/email. The person/intermediary has 48 hours from the date of receiving the DO’s notice to make its representation.

After this, the CER will examine the blocking request. It will “consider whether the request is covered within the scope of Section 69A(1)”, and whether it is justifiable to block [Rule 8(4)].

(c) Blocking direction: The DO then places the CER’s recommendation to block or not to block before the Secretary (DeitY) for his/her approval. If and once approval is granted, the DO directs the relevant Agency or intermediary to block the website/page.

(3) Blocking in special circumstances:

(a) Emergencies [Rule 9]: In an emergency “when no delay is acceptable”, the DO passes over the blocking procedure described above. With written recommendations, the DO directly approaches the Secretary (DeitY) for approval of blocking request. If satisfied, the Secretary (DeitY) issues the blocking direction as an interim measure. Nevertheless, the DO is required to place the blocking request before the CER at the earliest opportunity (in any case, not later than 48 hours after blocking direction).

(b) Court orders [Rule 10]: If a court has ordered a website-block, the DO follows a procedure similar to an Emergency situation. He/she submits the certified copy of order to the Secretary (DeitY), and then initiates action as ordered by the court.

(4) Review of blocking directions:

The RC is to meet once in 2 months to evaluate whether blocking directions issued under the Blocking Rules are in compliance with Section 69A(1) [Rule 14]. No other review or appeal mechanism is provided under the Blocking Rules. Nor are aggrieved parties afforded any further opportunities to be heard. Also note that Rule 16 mandates that all requests and complaints received under the Blocking Rules are to the kept strictly confidential.

In the next post, I will subject Section 69A and the Blocking Rules to a constitutional analysis.

Blocking procedure poster:

CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

Identifying Aspects of Privacy in Islamic Law

by Vidushi Marda and Bhairav Acharya — last modified Jan 01, 2015 02:04 PM
This white paper seeks to identify aspects of privacy in Islamic Law and demonstrate that the notion of privacy was recognized and protected in traditional Islamic law.

I. Introduction

The nuances of privacy have been deliberated by numerous scholars till date, without arriving at a definite answer. It has been perceived as a right to be left alone, as mere secrecy, as the right to a legitimate area of seclusion and solitude. Privacy is a particularly nebulous concept, with a tendency of resting on intuitionist arguments. However, finding refuge in intuitionist arguments has not lent to a clear understanding of the term itself. This presents a peculiar predicament; while privacy is demanded, nobody seems to have a clear understanding of what it truly means. Daniel Solove opines that privacy is a concept in disarray, it is about everything and hence it seems to be about nothing. Solove finds agreement in a variety of literature, where privacy has been described as a "chameleon-like word", a term suffering from an "embarrassment of meanings", a "powerful rhetorical battle cry".

Traditional notions such as bodily privacy, privacy within one's home, or privacy resulting out of private property are received with far less scepticism than more recent aspects of privacy. With the burgeoning increase in information exchange, the ambit of privacy concerns is widened but not always understood. While earlier notions of privacy confined themselves to physical intrusions, it is now possible to invade a person's privacy without physically intruding on their space. As capabilities to intrude on privacy increase, the demand for respecting privacy grows stronger. In their historic article, Warren and Brandeis referred to privacy as an incorporeal notion, referring to cases of defamation, proprietary harms, contractual harms, breach of confidence to conclude that all such cases belonged to an umbrella principle of the right to privacy.

I.II Aspects of Privacy

William Prosser, a torts scholar, in 1860 attempted to classify privacy comprehensively. He contemplated four kinds of activities as impinging on a person's privacy. They were
1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.
While this classification lent some structure to the understanding of privacy, it restricted itself to only tort law.

A wider taxonomy was offered by Daniel Solove, imbibing concerns of digital privacy and information technology. Focussing on activities that invade privacy, Solove argued that information collection, aggregation of information, dissemination of such aggregated information and invasion into people's private affairs are the aspects integral to understanding the privacy concerns of a data subject.

In its policy paper on privacy in India, the Data Security Council of India (DSCI) recognised privacy issues in the context of e-commerce, transactional privacy, cyber crime, national security, and cross border data flows. Similarly the Department of Personnel and Training (DoPT) in 2011 focussed on understanding privacy in the context of data protection and surveillance. Subsequently, in 2012, the Planning Commission of India set up the A.P. Shah Committee to look into issues of data protection. This Committee classified the dimensions of privacy into four main categories; interception and access, audio and video recording, access and use of personal identifiers, and bodily and genetic material.

The classification of privacy for the purpose of this paper is under the heads of bodily privacy, informational and communications privacy, and territorial and locational privacy. Bodily privacy stems from the notion of personal autonomy and inviolate personality. Battery, rape, voyeurism are all examples of the recognition of the need to protect the privacy of one's body. Communications and informational privacy refers to the protection of sensitive personal information, specific communications and private conversations. Interception of messages, spying, hacking or tapping phone lines are all activities that impinge on privacy under this head. India's ambitious biometric project, Aadhar, has brought to the fore concerns surrounding personal information. Territorial privacy is developed from the notion of private property, the tort of trespass being ample recognition of the same.

I.III Is India a Private Nation?

In October, 2010, the government published an approach paper for legislation on privacy. In explaining the need for privacy legislation in India, the paper states,

"India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has over time, become a way of demonstrating the transparent functioning of the government."

The notion of privacy being a foreign construct carves the argument that legislation on privacy would mean subjecting India to an alien cultural value. However, this ignores the possibility of privacy being culturally subjective. Cultures have exhibited different measurements by which they measure public and private realms. This paper aims to demonstrate that while the word "privacy" does not find explicit reference in traditional Indian law, the essence of privacy as we understand it today has existed in traditional Indian culture, specifically Indian Islamic culture, pre-dating colonialism in India and modernity in India's legal system.

I.IV Displacement of traditional Indian Law

Contemporary Indian law functions within a rubric that was constructed after the "expropriation" of traditional law. India's colonial legacy rendered the displacement of traditional Indian law with a unified modern legal system abounding in European ideas of modernity and legal systems, leaving it is a state of "fractured modernity". Before the British rule, Indians were governed by their personal laws and these laws did not aim to unify the nation in ways that Western legal systems did.. The decision to establish a modern legal system stemmed from the desire to administer the law as a function of the state, which would have been impractical at best in the absence of a unified legal system.

Edward Said eloquently states that the colonial experience does not end when the last European flag comes down or when the last white policeman leaves. One cannot help but agree with Said, as the understanding of law in contemporary India is constructed on the principles of the English common law and on ideas of a modern legal system. While the word "privacy" does not arise in traditional law, this paper argues that the notions of privacy as we perceive it today did exist hitherto the modernization of India's legal system.

I.V Structure of the paper

While Part I has laid down the foundation of this paper and the arguments it endeavours to make, Part II explains the sources of Islamic law and attempts at locating privacy in them. It also explains certain pervasive concepts that will enhance an understanding of privacy in Islamic law. This paper restricts itself to Sunni Islamic law. Part III gives an indication of privacy rights in India's neighbouring Islamic countries (both predominantly Sunni), Pakistan and Bangladesh; and highlights the legal framework for privacy in these countries.

II. Privacy in Islamic Law

II.I Sources of Islamic Law

Before locating aspects of privacy in Islamic Law, an understanding of its structure and sources will be helpful. Islamic Law is composed of Shariah, and fiqh. Shariah indicates the path a faithful Muslim must undertake to attain guidance in the present world and deliverance to the next. Fiqh, the jurisprudence of Islam, refers to the rational understanding of Shariah and human reasoning to appreciate the practical implications of Islam. While Shariah is divine revelation, fiqh is the human inference of Shariah.

The principle tenet of Islam is unwavering obedience to the teachings of God. According to Muslim belief, the Quran is the divine communication from Allah to the Prophet of Islam. It is the foremost record of the word of God, and for this reason is considered the apex source of Islamic law. It is in the Quran that basic norms of Shariah are found, and it embodies the exact words of God as was revealed to the Prophet over a period of 23 years. Fiqh, or the understanding of Shariah, also finds its origins in the holy Quran.

The Sunnah or Prophetic traditions are the ingredients for the model behaviour of a Muslim as demonstrated by the Prophet. It is a "way, course, rule, mode, or manner, of acting or conduct of life." The Sunnah were compiled through the communications of Prophet Muhammad in the form of Hadiths which are communications, stories or conversations; and may be religious or secular; historical or recent. The narrators of the Hadith are known as "isnad" who convey the "matn" or the substance of the Prophet's actions or words as narrated through oral communications through the years. Due to its very nature, the accuracy of the Sunnah came under considerable scrutiny, with concerns as to its possible fabrication and dilution. However, with a well devised system of recording and verifying sources, the Sunnah accompanies the imperative source of Islamic law, the Quran.

The other sources of Islam are found in human reasoning, or ijtihad. Ijtihad assumes a variety of secondary sources such as analogical reasoning (Qiyas), unanimous consensus (Ijma), decisions in favour of public interest (isthihsan), and presumption of continuity (istishab).
Ijtihad entails a resilient effort; an exertion in interpreting the primary sources in order to understand Shariah, to infer the law which is not explicit or evident. The legitimacy of Ijma is found in the Prophetic tradition, which states that the followers of Islam would never agree on an error, and will never unite on misguidance.

The Quran and Sunnah lie at the pinnacle of Islamic jurisprudence and their authoritativeness lends a ready inference of legal principles derived from them. In exploring the concept of Privacy in Islamic Law, this paper will focus mainly on the material available in the Quran and Sunnah.

II.II The Public and Private in Islam

According to the doctrine of Shariah, every aspect of life is deemed to be private unless shown otherwise. The public sphere is that in which governmental authority operates, making it both transparent and open to scrutiny and observation. Since its inception, Islam has considered the idea of governance with reasonable scepticism, ascribing to the view that there is no concept of a human ruler beyond reproach. This perhaps gave impetus to the idea of a private sphere as one that is inhabited exclusively by an individual and the divine, excluding any interference of the State; except with permission from religious law. In Islamic belief, a pious individual had submitted himself to God, and not the worldly State. Hence, all aspects of his life will align with the tenets of Islamic law and in pursuance with the will of God. Any failure to perform religious duties on the part of a Muslim is beyond the scope of another; it is only a consideration between him and the divine. It is believed that the Prophet said, "Those, who acknowledge God in words, and not at heart, do not find fault with their fellow Muslims. The wrongdoing of those who do so become the subject of God's scrutiny, and when God looks into someone's wrongdoing then all shall be truly exposed" The individual is bestowed with complete freedom of action in the private sphere, subject only to the will of the divine. To govern another is wholly beyond the capacity of any individual, and this forms a pervasive theme in Islamic jurisprudence.

Islamic Law recognizes that it is inevitable for every society to impose certain requirements on individuals both by the law and by societal norms. In respect of a public domain, Islam prescribes an amalgam of requirements of a Muslim community and the teachings of Islam. While committing sins in private is beyond the scope of public or governmental scrutiny, committing a sin in public amounts to a crime, meriting worldly punishment.

Islamic law provides for an individual's obligations to the divine at all times, and to the state in matters within the public domain. This is the most striking difference between Islamic law and modern law, as the function of enforcement of the law and punishment are forfeited to the state in a modern legal system, by virtue of the social contract. However, in Islamic societies, the concept of social contract does not exist. Instead, an individual's obligations lie to the state only if acts meriting worldly punishment occur in the public sphere. It is this distinction in the obligations of individuals that leads to conflicts between the application of Islamic law and modern law.

The Quran is replete with rules for all believers to ordain good and forbid evil (al-amrbi al-Ma'rufwa al-nahy 'an al-munkar'). This divine injunction is a restriction of freedom in the private sphere. The notion of privacy in the public sphere was tested through the office of the muhtasib, or compliance officer. These officers were appointed to ensure that the quality of life is preserved in Islamic societies. Personal or private matters which were visible in the public realm were liable to scrutiny from the muhtasib as well. However, this does not extend to matters such as surveillance and spying even on the authority of the state. The Prophet, according to the hadith of Amir Mu'awiyah remarked, " If you try to find out the secrets of the people, then you will definitely spoil them or at least you will bring them to the verge of ruin." In fact, modern jurists admonish the idea of surveillance as "exactly what Islam has called as the root cause of mischief in politics."

II.III. Privacy in Islamic Law

Bodily Privacy

The sanctity of one's bodily privacy is well recognised in Islamic Law. The Quran (24:58) demarcates certain periods in a day which are times of privacy for an individual, and indicates the need for prior permission before one may enter the private sphere of another. These periods are before the prayer at dawn, during the afternoon where one rests, and after the night prayer. This verse also calls upon children who have not yet reached the age of puberty to get accustomed to asking for permission before entering rooms apart from their own.

As far as bodily seizure of individuals accused of crimes goes, the Traditions indicate a general disinclination towards pre-adjudication restraint of individuals. The very occurrence of it appears to be a cause of discomfort as recorded in the Traditions. One of the Prophet's closest companions, Umar, is believed to have encourages officials to speed up adjudication processes so that the accused could not be deprived of the comfort of their homes and families.

bodily privacy and modesty

Although the Quran stipulates gender equality, the norms of bodily privacy and modesty applicable to men are far less rigorous than the rules of modesty that apply to women. While staring is not contemplated as a crime in modern jurisdictions, the Quran directs "believing men to lower their gaze and be modest." At the same time, it directs women to adhere to strict rules of clothing and conduct, with directions on how to conduct oneself both in private as well as public. Interestingly, with the use of full-body scanners at airports around the world, the bodily privacy of Muslims came to the forefront with several Muslim scholars opining that such use of scanners was in direct violation of the tenets of Islam. According to the Quran, the modesty of a Muslim woman is an indication of her faith.

Communication and Informational Privacy

Privacy is, in many ways, inextricably linked to the notions of personal autonomy, and inviolate personality. Privacy in matters apart from those concerned with proprietary interests was only developed as a legal idea around the ninth century, although the Quran made ample references to it. Whilst the term "privacy" is not directly alluded to in the Quran, it contains verses emphasizing the importance of respecting personal autonomy. The Quran (49:12) rebukes those who wish to pry into matters which do not concern them, or harbour suspicions in respect of others, conceding that some suspicions can even be considered crimes. This implies an injunction against investigation; which complements the prohibition of circulation of information pertaining to an individual's private sphere (24:19). According to this verse, publication of immorality is desirous of punishment. A reasonable conclusion from the reading of these verses is that the Quran mandates respect for the private sphere, guaranteeing that a faithful believer will not violate it. The Prophet is reported to have said that non interference of individuals in matters that do not concern them is a sign of their good faith. Interestingly, the injunction against unwarranted search is for all members of a Muslim community, not just followers of Islam. An extension of the concept of informational privacy is the privacy of one's opinion, which is believed to be beyond reproach regardless of its contents. Deeds in the public sphere can be subject to worldly punishment, but thoughts and opinions everywhere, are not subject to it.

The Sunnah have also emphasized on privacy in communications. The Prophet once said, "He, who looks into a letter belonging to his brother, looks into the Hellfire" , indicating that private communications shall enjoy their privacy even in the public domain. This is evident from another saying of the Prophet,"Private encounters result in entrustment", which entails a restriction on communications arising out of private meetings.

Territorial Privacy

Domestic privacy is considered an important facet of Islamic life and this idea pervades different aspects of Shariah. Privacy in regard to proprietary interests was in fact the first legal conception of privacy recognised by Muslim jurists. The Quran (24:27-8) forbids entering another's house in lieu of permission to do the same. It seeks to ensure that a person visiting another's house is welcome in that house; reminding individuals of their rights during such visits. Further, the Quran (2:189) envisions visits made to other's houses only through the front door, indicating respect and transparency in visiting another's dwelling place. Muslim scholars are of the opinion that such rules were laid down in order to safeguard one's private sphere; to allow people to modify their behaviour to accommodate a visitor in a private domain. Clarifying the reasons for such rules, a jurist offered the following explanation, "The first greeting is for the residents to hear the visitor, the second is for the residents to be cautious( fa-ya khudhu hidhrahum),and the third is for them to either welcome the visitor or send him away."

Privacy in the domestic sphere extends to both physical privacy as well as intangible privacy. The Prophet opined that if one's gaze has entered into a private home before his body does, permission to enter the home would be redundant. This follows from the idea that if a person curiously peeps into another's home, it is equivalent to him entering it himself. The right to privacy is extended to absolve the home owner of any guilt in the event of attack on the intruder. Curiously, the right to privacy within one's home is extended to privacy in respect of sinful behaviour within his private sphere; the accountability of a Muslim to his fellow humans is only to be discerned in respect of his public actions. This is illustrated by an interesting story in the Hadith of Umar ibn al-Khattab. Khattab climbed the wall of a house on the suspicion of wine being consumed within the premises. On his suspicion being confirmed, he chided them for their conduct. They then reminded him that while he pointed out their sins, he himself was guilty of three sins; spying on them, failing to greet them and also not approaching their house through the front door. He agreed with them and walked away.

The rationale behind recognising privacy in the domestic sphere is not just illegal intrusion into one's physical space; it is also intrusion into matters of sensitivity which widens the scope for privacy in Islamic Law.

III Privacy in Shariah Based States

Locating aspects of privacy is Shariah-based states is particularly challenging due to the duality of obligations that exists in their legal framework. While Islamic law focuses on obligations of individuals to the divine in all affairs and the state only in public matters, legal obligations in modern states are understood vis-à-vis the state only. The incorporation of Islam into these modern legal systems represents the attempt at reconciling two distinct sources of law. This Part will consider the legal frameworks for privacy in Pakistan and Bangladesh.

III.I Pakistan

Islamic law has had a profound impact on the legal system of Pakistan. This Islamic Republic integrates Shariah law into its common law system, as is evident from Article 227(1) of the 1973 Constitution of Pakistan ("the 1973 Constitution"). It reads, " All existing laws shall be brought in conformity with the Injunctions of Islam as laid down in the Holy Quran and Sunnah, in this Part referred to as the Injunctions of Islam, and no law shall be enacted which is repugnant to such injunction". In addition to the Constitutional safeguards, General Zia-ul-Haq, between 1977 and 1988 provided great impetus to Pakistan's process of incorporating Islam into its common law system through the establishment of appellate religious courts and also enactment of the Hudood criminal law, which was consequently criticized for being discriminatory and arbitrary.

Constitutional Provisions

Enshrined in the 1973 Constitution is the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. While referring to the rights of individuals, Article 4(1) lays down, "To enjoy the protection of law and to be treated in accordance with law in the inalienable right of every citizen. Wherever he may be, and of every other person for the time being within Pakistan." While aspects of privacy can be read into this Article quite emphatically, the 1973 Constitution explicitly recognises the right to privacy, dignity and the inviolability of persons in Article 14(1),"The dignity of man, subject to law, the privacy of home, shall be inviolable". The sanctity of these rights is vigorously upheld as laws inconsistent with fundamental rights are declared to be void to the extent of their inconsistency.

Bodily Privacy

The 1973 Constitution recognises the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. The Pakistan Penal Code (Act XLV of 1860) refers to the protection of privacy of women in Section 509, upholding the modesty of women.

Communications and Informational Privacy

The Pakistan Telecommunication (Re-organisation) Act 1996 enables investigating authorities under the Act to take cognizance of illegalities in communications. These authorities submit their reports to the courts, ensuring the accountability of such events, as well as legitimising search and seizure in pursuance of intercepted communications. The Act also makes arrangements for authorised interception of communications in cases of national security, although the wide and sweeping powers bestowed under this Section are a cause for concern. Moreover, any person causing annoyance to another through a telephone is liable to criminal punishment under the Telegraph Act, 1885.

Medicaland Financial information is recognised as a unit of privacy in the legal system of Pakistan. The delicate balance between transparency of government action and extent of privacy of information is struck in the Freedom of Information Ordinance, which exempts divulging information regarding personal privacy of individuals, private documents and financial privacy.

As far as digital privacy is concerned, the law in Pakistan is still at a nascent stage. In 2000, Pakistan implemented the National Information Technology Policy and Action Plan, which provided for confidentiality of transactional information. In 2002, an Electronic Transactions Ordinance was passed with a view to recognise and protect electronic transactions, setting up a framework within which privacy of information can be guaranteed and authenticity can be verified. There is no devoted law on data protection yet, although a Draft Electronic Data Protection Bill was published by the Ministry of Information in 2005.

Territorial and Locational Privacy

Akin to notions of privacy of the home in Islamic law, criminal trespass is a punishable offence under the Pakistan Penal Code. Pakistan has an unfortunately intimate relationship with terrorism. The Anti Terrorism Act of 1997 incorporates some provisions which raise concerns as to the sanctity of individual privacy. The Act allows an officer of police, armed forces or civil armed forces to enter and search any premise, and to seize any property they suspect to be connected to a terrorist act, without a warrant. Perhaps what is more worrying is that the entry of an officer is not subject to review, unlike in other Islamic countries like the United Arab Emirates. The trade off between personal liberties and national security is acutely felt in Pakistan, with intelligence agencies carrying on mass surveillance, without any legal framework providing for the same.

III.II Privacy in Bangladesh

Bangladesh identifies itself as a secular nation, although Islam is the state religion. The Constitution of Bangladesh uses the word privacy in the context of both territorial and communications privacy.

Bodily Privacy

The Bangladesh Penal Code, similar to Pakistan's, contains a section guaranteeing the bodily privacy of a woman and prohibiting any form of outraging her modesty. It criminalises assault, and also provides for private defence in case of assault.

Communications Privacy

The privacy of communications is subject to interception for the purpose of public safety, as envisaged in the Telegraph Act, 1885. It also contains provisions regarding unlawful interception of messages, as well as tampering or damaging communications. The Telecommunications (Amendment) Act 2006 gives the police sweeping powers to intercept mobile communications as well. However, a notice was issued to the government after this amendment to demonstrate its legality. Bangladesh also has the Right to Information Act, 2009 to promote transparency in governance, although it has a considerable number of agencies exempt from the Act as well. Provisions for cyber crime are enshrined in the Information and Communication Technology Act, 2006.

Territorial Privacy

In the context of territorial privacy, the Bangladesh Penal Code recognises criminal trespass, house trespass, lurking house trespass and house breaking as offences under Bangladeshi law.

IV. Conclusion

Privacy is a comprehensive term that entails a plethora of claims, making an exact definition of the term difficult to come by. In the absence of an explicit reference to privacy in the Indian Constitution, the Supreme Court has brought the right to privacy within the penumbra of Article 21 through various case laws. In 2010, the Government in its approach paper on privacy claimed that India is not a particularly private nation. In order to comprehensively understand India's modern legal framework, it is imperative to analyze the concepts of traditional law as they existed hitherto the colonial era. Although the term "privacy" is a modern construct, this paper has sought to demonstrate that the notion of privacy was well recognized and protected in traditional Islamic law.

From the discussion above, it is evident that the concept of privacy in Shariah law rests convincingly within the taxonomy adopted in this paper. The Quran and Hadith accommodate concerns surrounding private property, personal autonomy, protection of private communications, domestic life, modesty and the modern idea of surveillance. In addition to this, Islamic jurisprudence ascribes to the idea of a public and private sphere. The public sphere is occupied by society and governmental action, being liable to scrutiny and observation. On the other hand, the private sphere is occupied by the individual and the divine alone, free from any interference except in accordance with Shariah law. Inspite of the term "privacy" not finding explicit mention in the Quran or Hadith, a closer analysis of Shariah reveals privacy as a pervasive theme in Islamic jurisprudence.



Daniel Solove, A Taxonomy of Privacy, Vol. 154, No.3 University of Pennsylvania Law Journal, 477 (2006).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review 193, 193 (1890).

Richard A. Posner, Privacy, Surveillance and the Law, Vol. 75 No. 1 The University of Chicago Law Review 245, 245 (2008).

Blanca Rodríguez Ruiz, Privacy in Telecommunications: A European and an American Approach 39 (1st ed. 1997).

James Q. Whitman, The Two Western Cultures of Privacy : Dignity versus Liberty, 113 Yale Law Journal 1152, 1153 (2004).

Whitman, supra note 5, at 1153.

Solove, supra note 1, at 479.

Ibid. Referencing Lillian r. BeVier, Information About Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection, 4 WM. & MARY BILL RTS. J. 455, 458 (1995) .

Ibid. Referencing KIM LANE SCHEPPELE, LEGAL SECRETS 184-85 (1988).

Ibid. Referencing 1 J. THOMAS MCCARTHY, THE RIGHTS OF PUBLICITY AND PRIVACY § 5.59 (2d ed. 2005).

Solove, supra note 1, at 560.

Samuel D. Warren & Louis D. Brandeis, supra note 2, at 193.

William L Prosser, Privacy, 48 California Law Review 383,389 (1960).

Solove, supra note 1, at 488.

Data Security Council of India, Policy Paper: Privacy in India. Available at https://www.dsci.in/sites/default/files/Policy%20Paper%20-%20Privacy%20in%20India.pdf.

Department of Personnel and Training, (DoPT) Approach Paper for a Legislation on Privacy. Report available at http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf.

Justice Ajit.P.Shah Committee, Report of the Group of Experts on Privacy, 60. Available at - http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

Bhairav Acharya, at http://freespeechhub.thehoot.org/freetracker/storynew.php?storyid=565&sectionId=10.

DoPT, Approach Paper. supra note 16.

Whitman, supra note 5, at 1154.

Chandran Kukathas, Cultural Privacy, Vol. 91, No. 1 The Monist 68, 69 (2008).

Marc Galanter, Displacement of Traditional Law in Modern India, Vol XXIV, No. 4 Journal of Social Issues 65, 67 (1968).

Stuart Corbridge & John Harriss, Reinventing India: Liberalization, Hindu Nationalism and Popular Democracy 238 (Reprint, 2006).

Galanter, supra note 22, at 66.

Ibid. at 67.

Edward Said, Representing the Colonized: Anthropology's Interlocutors, Vol. 15 No.2 Critical Inquiry 205, 207 (1989).

Mohammad Hashim Kamali, Shari'ah Law, An Introduction 19 (2009)

M Mustafa Al Azami, Studies in Hadith Methodology and Literature 7 (2002).

Id. at 3.

NJ Coulson, A History of Islamic Law 22 (1964)

Kamali, supra note 27, at 19.

Sunan Ibn Majah , Book of Tribulations (Kitab al-Fitan) , #3950, available at http://sunnah.com/ibnmajah/36.

Mohsen Kadivar, An Introduction to the Private and Public Debate in Islam, Vol.70 , No. 3 Social Research 659, 663 (2003).

Lara Aryani, Privacy Rights in Shariah and Shariah-based States, Vol. 3, Iss.2, Journal of Islamic State Practices in International Law, 3 (2007)

Kadivar, supra note 33, at 664.

Ibid. at 665.

Ibid. at 667. Referencing Koleini, Mohammad. Al-Kaafi. Qom, Vol. 2: 353 1388.

Ibid. at 671.

Ibid. at 664.

Social Contract Theory of John Locke(1932-1704) in the Contemporary World , SelectedWorks of Daudi Mwita, Nyamaka (2011) Available at http://works.bepress.com/cgi/viewcontent.cgi?article=1009&context=dmnyamaka.

Kadivar, supra note 33, at 664.

Ibid. at 673.

Abul a'la Mawdudi, Human Rights in Islam 24 (1995). Also available online, at http://books.google.co.in/books?id=RUJWdCOmmxoC&printsec=frontcover#v=onepage&q&f=false.

Aryani, supra note 34, at 13.

This indicates Sura 24 : verse 58.

Holy Quran, 24:58 - O you who have believed, let those whom your right hands possess and those who have not [yet] reached puberty among you ask permission of you [before entering] at three times: before the dawn prayer and when you put aside your clothing [for rest] at noon and after the night prayer. [These are] three times of privacy for you. There is no blame upon you nor upon them beyond these [periods], for they continually circulate among you - some of you, among others. Thus does Allah make clear to you the verses; and Allah is Knowing and Wise. (Translation from Sahih International available at http://quran.com/24/58)

Reza Sadiq, Islam's Fourth Amendment : Search and Seizure in Islamic Doctrine and Muslim Practice, Vol. 40 Georgetown Journal of International Law 703, 730 (2008 - 2009).

Ibid. at 733. Referencing IBRAHIM ABDULLA AL-MARZOUQI, Human Rights in Islamic Law 392 (2000).

Rohen Peterson, The Emperor's New Scanner :Muslim Women at the Intersection of the First Amendment and Full Body Scanners, 22 Hastings Women's Law Journal 339, 343 (2011).

Holy Quran, 24:30 - Tell the believing men to reduce [some] of their vision and guard their private parts. That is purer for them. Indeed, Allah is Acquainted with what they do. (Translation from Sahih International available at http://quran.com/24/30-31).

Holy Quran, 24:31- And tell the believing women to reduce [some] of their vision and guard their private parts and not expose their adornment except that which [necessarily] appears thereof and to wrap [a portion of] their headcovers over their chests and not expose their adornment except to their husbands, their fathers, their husbands' fathers, their sons, their husbands' sons, their brothers, their brothers' sons, their sisters' sons, their women, that which their right hands possess, or those male attendants having no physical desire, or children who are not yet aware of the private aspects of women. And let them not stamp their feet to make known what they conceal of their adornment. And turn to Allah in repentance, all of you, O believers, that you might succeed. (Translation from Sahih Internation, available at http://quran.com/24/30-31).

David Garner, Muslims warned not to go through airport body scanners because they violate Islamic rules on nudity, The daily mail, (Feb 12, 2010). http://www.dailymail.co.uk/news/article-1250616/Muslims-warned-airport-body-scanners-violate-Islamic-rules-nudity.html#ixzz3KF8hS6q3 .

Holy Quran, 33:59 - O Prophet, tell your wives and your daughters and the women of the believers to bring down over themselves [part] of their outer garments. That is more suitable that they will be known and not be abused. And ever is Allah Forgiving and Merciful. (Translation from Sahih International, available at http://quran.com/33/59.)

Eli Alshech, "Do Not Enter Houses Other than Your Own": The Evolution of the Notion of a Private Domestic Sphere in Early Sunnī Islamic Thought Vol. 11, No. 3, Islamic Law and Society 291, 304 (2004).

Holy Quran, 49:12 - O you who have believed, avoid much [negative] assumption. Indeed, some assumption is sin. And do not spy or backbite each other. Would one of you like to eat the flesh of his brother when dead? You would detest it. And fear Allah ; indeed, Allah is Accepting of repentance and Merciful. ( Translation from Sahih International, available at http://quran.com/49/12)

Holy Quran, 24:19 - Indeed, those who like that immorality should be spread [or publicized] among those who have believed will have a painful punishment in this world and the Hereafter. And Allah knows and you do not know. ( Translation from Sahih International, available at http://quran.com/24/19)

Kadivar, supra note 33, at 666.

Ahmad Atif Ahmad, Islam Modernity violence and everyday life 176 (1st ed. 2009)

Kadivar, supra note 33, at 667.

Ibid , at 178.

Ibid.

Alshech, supra note 54, at 291.

Holy Quran, 24:27-8 - O you who have believed, do not enter houses other than your own houses until you ascertain welcome and greet their inhabitants. That is best for you; perhaps you will be reminded. And if you do not find anyone therein, do not enter them until permission has been given you. And if it is said to you, "Go back," then go back; it is purer for you. And Allah is Knowing of what you do. ( Translation from Sahih International, available at http://quran.com/24)

Holy Quran, 2:189 - They ask you, [O Muhammad], about the new moons. Say, "They are measurements of time for the people and for Hajj." And it is not righteousness to enter houses from the back, but righteousness is [in] one who fears Allah. And enter houses from their doors. And fear Allah that you may succeed. (Translation from Sahih International, available at http://quran.com/2)

Alshech, supra note 54, at 308.

Ibid. at 306. Referencing Ibn Abi Hatim, 8 TAF5IRAL-QUR'ANAL-'ADHIM 2566 (Makiabat Nlilr Mustaffi 1999).

Ahmad, supra note 58, at 177.

Alshech, supra note 54, at 324.

Aryani, supra note 34, at 4. Also see Ahmad, supra note 24, at 178.

Alshech, supra note 54, at 310.

Kadivar, supra note 33, at 664.

Moeen Cheema, Beyond Beliefs: Deconstructing the Dominant Narratives of the Islamization of Pakistan's Law, 60 American Journal of Comparative Law 875 (2012).

The Constitution of the Islamic Republic of Pakistan, 1973. Available at http://www.na.gov.pk/publications/constitution.pdf.

Cheema, supra note 72, at 879.

The Constitution of the Islamic Republic of Pakistan, 1973, supra note 73.

Ibid.

Ibid. Article 8 - "(1) Any law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred by this Chapter, shall, to the extent of such inconsistency, be void. (2) The State shall not make any law which takes away or abridges the right so conferred and any law made in contravention of this clause shall, to the extent of such contravention, be void

Ibid. Article 4(2)(a) - "no action detrimental to the life, liberty, body, reputation or property of any person shall be taken except in accordance with law."

Section 509, Pakistan Penal Code (Act XLV of 1860), Available at http://www.oecd.org/site/adboecdanti-corruptioninitiative/46816797.pdf.

Section 32, Pakistan Telecommunication (Re-Organisation) Act, 1996. Available at http://www.pta.gov.pk/media/pta_act_140508.pdf.

Ibid. Section 54.

Section 25-D, Pakistan Telegraph Act, 1885. Available at http://www.fia.gov.pk/law/Offences/26.pdf.

Section 12, Pakistan Medical and Dental Council Code of Ethics. Available at http://www.pmdc.org.pk/LinkClick.aspx?fileticket=v5WmQYMvhz4%3D&tabid=292&mid=845.

http://www.sbp.org.pk/publications/prudential/ordinance_62.pdf

Section 8, Freedom of Information Ordinance, 2002. Available at http://infopak.gov.pk/Downloads/Ordenances/Freedom_of_%20Information_Ordinance2002.pdf.

Pakistan IT Policy and Action Plan, available at http://www.unapcict.org/ecohub/resources/pakistan-information-technology-policy.

Electronic Transactions Ordinance, available at http://www.pakistanlaw.com/eto.pdf.

For a more detailed account, see http://www.supremecourt.gov.pk/ijc/articles/10/1.pdf. Second draft available at http://media.mofo.com/docs/mofoprivacy/PAKISTAN%20Draft%20Law%202nd%20Revision%20.pdf.

Sections 441 - 462, Pakistan Penal Code (XLV of 1860) Chapter XVII, "Offences against Property".

Section 5, Anti Terrorism Act, 1997. Available at http://www.fia.gov.pk/law/ata1997.pdf.

Ibid. Section 10.

Lara Aryani, supra note 34, at 21.

Julhas Alam, Bangladesh moves to retain Islam as state religion, Cns News, http://cnsnews.com/news/article/bangladesh-moves-retain-islam-state-religion.

Article 43, Constitution of Bangladesh. Available at http://www1.umn.edu/humanrts/research/bangladesh-constitution.pdf.

Section 509, Bangladesh Penal Code,1860. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=11.

Ibid. Sections 351- 358.

Ibid . Section 100.

Section 5, Bangladesh Telegraph Act, 1885. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=55.

Ibid . Section 24.

Ibid. Section 25.

Bangladesh Penal Code, 1860. supra note 95. Section 441.

Ibid. Section 442.

Ibid. Section 443.

Ibid. Section 445.

See, Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 : (1964) 1 SCR 332; Govind v. State of Madhya Pradesh, AIR 1975 SC 1378; Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264; People's Union for Civil Liberties (PUCL) v. Union of India, AIR 1997 SC 568; X v. Hospital Z, AIR 1999 SC 495.

DoPT, Approach Paper. supra note 16.

Overview of the Constitutional Challenges to the IT Act

by Pranesh Prakash last modified Dec 19, 2014 09:01 AM
There are currently ten cases before the Supreme Court challenging various provisions of the Information Technology Act, the rules made under that, and other laws, that are being heard jointly. Advocate Gopal Sankaranarayanan who's arguing Anoop M.K. v. Union of India has put together this chart that helps you track what's being challenged in each case.



PENDING MATTERS CASE NUMBER PROVISIONS CHALLENGED
Shreya Singhal v. Union of India W.P.(CRL.) NO. 167/2012 66A
Common Cause & Anr. v. Union of India W.P.(C) NO. 21/2013 66A, 69A & 80
Rajeev Chandrasekhar v. Union of India & Anr. W.P.(C) NO. 23/2013 66A & Rules 3(2), 3(3), 3(4) & 3(7) of the Intermediaries Rules 2011
Dilip Kumar Tulsidas Shah v. Union of India & Anr. W.P.(C) NO. 97/2013 66A
Peoples Union for Civil Liberties v. Union of India & Ors. W.P.(CRL.) NO. 199/2013 66A, 69A, Intermediaries Rules 2011 (s.79(2) Rules) & Blocking of Access of Information by Public Rules 2009 (s.69A Rules)
Mouthshut.Com (India) Pvt. Ltd. & Anr. v. Union of India & Ors. W.P.(C) NO. 217/2013 66A & Intermediaries Rules 2011
Taslima Nasrin v. State of U.P & Ors. W.P.(CRL.) NO. 222/2013 66A
Manoj Oswal v. Union of India & Anr. W.P.(CRL.) NO. 225/2013 66A & 499/500 Indian Penal Code
Internet and Mobile Ass'n of India & Anr. v. Union of India & Anr. W.P.(C) NO. 758/2014 79(3) & Intermediaries Rules 2011
Anoop M.K. v. Union of India & Ors. W.P.(CRL.) NO. 196/2014 66A, 69A, 80 & S.118(d) of the Kerala Police Act, 2011

A Study of the Privacy Policies of Indian Service Providers and the 43A Rules

by Elonnai Hickok last modified Jan 13, 2015 02:37 AM

Written by Prachi  Arya and Kartik Chawla
Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra


Click to download the PDF

Contents
Executive Summary
Introduction
Objective, Methodology, and Scope of the Study
Objective of Research
Methodology
Scope
Criteria for selection of companies being studied
Overview of Company Privacy Policy and Survey Results
Vodafone
Tata Teleservices Limited
Airtel
Aircel
Atria Convergence Technologies
Observations
International Best Practices
Australia
European Union
Recommendations
Annexure 1
Annexure 2


Executive Summary


India has one of the largest telecom subscriber base in the world, currently estimated at 898 Million users.[1] With over 164.8 Million people accessing the internet [2] in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.[3]

While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.[4] Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.

The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.

The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel, and ACT incorporate a number of such safeguards though not all. On the other hand BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.

Introduction

The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) [5] pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobiles phones. [6]

Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect and customer data as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a quid pro quo by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.

In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. [7] In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.

However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have adequate personal data protection regime. [8] The main Indian legislation on the personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,[9] for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.

Objective, Methodology, and Scope of the Study

 

Objective of Research

This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India, align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.

Methodology

The Privacy Policies[10] of seven identified service providers are sought to be compared vis-a-vis - the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.

Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on of the essential principles of the Rules respectively, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.

Scope

Criteria for selection of companies being studied

For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on this basis of categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.

The privacy policies of the following service providers have been analyzed:

1. State Owned Companies[11]

a. BSNL[12]: Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, inter alia, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. [13] It had a monopoly in India except for Mumbai and New Delhi till 1992.

b. MTNL[14]: Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New-Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, inter alia, Telephone, Mobile, 3G, and Broadband services. [15]

2. Multinational Companies

a. Bharti Airtel Ltd:[16] Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. [17] The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.[18]

b. Vodafone[19]: Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. [20] The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994[21], and it bought out Essar's share in the same in the year 2007.[22] As of today, it has the second largest subscriber base in India. After Airtel, [23] Vodafone is the largest provider of telecommunications and mobile internet services in India.[24]

3. Joint Ventures

a. Tata Teleservices[25] - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. [26] Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between and Tata Group and Sky. [27]

b. Aircel[28]: Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communication Berhard in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. [29] Aircel provides telecommunications and mobile internet services in the aforementioned regions.

4. India based Companies/Domestic Companies -

a. Atria Convergence Technologies (ACT)[30]: Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.

Overview of Company Privacy Policy and Survey Results

 

This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.

VODAFONE[31]: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

Yes

Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?

No

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

Partially

Whether the privacy policy explicitly specifies the type of SPD/I being collected?

Partially

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

No

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

No

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

Yes

Whether the privacy policy provides the contact information of the grievance officer

Yes

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Yes

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties

Yes

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Yes

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

Yes


Vodafone

Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.

Vodafone's privacy policy is accessible online, however, it does not include a copy of its policy with a customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.

There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.

The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.

Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.

With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report, however this goes unmentioned under its privacy policy

Tata Teleservices Limited[32]: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

Yes

Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

No

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

Yes

Whether the privacy policy explicitly specifies the type of SPD/I being collected?

Yes

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

No

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

No

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

No

Whether the privacy policy provides the contact information of the grievance officer?

No

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Yes

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties

Yes

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Yes

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

Yes

Tata Teleservices Limited

Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.

The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information and website usage from its customers.

The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number, however a customer may ask for his/her information to not be published on payment of a fee.

As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and in addition, TTL, has a separate Appellate Authority to deal with consumer complaints.

TTL does not follow any particular security standard for the protection of subscriber information, however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.

Airtel[33]: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

Yes

Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

Yes

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

Yes

Whether the privacy policy explicitly specifies the type of SPD/I being collected?

Yes

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

Yes

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

Yes

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

Yes

Whether the privacy policy provides the name and contact information of the grievance officer?

Yes

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Yes

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?

Yes

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Yes

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

Yes

Airtel

Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.

Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case, certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by its Airtel's guidelines on the secrecy of information.

While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information.

Aircel[34]: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

yes

Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

no

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

Partially

Whether the privacy policy explicitly specifies the type of SPD/I being collected?

Partially

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

Yes

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

Yes

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

Yes

Whether the privacy policy provides the contact information of the grievance officer?

Yes

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Partially

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties

Partially

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Partially

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

Yes

Aircel

Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.

Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that is collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.

In the privacy policy, the stated purposes for use of subscriber information is limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.

In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does however, provide for accountability in cases of breach or privacy.

Atria Convergence Technologies[35]: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

Yes

Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

information not available

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

Partially

Whether the privacy policy explicitly specifies the type of SPD/I being collected?

Partially

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

No

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

No

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

No

Whether the privacy policy provides the contact information of the grievance officer?

No

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Yes

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties

Yes

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Partially

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

No

Atria Convergence Technologies

Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policies refers to disclosing information for the purpose of assisting with investigating, preventing, or take action on illegal behaviour - there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.

BSNL: 43A Rules Survey

Criteria

Yes/No

Clear and Accessible statements of its practices and policies

Whether the privacy policy is accessible through the main website of the body corporate?

No

Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

No

Whether the privacy policy can be comprehended by persons without legal knowledge?

Yes

Collection of personal or sensitive personal data/information

Type

Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

No

Whether the privacy policy explicitly states that it is collecting SPD/I?

No

Option

Whether the Privacy Policy specifies that the user has the option to not provide information?

No

Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

No

Grievance Officer

Whether the privacy policy mentions the existence of a grievance officer?

Yes

Whether the privacy policy provides the contact information of the grievance officer?

Yes

Purpose of Collection and usage of information

Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

Partially

Disclosure of Information

Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties

Yes

Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?

Yes

Reasonable Security practices and procedures

Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?

No

BSNL

BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A .

BSNL's privacy is accessible online, though not on the website, and is easy to understand. The policy does not however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent and with respect to marketing communications and a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend mailing and billing services and market research services.

As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, government agencies.

With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information, however no further contact details are given.

MTNL

MTNL does not provide a publicly available Privacy Policy.

Observations

This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.

1. Access and Location of Privacy Policy

Applicable Rule and Principle: According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on their website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate, regarding changes to their privacy policies.[36]

Observation : In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:

a. Privacy Policy on main website: Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.

b. Privacy Policy not on website : MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.

c. Privacy Policy not accessible through main website : TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, The Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. [37]

d. Privacy Policy not included in Customer Application form : Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on its website's homepage. For example, Airtel is the only Service Provider that refers to their privacy policy in the Customer Application Form for an Airtel service.

e. Collection of personal information before Privacy Policy: In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email Id. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.

2. Sharing of information with Government

Applicable Rule and Principle: Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.

Observation : Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:

a.) Listing circumstances for disclosure to law enforcement : The Privacy Policy of ACT states "We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person". [38] The Privacy Policy of Airtel on the other hand states "Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences." [39] Lastly, TTL states " To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay". [40]

b.) Listing authorities to whom information will be disclosed to : The privacy policy of Aircel states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".[41] Similarly, Vodafone states "There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India." [42] While BSNL states "Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".[43]

3. Readability of Privacy Policies

Applicable Rule and Principle : In subsection (i) of Rule 4 body corporate must provide a privacy policy that is "clear and accessible". Similarly, the Notice Principle requires that the data controller give a " simple-to-understand notice of its information practices to all individuals, in clear and concise language".

Observation : It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:

a. Vague terminology: For example, in the Privacy Policy of ACT, it states as a purpose of collection "conduct research" while for the collection and disclosure of information it states ,"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you." [44] Similarly, with regards to the collection of information, Vodafone's Privacy Policy states that it may collect "any other information collected in relation to your use of our products and services". [45]

b. Undefined terminology: On disclosure of information TTL's privacy policy states disclosure is "Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)" [46] Confusingly, although TTL defines CPNI it does not mention what legal restriction it is referring to, and CPNI is in fact an American term and similar legal restrictions could not be found in India.

4. Information about security practices

Applicable Rule and Principle: The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.

Observation : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:

a. Comprehensive information about security practices in privacy policy: Airtel and Aircel have provided comprehensive information about their security practices in the companies Privacy Policy.

b. Information about security practice, but not in privacy policy: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.

c. Broad reference to security practices: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only "we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL." [47]

d. No information about security practices: Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.

5. Grievance mechanisms

Applicable Rule and Principle: Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.

Observation : It was found that adherence with this requirement varied depending on service provider. For example:

a. No Grievance Officer: ACT and MTNL do not provide details of a grievance officer on their websites.

b. Grievance Officer, but no process details: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.

c. Grievance Officer and details of process: Aircel provides details of the grievance officer and grievance process.

As a note: All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. [48] It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.

6. Consent Mechanism

Applicable Rule and Principle : Rules 5 and 6 of the Rules[49] on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. [50] Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules[51] and the National Privacy Principles [52].

Observation: Methods of obtaining consent and for what consent was obtained for varied across service providers. For example:

a. Obtaining consent: Some service providers give data subjects with the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtaining their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The viewing or interaction of the user of such targeted advertisements is however, considered an affirmation to this third party source, that the user is the targeted criteria. Thus, there appears to be lack of consent in this regard.

b. No Consent or choice offered: Some service providers do not mention consent. For example, Vodafone, and BSNL do not make any mention of choice or consent in their respective privacy policies.

c. Consent for limited circumstances: Some service providers only provide consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.

There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.

7. Transparency mechanism :

Applicable Rule and Principle: The Openness Principle specifically recommends transparency in all activities of the data controller. [53] The Rules provide a limited transparency mechanism under Rule 8 which require bodies corporate to document their security practices and procedures and Rule 4 which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.

Observation: All service providers fail in implementing adequate mechanisms for transparency.

8. Scope :

Applicable Rule and Principle : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publically available. The same is also necessary under Rule 4, which mandates that any body corporate which " collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. "

Observation : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in the Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.

International Best Practices

Canada

The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' [54] made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). [55]

The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMP's is integral in the protection of online privacy, as ITMP's most commonly employ methods such as deep packet inspection which can be used to burrow into personal information of consumers as well.

Recognising that this may not be the current practice, but a possibility in the future, the policy makes certain guidelines for ITMPs. It permits ITMP's that block bad traffic such as spam and malicious software. Nearly all other ITMPs however, require the prior notice of 30 days or more before initialising the ITMP.[56]

ITMP's are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs in their contracts with Primary ISPs must agree to the same duties of the latter, that is the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.

Australia

The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.[57] These principles govern the following: collection,[58] use and disclosure,[59] data quality,[60] security,[61] openness,[62] access and correction,[63] identifiers,[64] anonymity,[65] trans-border data flows,[66] and sensitive information. [67]

The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, [68] but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which providers that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriages service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.

European Union

The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). [69] The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.[70] The Directive differentiates between Personal Data and Sensitive Personal Data, [71] with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. [72] The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. [73]

In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications[74] and the Data Retention Directive. [75] The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.

The established practices considered above have the following principles, relevant to the study at hand, in common:

1. Notice

2. Collection Limitation

3. Use Limitation

4. Access and Corrections

5. Security

6. Data Quality and Accuracy

7. Consent

8. Transparency

And the following principles are common between two of the three regimes discussed above:

1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collecting information, but the Data Protection Directive does not directly govern disclosure of collected information.

2. The Principles of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act

3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.

Recommendations

Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.

1. Access and location of privacy policy: Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.

2. Scope of privacy policy: The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.

3. Defining consent: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.

4. Clear language: The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.

5. Transparent security practices: The Privacy Policy should include comprehensive information about a company's security practices should be included in the Privacy Policy. Information pertaining to audits of these procedures should be made public.

6. Defined and specified third parties: The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.

7. Comprehensive grievance mechanism: The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, procedure of submitting a grievance, expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and method of appealing decision of the grievance officer.

8. Specify laws governing disclosure to governmental agencies and law enforcement: The Privacy Policy should specify under what laws and service providers are required disclose personal information to.

9. Inclusion of data retention practices: The Privacy Policy should include provisions defining the retention practices of the company.

Annexure 1

Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt establish a holistic data security regime for the private sector.

The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.

Relevant provisions that pertain to the privacy policy of body corporate

Rule 3: This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:

i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"[76].

ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" [77]

iii. Physical, physiological and mental health condition

iv. Sexual orientation

v. Medical records and history

vi. Biometric information

The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. [78]

The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.

Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person "[79]

Interpretation: While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.[80] While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. [81] Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.

As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers' of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.

On a positive note, the addition of the term "in combination with other information available or likely to be available", gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual, the recognition of this, in effect, gives a far wider scope to personal information under the Rules.

In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used.{This is mentioned under Rule 4(ii) and (iii)} Since Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.

Rule 4: This rule mandates that a "body corporate that collects, receives possess, stores, deals or handles information of the provider of information". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.

The following details have to be included in the privacy policy -

"(i) Clear and easily accessible statements of its practices and policies;

(ii) Type of personal or sensitive personal data or information collected under rule 3;

(iii) Purpose of collection and usage of such information;

(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;

(v) Reasonable security practices and procedures as provided under rule 8."[82]

Interpretation : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.

Rule 5: This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. [83]

Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -

a. The fact that the information is being collected.

b. The purpose of such collection.

c. Intended recipients of the collected information.

d. Names and addresses of the agency or agencies collecting and retaining information.

Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.

This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.

It also requires that a Grievance Officer be instated to redress the grievance " expeditiously but within one month from the date of receipt of grievance." The Grievance Redressal process has been discussed in more detail later.

Interpretation: Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]

Prima facie , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle [84], Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.

In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.

Rule 6: This rule lays down the conditions and procedure for disclosure of information.[85] Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -

a. The body corporate is required to obtain prior permission from the provider of the information, or

b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or

c. Disclosure is necessary for the compliance of a legal obligation.

An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.

Interpretation :

The guidelines for disclosure limit themselves to SPD under Rule 6 leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv)'s applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.

Rule 7 : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.

Interpretation : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of the way the data is handled or dealt by the third party, which is shared by the body corporate in question.

Rule 8: This Rule details the criteria for reasonable security practices and procedures.[86] It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "managerial, technical, operational and physical security control measures". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.

Interpretation : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task[87]. With regards to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.

Other Relevant Policies:

Empanelled Information Technology Security Auditors - CERT-In has created a panel of 'IT Security Auditors' for auditing networks & applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.[88] The empanelled IT security auditing organization is required to, inter alia, conduct a " Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc." [89] and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.[90] For this purpose CERT-In maintains a list of IT Security Auditing Organizations[91].

Criteria for analysis of company policies based on the 43A Rules

1. Clear and Accessible statements of its practices and policies[92] -

i. Whether the privacy policy is accessible through the main website of the body corporate?

ii. Whether the privacy policy is mentioned or included in the terms and conditions of all document of the body corporate that collects personal information?

iii. Whether the privacy policy can be comprehended by persons without legal knowledge?

2. Type and acknowledgment of personal or sensitive personal data/information collected [93]-

i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected.

ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?

3. Option to not provide information and withdrawal of consent[94] -

i. Whether the Privacy Policy specifies that the user has the option to not provide information?

ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?

4. Existence of Grievance Officer -

i. Whether the privacy policy mentions the existence of a grievance officer?

ii. Whether the privacy policy provides details of the grievance redressal mechanism?

iii. Whether the privacy policy provides the names and contact information of the grievance officer?

5. Purpose of Collection and usage of information -

i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?

6. Disclosure of Information -

i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?

ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?

7. Reasonable Security practices and procedures -

i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?


Annexure 2

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company SURVEY

1. Bharti Airtel Ltd.

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: Airtel's Privacy Policy[95] is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.

2. Type and acknowledgement of personal or sensitive personal data/information collected: Yes

b. Rationale: Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information[96], and specifies specific types of personal[97] and sensitive personal information [98] that will be collected.

3. Option to not provide data or information and subsequent withdrawal of consent: Yes

c. Rationale: The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.[99]

4. Existence of Grievance Officer: Yes

a. Rationale: Airtel provides for the contact details of nodal officers[100] and appellate authorities [101] on its website. Additionally the website provides for the 'Office of the Ombudsperson'[102], which is an independent forum for employees and external stakeholders[103] of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Additionally, details of the Airtel Grievance Redressal Officers can also be found in the TRAI website.[104]

5. Comprehensive disclosure of purpose of collection and usage of information: Partial

Rationale: Airtel's Privacy Policy indicates eight purposes[105] that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.

6. Disclosure of Information[106]: Yes

a. Rationale: Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information[107], how collected personal information may be collected internally [108], the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract[109], the possible transfer of personal information and its purposes[110], and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) [111]

7. Existence of reasonable security practices and procedures [112] : Yes

a. Rationale: Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant [113], that access is restricted to a need to know basis and that employees are bound by codes of confidentiality[114], and that Airtel works to ensure that third parties also have strong security procedures in place.[115] The policy also provides details on the retention[116] and destruction [117] procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.[118]

1. Tata Telecommunication Services (DoCoMo and Virgin Mobile)

1. Clear and Accessible statements of its practices and policies : Partial

a. Rationale: Though Tata DoCoMo has a comprehensive Data Privacy Policy [119] that is applicable to Tata Teleservices Limited's ("TTL") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. [120]

2. Type of personal or sensitive personal data/information collected: Partial

a. Rational: TTL defines personal information[121] but only provides general examples of types of personal information[122] (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies. [123]

3. Option to not provide information and withdrawal of consent: N/A

a. Rationale: The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.

4. Existence of Grievance Officer: Yes

a. Rationale: TTL has various methods to lodge complaints and provides for an appellate authority. [124] Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.[125]

5. Purpose of Collection and usage of information: Yes

a. Rationale: In its' Privacy Policy, TTL describes the way in which collected information is used. [126] The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes, [127] and the use of aggregate and anonymized data.[128]

6. Disclosure of Information: Yes

a. Rationale: In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances on which they will share/disclose personal information with third parties[129], with law enforcement/governmental agencies[130], and with other TTL companies. [131] Interestingly, the TTL FAQ's clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction. [132]

7. Reasonable Security practices and procedures: Partial

a. Rationale: TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. [133] Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012[134]. Information on IT security standards adopted by other circles could not be found on the internet.

2. Vodafone

1. Clear and Accessible statements of its practices and policies: Yes

Rationale: Vodafone's Privacy Policy[135] is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. [136]

2. Collection of personal or sensitive personal data/information: No

Rationale: Type -

a. Personal Information - The amount of details given by the Privacy Policy with regards to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses is vague language - such as 'amongst other things', implying that information other than that which is notified is being collected.[137]

b. Sensitive Personal Data or Information - The Privacy Policy does not mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider explicitly, only gives a general overview of the information that is collected.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.

4. Existence of Grievance Officer: Yes

a. Rationale: The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.[138]

5. Purpose of Collection and usage of information: Partial

a. Rationale:

The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, [139] but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.

6. Disclosure of Information: Yes

a. Rationale:

The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.[140] The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable. [141] Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website [142] states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard[143].

3. Aircel

1. Clear and Accessible statements of its practices and policies: Yes

Rationale:

The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.[144]

2. Type of personal or sensitive personal data/information collected: Partial

Rationale: Type -

a. Personal Information

In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. [145] The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.

a. Sensitive Personal Data or Information

The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.

3. Option to not provide information and withdrawal of consent - Yes

Rationale : The Privacy Policy mentions that users do have the right to refuse to provide or the withdrawal of consent to collect personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services. [146]

4. Existence of Grievance Officer: Yes

a. Rationale:

Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. [147]

5. Purpose of Collection and usage of information: Partial

a. Rationale: The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.[148]

6. Disclosure of Information: Yes

a. Rationale: Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does. [149]

7. Reasonable Security practices and procedures: Yes

a. Rationale:

The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.[150]

4. Atria Convergence Technologies Private Limited (ACT)

1. Clear and Accessible statements of its practices and policies: Yes

a. Rationale: The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.[151]

2. Type of personal or sensitive personal data/information collected: Partial

a. Rationale:

Type -

a. Personal Information - Yes -

The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. [152]

a. Sensitive Personal Data or Information -

The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.

3. Option to not provide information and withdrawal of consent: No

a. Rationale: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.

4. Existence of Grievance Officer: No

a. Rationale: No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.[153]

5. Purpose of Collection and usage of information: Yes

a. Rationale: The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.[154] The list of purposes for collection given in the Privacy Policy is a very general list.

6. Disclosure of Information: Yes

a. Rationale: The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to above, that being when the information is shared for investigative purposes.[155] At the same time, the intended recipients of the information are not mentioned, and the name and address of agency/agencies collecting and retaining information is not mentioned.

7. Reasonable Security practices and procedures: No

a. Rationale: - The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point, keeping in mind the requirements of the Rules. [156]


[1] . Telecom Regulatory Authority of India, Press Release 143/2012,(< http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf >)

[2] . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India,. (< http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf >)

[3] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece >

[4] . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf>

[6] . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece > Accessed..

[7] . Starting with Kharak Singh v. State of UP 1963 AIR SC 1295, the right to privacy has been further confirmed and commented on in other cases, like Govind v.State of M.P (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, Right to Privacy: A Case-By-Case Development, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.

[8] . White Paper on EU Adequacy Assessment of India, 3, ("Based on an overall

analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector. ") available at < https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf >

[9] . Planning Commission, Report of the Group of Experts on Privacy, 2012, (< http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>)

[10] . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service wavas also reviewed.

[11] . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.

[12] . Documents Reviewed: http://portal.bsnl.in/portal/privacypolicy.html

[13] . A full list of its services are available here: < http://bsnl.co.in/opencms/bsnl/BSNL/services/>

[14] . The MTNL website does not provide access to a privacy policy

[15] . A full list of its services are available here <<http://mtnldelhi.in>>

[17] . A full list of services provided by Bharti Airtel is available here: <www.airtel.in>

[18] . http://submarinenetworks.com/stations/asia/india/chennai-bharti

[21] . Vodafone International Holdings v Union of India, WP 1325/2010, Bombay High Court

[22] . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(Bloomberg, March 31, 2011) < http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html >Accessed 26 May 2014

[24] . Vodafone, supra note 13.

[26] . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm .>

[31] . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker

[33] . http://www.airtel.in/forme/privacy-policy

[34] .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061

[36] . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " (a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000",, while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provide " information to the end users as to how their personal information is collected, for which it is collected, processed and secure". Further, when asked how changes to privacy policy affect end users the Minister shifted the responsibility on end users, stating that " (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services ".( < http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 >).

[37] . Available at http://portal.bsnl.in/portal/privacypolicy.htm, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.

[41] . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>>

[43] . See<< http://portal.bsnl.in/portal/privacypolicy.htm>>

[47] . Ibid

[48] . The complaint center details are available here: < http://www.tccms.gov.in/Queries.aspx?cid=1>

[49] . Rules 5 and 6

[50] . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html>>

[51] . Rule 5(7),

[52] . Principle 2

[53] . P. 21

[54] . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << www.crtc.gc.ca/eng/archive/2009/2009-657.htm>>

[55] . Alex Cameron,CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, Privacy and Information Protection Bulletin, Fasken Martineau, << http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf . >> Accessed 21 May 2014

[56] . Bram D. Abramson, Grant Buchanan, Hank Intven, CRTC Shapes Canadian "Net Neutrality" Rules, McCarthy Tetrault. < http://www.mccarthy.ca/article_detail.aspx?id=4720 > Accessed 21 May 2014

[57] . The Privacy Act, 1988, Part III, available at << http://www.comlaw.gov.au/Series/C2004A03712.>>

[58] . Id, note 28, Schedule 3, 1.

[59] . Id, schedule 3, 2.

[60] . Id, schedule 3, 3.

[61] . Id, schedule 3, 4.

[62] . Id, schedule 3, 5.

[63] . Id, schedule 3, 6.

[64] . Id, schedule 3, 7.

[65] . Id, schedule 3, 8.

[66] . Id, schedule 3, 9.

[67] . Id, schedule 3, 10.

[68] . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)

[69] . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[70] . Id, article 3.

[71] . Id, article 8.

[72] . Id, article 2, (d). (" (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; ")

[73] . European Commission-IP-12/46, 25 January 2012, < http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.>

[74] . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[75] . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[76] . Rule 2 (h)

[77] . Rule 3 (ii)

[78] . Rule 3 (vii) and (viii)

[79] . Rule 2 (i)

[80] . Rule 4(iii), (iv)

[81] . Section 2(v) of the Act defines 'information'

[82] . Rule 4 (1).

[83] . Rule 5 (5)

[84] . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in Venkataramana Devaru v. State of Mysore, AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.

[85] . Rule 6

[86] . Rule 8

[87] . 52nd Report, Standing Committee on Information Technology, 24, available at < http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. >

[88] . Panel Of Information Security Auditing Organisations, CERT-IN < http://www.cert-in.org.in/PDF/background.pdf>

[89] . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf>

[90] . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security

Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf

[92] . Rule 4

[93] . Rule 4

[94] . Rule 5 (7)

[96] . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' Accessed at << http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >>

[97] . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

[98] . Password, Financial information -details of Bank account, credit card, debit card, or other payment instrument detail s, Physical, physiological and mental health condition.

[99] . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought, Avaliable at: < http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 >

[102] . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>>

[103] . Stakeholders are defined as: employee, associate, strategic partner, vendor

[105] . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.

[107] . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."

[108] . Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"

[109] . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information

[110] . Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."

[111] . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.

[113] . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.

[114] . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.

[115] . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.

[116] . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.

[117] . When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."

[118] . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.

[119] . See <<http://www.tatadocomo.com/downloads/data-privacy-policy.pdf

[120] . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer 's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.

[121] . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

[122] . Personal Information - Some general examples -TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information-- including payment data, credit history, credit card number, security codes, and service history.Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.

Technical & Usage Information is clarified in the FAQ's as information related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: Equipment Information that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. Performance Information about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. TTL Website Usage Information about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites.TTL also may collect similar information about a customer's use of its applications on wireless devices. Viewing Information about the programs watched and recorded and similar choices under Value added TTL services and products.

[123] . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or use its products and services; Other sources, such as credit agencies.

[126] . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies

[127] . Site functionality -Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. Advertising TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.

[128] . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.

[129] . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.

[130] . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims, To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;

[131] . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.

[132] . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.

[133] . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.

[136] . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."

[137] . Vodafone may hold information relating to customers that have been provided (such as on an application or registration form) or that it may has obtained from another source (such as its suppliers or from marketing organisations and credit agencies).

This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").

It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.

It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.

[138] . In case of any concerns the privacy officer can be contacted at [email protected]. Additionally details of the Grievance Redressal Officers is provided via the TRAI website. (TRAI website: http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf _

[139] . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:

2.1 Processing customer orders or applications;

2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);

2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;

2.4 Billing

2.5 Settling accounts with those who provide related services to Vodafone;

2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;

2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;

2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.

2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.

2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);

2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;

2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.

[140] . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:

3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;

3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;

3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;

3.4 if someone else pays a customer's bill, such as a customer's employer, that person;

3.5 those providing telephone and similar directories or directory enquiry services

3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;

3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;

3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;

3.9 any person or organisation as authorised by laws and regulations applicable in India.

If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.

To opt-out of receiving Vodafone marketing materials,customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.

[141] . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.

Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.

Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.

[144] . http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 (Scope - This Privacy Policy has been created to help customer's understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and use its products and services.)

[145] . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.

Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.

Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.

[146] . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.

[147] . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's Circle Care ID. Alternatively, one may also direct your privacy-related feedback or concerns to the Circle Nodal Officer. (e.g. - Delhi Circle Nodal details are as mentioned below):

1. Name: Moushumi De

Contact Number: 9716199209

E-mail: [email protected]

Further it provides for a general customer grievance redressal mechanism

Additionally details of the Grievance Redressal Officers is provided via the TRAI website.

To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism. Level I: Our Customer Touch Points As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. Level II - Appellate AuthorityDespite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints which provides for a 3-tier complaint handling mechanism.

[According to the DoT - The earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]

[148] . It may be used by us for a number of purposes connected with our business operations and functions, which include:

1. Processing customer orders or applications.

2. Carrying out credit checking and scoring (unless agreed otherwise).

3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.

4. Billing (unless there exists another agreed method).

5. Settling accounts with those who provide related services to Aircel.

6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.

7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.

8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it think may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.

9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.

10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).

11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer. Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:

● Understand what a customer likes and uses about Aircel's website.

● Provide a more enjoyable, customised service and experience

Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.

[149] . Where Aircel needs to disclose your information to third parties, such third parties will be:

1. Group companies who may use and disclose your information for the same purposes as us.

2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.

3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel make against your name.

4. If someone else pays a customer's bill, such as an employer.

5. Those providing telephone and similar directories or directory enquiry services.

6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.

7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.

8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services. If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.

[150] . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control.Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal informationWe take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information

We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy

When we dispose off your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.

We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.

[151] . http://www.acttv.in/index.php/privacy-policy

[152] . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.

The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."

[153] . Not provided for on the TRAI website as ACT is not a telecom.

[154] . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.

[155] . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.

Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.

Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.

The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.

The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.

[156] . Rule 8.

Study of Privacy Policies of Indian Service Providers

by Prasad Krishna last modified Dec 21, 2014 03:09 PM

PDF document icon DECEMBER FINAL IT Policy.pdf — PDF document, 743 kB (761748 bytes)

Reply to RTI filed with BSNL regarding Network Neutrality and Throttling

by Tarun Krishnakumar last modified Dec 22, 2014 02:45 PM
As part of its work on Network Neutrality, the Centre for Internet and Society through Tarun Krishnakumar had filed a Right To Information (RTI) application with Bharat Sanchar Nigam Ltd. (BSNL), a state-owned teleco holding a market share of 65 per cent in the Indian land line and broadband markets — regarding its position on and adherence to Network Neutrality principles.

The application — targeted at easing the information asymmetry between internet service providers (ISPs) and consumers — elicited responses that provide interesting insights into the functioning of ISPs in India.

The application queried BSNL about its:

  • Adherence to net neutrality / non-discrimination principles
  • Throttling on the basis of content
  • Throttling on the basis of protocol
  • Limiting traffic / speeds for pornographic websites
  • Limiting traffic / speeds for P2P / torrent connection

In its reply, BSNL denied all forms of throttling on the basis of content and reaffirmed that it is bound by the terms of its ISP license granted by the Department of Telecommunications. The application and response are below:

 

Application:

Request for Information under the Right to Information Act, 2005

To,

Sh. Suresh Kumar
Addl.GM (MIS)  & CPIO ,BSNL Co.
R. No. -29, IR Hall
Eastern Court, Janpath
New Delhi – 110001

Date of application: 08-10-2014

Subject: Network Neutrality / Throttling / Data discrimination policies of BSNL

Please provide information as to the policies of BSNL / decisions taken in respect of the following questions. Please supply where possible a copy of the relevant documents, minutes of meeting, position papers etc.

  1. Does BSNL support the principle of net neutrality and non-discrimination of data?
  2. Does BSNL regulate internet traffic flows depending on the type of content being accessed by the user on its broadband connections?
  3. Does BSNL regulate internet traffic flows depending on the type of protocol being used by the user on its broadband connections?
  4. Please provide details of the various types of content/protocols for which BSNL regulates traffic and the nature of such regulations, restrictions as the case may be.
  5. Please provide a list of traffic for which BSNL engages in limiting internet speed or throttling.
  6. Does BSNL limit internet traffic or upload/download speeds for pornographic websites and content?
  7. Does BSNL limit internet traffic or upload/download speeds for Peer-to-peer or torrent connections?

Please provide copies of all documents that pertain to BSNL’s policies and decisions in this regard.

It is certified that I am a citizen of India and that I do not fall within the BPL category. I am enclosing Rupees thirty (Rs. 30) towards the application fee and photocopying costs under the RTI Act for the information and documents requested. Kindly inform me at the address stated below if any further fees are required to be paid.

Applicant:

Tarun Krishnakumar
Centre for Internet and Society
No.194, 2nd C Cross Road, Domlur II Stage,
Bangalore - 560071

 

RESPONSE FROM BSNL:


To,

Sh. Tarun Krishnakumar
Centre for Internet and Society
No. 194, 2nd C Cross Road, Domulur II stage,
Bengaluru – 560071

Subject: Supply of Information under RTI ACT – 2005

Case of Shri. Tarun Krishnakumar – reg.

Ref:  -   1. No. BSNL/BBNW/RTI Act/Vol II/2012-13/52 dtd 28.10.2014

2. No. 23-744/14-RTI dtd 21.10.2014

With reference to the above subject, for the point wise information furnished as below:

  1. BSNL is following the guidelines as per the ISP License Agreement of DOT.
  2. NO, BSNL is NOT regulating the Internet traffic flow based on content.
  3. NO, BSNL is not regulating the Internet traffic flow based on the type of protocol.
  4. Not Applicable
  5. Not Applicable
  6. NO
  7. NO
  8. The documents relating to above are available on DOT’s website http://dot.gov.in

(Sd/-)

DE Admin and APIO
O/o General Manager
BBNW, BSNL,
5th floor, BG (E), TE Building,
Lazar Road, Fraser Town,
Bengaluru – 560005
Tel No. 080 - 25808878

Copy to:

  1. The Addl. GM (A) & CPIP O/o CGM, BBNW, New Delhi for information pl.

The scanned version of the reply is available here.

Security, Governments, Data

by Prasad Krishna last modified Dec 23, 2014 01:49 PM

ZIP archive icon Surveillance_Invite.docx — ZIP archive, 181 kB (185552 bytes)

Locating Constructs of Privacy within Classical Hindu Law

by Ashna Ashesh and Bhairav Acharya — last modified Jan 01, 2015 01:56 PM
This white paper seeks to locate privacy in Classical Hindu Law, and by doing so, displace the notion that privacy is an inherently ‘Western’ concept that is the product of a modernist legal system.

Introduction: Conceptions of Privacy

Because of the variance exhibited by the various legal, social, and cultural aspects of privacy, it cannot be easily defined. As a legal concept, privacy may form a constitutional claim, a statutory entitlement, a tortious action or an equitable remedy. As a constitutional claim, privacy is either an explicitly recognised right that is capable of independent enforcement, read into a pre-existing right , or located within the penumbra of a larger right. Statutory recognition of privacy may be afforded by both criminal and civil statutes. The offence of criminal defamation for instance, is perceived as an act of violating an individual's privacy by tarnishing his or her reputation. Similarly the provision of in camera trials for divorce proceedings is an illustration of a civil statute implicitly recognising privacy. As a tortious claim the notion of privacy is commonly understood in terms of the right against trespass of property. Equity, co-terminus with a statutory mandate or in isolation, may also be a source of privacy.

Most legal conceptions of privacy in everyday use in India originated from the English common law. Other constitutional and statutory constructions of privacy, even when not found in the common law, arise within a broader modernist system of law and justice that originated in Europe. During the European colonisation of India, the British (and, in a different manner, the French ) attempted to recreate the common law in India through the establishment of a new legal and courts system, and the wholesale importation of the European idea of law. The very notion of privacy, as well as its legal conception, is a product of this legal modernity. In post-colonial societies, the argument against the right to privacy is usually premised on its perceived alien-ness - as a foreign idea brought by colonisers and imposed on a traditionalist society that favoured communitarian living over individual rights - in an effort to discredit it.

The fallacy of this argument lies in its ignorance of the cultural plurality of privacy. To begin with, the idea that is connoted by the modernist notion of privacy pre-dated the introduction of common law in India. By the time of the Enlightenment, Hindu law and Islamic law were established legal systems with rich histories of jurisprudence and diverse schools of law within them, each with their own juristic techniques and rules of interpretation. While neither Hindu law nor Islamic law use a term that readily translates to "privacy", thereby precluding a neat transposition of meanings between them, the notion of privacy existed and can be located in both the legal traditions. In this paper, the term 'privacy' is used to describe both the modernist notion that arises from the principle of personal autonomy as well as the diverse pre-modern concepts in Hindu and Islamic jurisprudence that resemble or relate to this notion. These pre-modern concepts are diverse, and do not permit an easy analysis. For instance, the Manusmriti, which is a source of classical Hindu law, prohibits bathing in tanks that belong to other men. Additionally it prohibits the use of wells, gardens, carriages, beds, seats and houses without the owner's permission. These prohibitions are not driven by the imperatives of privacy alone. The rationale is that in using others' belongings one appropriates a portion of their sins. Hence, these privacy protections are linked to an ideal of purity. Islamic law also restricts the use or misappropriation of another's property. However, this prohibition is designed to protect private property; it has no ideological link to purity.

This paper attempts to locate constructs of privacy in classical Hindu law. The purpose of this exercise is not to privilege one legal system over another. Therefore, we do not intend to normatively assess the existing modernist discourse on privacy. We simply seek to establish the existence of alternate notions of privacy that pre-date modernity and the common law.

The scope of the paper is confined to locating privacy in classical Hindu law. The materials within the realm of classical Hindu law, relevant to this exercise are- the sruti, smriti, and acara. Sruti comprises of the Vedas, Brahmanas, Aranyakas and the Upanishads. It is considered to symbolise the spirit of Hindu law and is not the source of any positivist command as such. Smriti involves various interpretations of the sruti, We have however restricted ourselves to the Dharmashastras in this realm. Acara refers to the body of customary practices.

The review of the material at hand however, is not exhaustive. The reasons for this are twofold- first, given the vast expanse of Hindu jurisprudence, the literature review has been limited; second, there is a limited availability of reliable English translations of ancient legal treatises.

This paper is divided into two parts. The first part of this paper deals with the interface of colonisation with Hindu law and elucidates the nature of Hindu law. With the advent of colonialism, classical Hindu law was gradually substituted by a modernist legal system. Exploring the characteristics of modernity, the factors that contributed to the displacement of classical Hindu law will be identified.

One of the factors that contributed to the displacement was the uncertainty that characterised classical Hindu law. Classical Hindu law was an amalgamation of three sources, as. In an attempt to rule out the uncertainty, and the lack of positive command, the modernisation of Hindu law was brought about. Accordingly this part shall also examine the nature of Hindu law. Furthermore it shall determine whether the application of codified modern Hindu law, is informed by the precepts of classical Hindu law.

Having explicated the nature of Hindu law, the next part will focus on identifying instances of privacy in classical Hindu law.

Before ascertaining specific instances, however, this part will lay down a general understanding of privacy as it existed then. It will be demonstrated that regardless of the absence of an equivalent term, an expectation of privacy existed.

The specific illustrations of privacy will then be mapped out.

Given the different aspects wherein an expectation of privacy exists, there is also a possibility of competing claims. In the event that such conflicts arise, this part will attempt to resolve the same.

Part 1: The Transmogrification of the Nature of Hindu Law

 

The evolution of Hindu jurisprudence can be charted through three phases- classical, colonial, and modern.

In the classical phase, it was embodied by the Dharmashastra which elaborated on customary practices, legal procedure, as well as punitive measures. The Dharamshastra was accompanied by the Vedas, and acara. Whether this body of jurisprudence could be called 'law' in the strict modernist sense of the term is debatable.

Modernity has multifarious aspects. However, we are concerned with modernity in the context of legal systems, for the purpose of this paper. The defining attribute of a modernist legal system is the need for positivist precepts that are codified by a legislature. The underlying rationale for formalised legislation is the need for certainty in law. Law is to be uniformly applied within the territory. The formalised legislation is to be enforced by hierarchized courts. Furthermore this codified law can be modified through provisions for amendment, if need be.

This modernist understanding is what informs the English common law. With the advent of colonialism, common law was imported to India. The modernist legal system was confronted by plural indigenous legal systems here that were starkly different in nature. In the given context, the relevant indigenous system is classical Hindu law. The classical precepts were interpreted by the British. These interpretations coupled with the sources of Classical Hindu law, constituted colonial Hindu law.

It is pertinent to note that these interpretations were undertaken through a modernist lens. The implication was the attempted modernisation of a traditional legal system.

The traditional system of Classical Hindu law did not exhibit any of the introduced features. To begin with not all of classical Hindu law was text based. The problem with the textual treatises was threefold. First, they were not codes enacted by a legislature, but written by various scholars. Second, they were not phrased as positivist precepts. Third, their multiplicity was accompanied with the lack of an established hierarchy between these texts.

Additionally classical Hindu law was the embodiment of dharma, which in itself was an amorphous concept. The constitutive elements ofdharma were law, religious rites, duties and obligations of members of a community, as well as morality. These elements do not however, exhaustively define dharma. There exist varying definitions of dharma, and in some cases even ancient texts dealing with dharma fail to articulate its definition. This is on account of the fact that the meaning of dharma, varied depending on the in which it is used Owing to the fact that classical Hindu jurisprudence was informed by dharma, the former was an amalgamation of law, religion and morality. Therefore it was categorised as jurisprudence that lacked the secularity exhibited by modern positivist law.

The co-existence of law and morality in classical Hindu law has led to various debates regarding its nature. Before explicating the nature of classical Hindu law, its sources must be elaborated on. As referred to, the sources are sruti, smriti, and acara.

Sruti is constituted by the Vedas, Brahmanas, Aranyakas, and Upanishads. Vedas are divine revelations that contain no positive precept per se. They are considered as the spirit of law, and believed to be the source of the rules of dharma. The Vedas are constituted by the Rigveda, Samveda, Yajurveda and Athravaveda. Based on the Vedic texts, treatises have been written elucidating religious practices. These texts are known as the Brahmanas. The Aranyakas and the Upanishads engage in philosophical enquiries of the revelation in the Vedas.

Interpretations of the Sruti by various scholars are embodied in the Smriti. The connotations of smriti are twofold. First, it implies knowledge transmitted through memory, as opposed to knowledge directly revealed by divinity. Additionally, it is the term used to collectively reference the Dharmasutras and Dharmashastra.

Dharmasutras were essentially interpretations of revelation in only prose form, or a mixture of prose and verse. They detailed the duties and rituals to be carried out by a person, through the four stages, of his or her life. The duties laid down also varied depending on the caste of a person. They also laid down guidelines for determining punishments.

Dharmasastras on the other hand were in the verse form. Though their subject matter coincided with the Dharmasutra in terms of domestic duties and rituals, they had a wider ambit. The Dharmasastras also dealt with subjects such as statecraft, legal procedure for adjudicating disputes. In a limited way, they marked the diversification from strictly religious precepts, from those that were legal in nature. For instance the Manusmriti was an amalgamation of law and ritual. The Yajnawalkya Samhita however, has separate parts that deal with customary practices, legal procedure, and punitive measures. The Narada Smriti, in turn deals only with legal procedure and rules of adjudication.

It is opined that in due course of time, the Aryan civilisation diversified. Their life and literature were no longer limited to sacrificial practices, but took on a more 'secular' form. The Arthashastra is evidence of such diversification. Unlike the Dharmashastra, it deals with strategies to be employed in governance, regulations with regard to urban planning, commercialisation of surrogacy, espionage, among other things.

The third source of classical Hindu law, acara refers to customary practices and their authoritativeness was determined by the people. Their prevalence over textual tradition is contentious. Some opine that acara prevails over textual traditions. However, the opposing school of thought believes that customary practices prevail only if the text is unclear or disputed.

Other sources of classical Hindu law include the itihas (epics such as the Mahabharata and Ramayana), and digests written by scholars.

Given the diversity of sources and its non-conformity to positivism, the nature of classical Hindu law is a heavily contested issue. For instance, with regard to the legal procedure in the Dharmashastra, Maynes opines that these rules qualified as law in the modernist sense. Ludo Rocher however, opines that textual treatises would not qualify as law. Classical Hindu law can admittedly not be identified as strictly legal or strictly moral. However, it does in a limited way recognise the distinction between legal procedure and morality. This is to say, it is not merely a source of rituals, but also lays down precepts that are jurisprudentially relevant.

On account of its non-conformity with characteristics of a modernist legal system, classical Hindu law was displaced by its colonial version. The British attempted to accomplish this though the process of codification. The colonial attempts to codify Hindu law were carried forward by the Indian government post-independence. The result was the Hindu Code Bill. The context in which this codification took place must be examined in order to better comprehend this transmogrification. Post-independence, the idea of a Uniform Civil Code had been debated. However it was at odds with the Nehruvian notion of secularity. The codification of Hindu personal law was an attempt at modernising it, without infringing on the religious freedom of Hindus. The idea was to confine the influence of religion to the private sphere. What emerged was the Hindu Code Bill, which served as the blueprint for the Hindu Marriage Act, the Hindu Succession Act, the Hindu Minority and Guardianship Act and, the Hindu Adoption and Maintenance Act. Colonial Hindu law was thus displaced by modern Hindu law.

As Galanter observes however, modernisation through legislations may formalise or even modify classical precepts, but cannot erase them completely. For instance, Section 7 of the Hindu Marriage Act, which prescribes the ceremonial requirements for a Hindu marriage, replicates those prescribed in Classical Hindu law. Additionally a plethora of judicial decisions have relied on or taken into consideration, precepts of ancient Hindu jurisprudence.

It is evident thus that ancient precepts still inform modern Hindu law. Given their relevance, it would be erroneous to write off classical Hindu law as completely irrelevant in a modernist context.

Part II: Precepts of Privacy in Classical Hindu Law

As referred to, we have not come across a terminological equivalent of the term 'privacy' in the course of our research. The linguistic lacuna is admittedly a hurdle in articulating the pre-modern understanding of privacy as found in Hindu jurisprudence. It is not however, an argument against the very existence of privacy. The lack of pre-modern terminology necessitates the usage of modern terms in classifying the aspects of privacy detailed in Hindu jurisprudence.

Thus, broadly speaking, the aspects of privacy we have culled out from the material at hand are those of physical space/ property, thought, bodily integrity, information, communication, and identity. As will be demonstrated these aspects overlap on occasion and are by no means an exhaustive indication. In order to contextualise these aspects within the realm of Hindu jurisprudence, they are detailed below through specific illustrations.

A. Privacy of physical Space/ property

Akin to the modern legal system that first understood privacy in proprietary terms, Hindu jurisprudence too accorded importance to privacy in terms of physical space. This is further illustrated by the similarity between the common law notion of a man's house being his castle, and the institutional primacy accorded by the Naradsmriti to the household . The common denominator here is the recognition of a claim to privacy against the sovereign. This claim operated against society at large as well. For instance, an individual caught trespassing on someone else's property was liable to be fined.

These religious precepts were supplemented by those reflected in texts such as the Arthashastra. By way of illustration the house building regulations prescribed by it are largely informed by the recognition of a need for privacy. To begin with, a person's house should be built at a suitable distance from a neighbour's house, to prevent any inconvenience. In addition the house's doors and windows should ideally not face a neighbours doors and windows directly. The occupants of the house should ensure the doors and windows are suitably covered. Furthermore in the absence of a compelling justification, interference in a neighbour's affairs is penalised.Juxtaposed to religious texts that often perceived privacy as a concept driven by the imperative of purity, the Arthashastra is reflective of a secular connotation of privacy.

Though the household was privileged as the foundational institution in Hindu jurisprudence, claims of privacy extend beyond one's house to other physical objects as well, regardless of whether they were extensions of the household or not. For instance, both the Yajnawalkya Samhita and the Manusmriti condemn the usage of another person's property without his or her permission.

What is noteworthy in the context of personal property is that in an era infamous for the denigration of women, Hindu jurisprudence recognised a woman's claim over property. This property, also known as Stridhana, had varied definitions. In the Yajnawalkya Samhita for instance, it is conceptualised as, "What has been given to a woman by the father, the mother, the husband or a brother, or received by her at the nuptial fire, or given to her on her husband's marriage with another wife, is denominated Stridhana or a woman's property". In the Manusmriti, it is defined as "What was given before the nuptial fire, what was given on the bridal procession, what was given in token of love, and what was received from her brother, mother, or father, that is called the sixfold property of a woman".

Beyond mere cognizance of proprietary rights however, these precepts were also informed by the notion of exclusivity. Consequently, a woman's husband or his family were precluded from using her Stridhana, unless they were in dire straits. Additionally it was a sin for a woman's relatives to use her wealth even if the same was done unknowingly.

B. Privacy of Thought

In addition to the aspect of physical space, a claim to privacy vis-a-vis the intangible realm of thought was afforded by Hindu jurisprudence. In the modern context the link between solitude and privacy has been recognised as early as 1850 by Warren and Brandeis. The key distinction is that in the modern era this need for solitude was seen as a function of the increasing invasion of privacy. In the pre-modern era however, solitude was considered essential for self-actualisation, and not as a response to the increasing invasion of the private realm. Meditation in solitude was perceived as enabling existence in the highest state of being. In fact a life in solitude was identified as a pre-requisite for being liberated.

Though solitude itself is intangible, engaging in meditation would require a tangible solitary space. This is where the privacy of thought overlapped with the aspect of privacy of space. Accordingly, the Arthashastra prescribed that forest areas be set aside for meditation and introspection. It also recognised the need for ascetics to live within these spaces harmoniously, without disturbing each other.

It is evident, that as far as the aspects of privacy were concerned, there were no watertight compartments.

C. Privacy with respect to bodily integrity

A claim to privacy of thought can only be substantively realised when complemented by the notion of privacy with respect to bodily integrity, as corporeal existence serves as a precursor to mental well-being. The inference drawn from the relevant precepts concerning this aspect is that they were largely women-centric. Arguably they were governed by a misplaced patriarchal notion that women's modesty needed to be protected. At best they could be considered as implicit references to an expectation of privacy.

The Manusmriti states, "But she who…goes to public spectacles or assemblies, shall be fined six krishnalas". Restrictions operating during a woman's menstruation were twofold. Her family was prohibited from seeing her. Additionally cohabitation with such a woman was also forbidden. It should be pointed out that that these constructs had little to do with a woman's expectation of privacy. They were forbidden due to the attached implications of impurity that would vest in the defaulter. A woman's autonomy with regard to her body was not regarded as a factor meriting consideration.

However, there were constructs, albeit limited, which were more egalitarian in their approach and did recognise her autonomy. They established that women do have an expectation of privacy in terms of bodily integrity. Sexual assault was considered as an offence. Evidence of this is found in the Yajnawalkya Samhita which states, "If many persons know a woman against her will, each of them should be made to pay a fine of twenty four panas". In addition, the Arthashastra vested in commercial sex workers the right to not be held against their will. Further it expressly states that even a commercial sex worker cannot be forced to engage in sexual intercourse.

Women could make a claim to privacy not only against society at large, but also against their husbands. Ironically, while our contemporary legal system (i.e., the Indian legal system) fails to criminalise marital rape, the Manusmriti considered it an offence. Additionally, husbands were also prohibited from looking at their wives when the latter were in a state of relaxation.

D. Privacy of Information and Communication

While the three aspects explicated above were by and large restricted to the individual, the privacy of information and communication has been largely confined by Hindu jurisprudence to the realm of the sovereign. Both the Manusmriti and the Arthashastra acknowledge the importance of a secret council that aids the king in deliberations. These deliberations are to be carried on in a solitary place that was well-guarded. The decisions made in these deliberations are to be revealed on a need to know basis. That is to say, only persons concerned with the implementation of these decisions are to be informed. The Manusmriti also provides for private deliberation by the king on matters not involving governance. It provides, "At midday or midnight , when his mental and bodily fatigues are over, let him deliberate, either with himself alone or with his ministers on virtue, pleasure, and wealth".

Apart from governance, privacy of information also pertained to certain types of documents that were considered private in nature. These are documents that involve transactions such as partition, giving of a gift, purchase, pledge and debt. What is interesting about this precept is the resemblance it bears to the common law notion of privity. The common characteristic of the documents referred to, is that they concerned transactions undertaken between two or more persons. The rights or obligations arising from these transactions were confined to the signatories of these documents. It could be possible that the privatisation of these documents was aimed at guarding against disruption of transactions via third party intrusions.

The limited reference to private communications is found within the realm of governance, within the context of privacy of information. The only illustration of this that we have come across is the precept in the Arthashastra that requires intelligence to be communicated in code.

E. Privacy of Identity

The final aspect that warrants detailing is the privacy of identity. The notion of privacy of identity can be understood in two ways. The first deals with protection of personal information that could be traced back to someone, thus revealing his or her identity. The second recognises the component of reputation. It seeks to prevent the misappropriation or maligning of a person's identity and thus reputation. In ancient Hindu jurisprudence there is evidence of recognition of the latter. An illustration of the same is offered by the precept which states "For making known the real defects of a maiden, one should pay a fine of a hundred panas". Another precept prescribes that false accusations against anyone in general are punishable by a fine. Additionally, there is also a restriction operating against destroying or robbing a person of his or her virtue. In the modern context, the above would be understood under the rubric of defamation. These precepts are indicative of the fact that defamation was recognised as an offence way before the modern legal system afforded cognizance to the same.

Conclusion

The dominant narrative surrounding the privacy debate in India is that of the alien-ness of privacy. This paper has attempted to displace the notion that privacy is an inherently 'Western' concept that is the product of a modernist legal system. No doubt the common understanding of the legal conception of privacy is informed by modernity. In fact, the research conducted in support of this paper has been synthesised from privacy information through a modernist lens. The fact still remains however, that privacy is an amorphous context, and its conceptions vary across cultures.

To better appreciate the relevance of Classical Hindu law in a modernist context, the nature of Hindu law must be examined first. While Hindu jurisprudence might not qualify as law in the positivist sense of the term, its precepts continue to inform India's statues and judicial pronouncements.

Privacy is subjective and eludes a straitjacketed definition. On occasion this elusiveness is a function of its overlapping and varying aspects. At other times it stems from a terminological lacuna that complicates the explication of privacy. These impediments notwithstanding, it is abundantly clear that the essence of privacy is reflected in Hindu culture and jurisprudence. This may give pause to thought to those who seek to argue that 'collectivist' cultures do not value privacy or exhibit the need for it.


Daniel J. Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154(3), January 2006.

Id.

Upendra Baxi, Who Bothers About the Supreme Court: The Problem of Impact of Judicial Decisions, available at http://clpr.org.in/wp-content/uploads/2013/08/whobothersabouttheSupremeCourt.pdf (Last visited on December 23, 2014) (The enforceability of rights often sets their individual enjoyment apart from their jurisprudential value); In India, the reading of privacy into Article 21 has not resulted in a mechanism to enforce a standalone right to privacy, See R.H. Clark, Constitutional Sources of the Penumbral Right to Privacy, available at http://digitalcommons.law.villanova.edu/cgi/viewcontent.cgi?article=2046&context=vlr (Last visited on December 23, 2014) (In the United States, the right to privacy was located in the penumbra of the right to personal autonomy).

See PUCL v. Union of India, AIR 1997 SC 568.

See Griswold v. Connecticut, 381 U.S. 479 (1965); Lawrence v. Texas, 539 U.S. 558 (2003).

See The Indian Penal Code, 1850, Section 499.

See The Hindu Marriage Act, 1955 Section 22; The Special Marriage Act, 1954, Section 33.

Bhairav Acharya & Vidushi Marda, Identifying Aspects of Privacy in Islamic Law, available at http://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law (Last visited on December 23, 2014).

See Robert Lingat, The Classical Law of India (1973).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010) (This importation must be viewed against the backdrop of the characteristics of the era of Enlightenment wherein primacy was accorded to secular reason and the positivist conception of law. Davis observes "One cannot deny the increasing global acceptance of a once parochial notion of law as rules backed by sanctions enforced by the state. This very modern, very European notion of law is not natural, not a given; it was produced at a specific moment in history and promulgated systematically and often forcibly through the institutions of what we now call the nation-state, especially those nations that were also colonial powers.)"; But see Alan Gledhill, The Influence of Common Law and Equity on Hindu Law Since 1800, available at http://www.jstor.org/stable/755588 (Last visited on December 23, 2014); Werner Menski, Sanskrit Law: Excavating Vedic Legal Pluralism, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1621384 (Last visited on December 23, 2014) (However, this replacement of traditional legal systems did not extend to personal laws. Personal laws in India continue to be community-based, sometimes un-codified, draw from a diverse set of simultaneously applicable sources and traditional schools of jurisprudence.).

Supra note 8, Acharya & Marda.

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013) ("It is only recently that the debate around privacy was stuck in this "collectivist" vs. "individualistic" cultural discourse…we discovered that privacy concerns and the need for safeguards were often embedded deeply in a nation, and not just as a response to a modern phenomenon.").

Privacy International, A New Dawn: Privacy in Asia, available at https://www.privacyinternational.org/reports/a-new-dawn-privacy-in-asia/background (Last visited on December 28, 2013)

J. Duncan M. Derrett, The Administration of Hindu Law by the British, available at http://www.jstor.org/stable/177940 (Last visited on December 23, 2014).

Manusmriti, Chapter IV, 201.

Manusmriti, Chapter IV, 202.

Id.

Wael B. Hallaq, An Introduction to Islamic Law 31 (2009).

Donald R. Davis, Jr., The Spirit of Hindu Law (2010).

Marc Galanter, The Displacement of Traditional Law in Modern India, Journal of Social Issues, Vol. XXIV, No. 4, 1968.

Id.

Supra note 20, Galanter.

Supra note 10, Menski.

Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Id.

Ashcroft as cited in Werner Menski, Hindu Law: Beyond Tradition and Modernity (2003).

Supra note 20, Galanter.

Id.

Id.

Id .

Id .

Id .

Supra note 19, Davis.

Id.

Id.

Id .

Id .

J. Duncan M. Derrett, Introduction to Modern Hindu Law (1963); Supra note 19, Davis.

Supra note 9, Lingat.

Id.

Id.

Id.

Id.

Id.

Id.

Id.

Id.

Id.

John D. Mayne, Hindu Law (1875).

Id.

Supra note 49, Mayne.

Id.

Supra note 19, Davis.

Id.

Id.

Supra note 49, Mayne.

Ludo Rocher, Studies in Hindu Law and Dharamasastra (2012).

For instance the Yajnawalkya Samhita has clear delineations in its chapters, segregating customary practices, legal procedure and punitive measures.

Madhu Kishwar, Codified Hindu Law: Myth and Reality, available at http://www.jstor.org/stable/4401625 (Last visited on December 23, 2014).

Id .

Supra note 59.

Id.

Id.

Id.

Supra note 20, Galanter.

See The Hindu Marriage Act, 1955, Section 7.

Saroj Rani v. Sudarshan Kumar Chadda, AIR 1984 SC 1562 (reflected the importance accorded by classical Hindu law to marital stability); M Govindaraju v. K Munisami Goundu 1996 SCALE (6) 13(The Supreme Court looked to ancient Shudra custom to adjudicate on a matter of adoption); Rajkumar Patni v. Manorama Patni, II (2000) DMC 702 (The Madhya Pradesh High Court, relied on the definition of Stridhan by Manu.).

Supra note 8, Acharya & Marda.

Semayne v. Gresham, 77 Eng. Rep. 194, 195; 5 Co. Rep. 91, 195 (K.B. 1604).

As cited in Julius Jolly, The Minor Law Books 164 (1889), ("A householder's house and field are considered as the two fundamentals of his existence. Therefore let not the king upset either of them; for that is the root of the householders").

Manmath Nath Dutt, The Dharamshastra - Hindu Religious Codes, Volume 1, 103 (1978) (Yajnawalkya Samhita, Chapter II 235-236: "He…who opens the doors of a closed house [without the permission of the master]…should be punished with fifty panas. Such is the law.").

L.N. Rangarajan, Kautalya: The Arthashastra 371 (1992) ("O be built at a suitable distance from the neighbours property so as not to cause inconvenience to the neighbour").

Id ., ("…doors and windows shall be made so as not to cause annoyance by facing a neighbour's door or window directly").

Supra note 72, Rangarajan, ("when the house is occupied the doors and windows shall be suitably covered").

Id., 376.

See Manusmriti, Chapter IV, 201-202.

Supra note 71, Dutt, 27 (Yajnawalkya Samhita, Chapter I , 160: "One should avoid the bed, seat, garden-house and the conveyance belonging to another person.").

Supra note 71, Dutt, 89 (Yajnawalkya Samhita, Chapter II, 146).

Manusmriti, Chapter IX, 194.

Supra note 71, Dutt Volume 2, 276 (Angiras Samhita, Chapter I, 71).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, Harvard Law Review, Vol. IV, December 15, 1890, No.5.

Id.

Manusmriti, Chapter IV, 258; Supra note 71, Dutt, 134 (Yajnawalkya Samhita Chapter III, 111: "Having withdrawn the mind, understanding, retentive faculty and the senses from all their objects, the soul, the lord…should be meditated upon.").

Manu Chapter VI, 44.

Supra note 71, Dutt, 186 (Harita Chapter VII, 6: "Situated in a solitary place with a concentrated mind, he should, till death mediate on the atman, that is situated both in the mind and the external world… ").

Supra note 72, Rangarajan, (Arthashastra, 2.2.2).

Supra note72, Rangarajan, (Arthashastra 3.16.33-36).

Manusmriti IX, 84

Supra note 71, Dutt, Volume 2, 350 (Samvarta Samhita,163).

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 291).

Supra note 71, Dutt, Volume 1, 113 (Yajnawalkya Samhita, Chapter II, 294).

Supra note 72, Ranjarajan (Arthashastra 2.27.14).

Supra note 72, Rangarajan (Arthashastra 4.13.38).

Manusmriti, X, 62

Manusmriti Part VII, Supra note 101, Rangarajan (Arthashastra 1.15.2-5, 1.15.13-17).

Supra note 72, Rangarajan (Arthashastra 1.15.2-5 : The scrutiny of governance related affairs was take place in a secluded and well-guarded spot, where it could not be overheard. No unauthorised person was allowed to approach these meetings.).

Supra note 72, Rangarajan (Arthashastra 1.15.13-17: "…Only those who have to implement it should know when the work is begun or when it has been completed.").

Supra note 72, Rangarajan.

Supra note 71, Dutt, Volume 1, 112 (Yajnawalkya Samhita, Chapter II, 292).

Supra note 71, Dutt, Volume 4, 919 (Vishnu Samhita, Chapter LII, 16).

Roundtable on Indian Privacy Law and Policy

by Bhairav Acharya last modified Dec 27, 2014 02:18 PM
This event was hosted by the Centre for Law and Development of the National University of Advanced Legal Studies (NUALS) in Kochi. It was attended by members of the faculty of NUALS, some students from the 2nd year, 3rd year, 4th year, and 5th year.

The meeting began with a talk by Bhairav Acharya on the origin of privacy law, its jurisprudential evolution, and the current context in which privacy is being debated in India and around the world.

Bhairav began by talking about the nature of privacy law around the world. Privacy has, until recently, never been a right in English common law. Indeed, the tort of invasion of privacy is also relatively incomplete. Privacy is protected through other torts, including the torts of nuisance, trespass, and others. European treaty requirements have foisted a right to privacy upon the British legal system; the contours of this right remain unclear.

American courts, on the other hand, have been more receptive to claims of the right to privacy. There is much in the American political and legal tradition that has contributed to the easy acceptability of privacy claims. Not least among these are the strong emphasis on the individual as the fundamental unit of governance and sovereignty, and the American libertarian tradition of autonomy.

Bhairav then spoke of the right to privacy in India. Early cases in the Supreme Court of India see privacy as a negotiation between the liberties of citizens and the power of the state. In a legal tradition deeply influenced by colonialism, Indian courts readily accepted claims against physical police surveillance and other related rights in the criminal justice process – public rights against the state that were once denied to Indian subjects of colonial rule, but held short of viewing privacy as a necessary individual protection against society. This has resulted in dichotomous privacy jurisprudence.

Bhairav then talked about the contexts in which privacy claims arise in India today. Specifically, he spoke about increasingly sophisticated surveillance techniques and large-scale personal data collection and processing. There are many complexities in both these fields and a lot of time and questions were spent going over them. Surveillance is older than the nation-state; privacy law does not seek the end of surveillance, but only its optimal use. There are many kinds of surveillance, the contemporary debate deals solely with wiretapping and electronic surveillance. Privacy law cannot be blind to the many other kinds of surveillance, including old-fashioned physical surveillance on the road.

Data collection, too, cannot be ended, nor should it for it forms the basis of modern commerce and is tied to India’s economic growth. There were questions and discussion on ‘big data’, data mining, analytics, business models, and other related areas. In India, however, in the absence of an innovative IT industry, the dominant business model is of receiving foreign personal data, usually of Europeans and Americans, to provide cheap processing services. This model depends entirely on comparatively lower Indian wages. Hence, it is not surprising that the first personal data protection rules issued by the Indian government in 2011 applied solely to foreign data that was outsourced to India.

Bhairav then introduced the 2011 draft Right to Privacy Bill that was proposed by the Department of Personnel and Training of the Indian government, as well as the Personal Data Protection Rules issued under the Information Technology Act, 2000. These measures were studied clause-by-clause.

Similarly, Indian law in respect of communications surveillance was analysed in detail. The Indian Telegraph Act 1885, the Indian Telegraph Rules 1951 (including the amendments of 1961, 1999, 2007, and 2014) were looked at in detail. These laws were compared to the Indian Post Office Act 1898 and the Information Technology Act 2000. The 1968 report of the Law Commission of India that examined the wiretapping power and suggested possible overreach was also examined.

Bhairav reviewed Indian law in respect of wiretapping. All Supreme Court case law, especially the cases of Hukum Chand and Peoples Union for Civil Liberties, were analysed. Finally, the group looked at how the legal principles applicable to wiretapping have been extended to electronic and Internet surveillance. Over here, the group studied the two sets of 2011 Rules under the IT Act that enable Internet and email surveillance of both content and metadata.

After a lunch break, the group spoke about possible models for privacy regulation and protection in India. In respect of surveillance, a lot of time was spent discussing the merits and demerits of judicial warranting of surveillance, as opposed to executive authorisations. The consensus of the group, with a few exceptions, was that judicial warranting would not be a suitable model for Indian surveillance, due to several systemic weaknesses. The group also rejected several of the principles proposed by Justice A. P. Shah in the 2012 Report that was commissioned by the Planning Commission.

After a discussion on legislative models, the group discussed, clause-by-clause, the CIS proposal on privacy that was read through by Bhairav. This discussion lasted several hours, and covered many areas.

Relationship Between Privacy and Confidentiality

by Vipul Kharbanda last modified Dec 30, 2014 02:27 PM
The laws of breach of confidentiality and breach of privacy at first glance seem very similar to each other. If a doctor releases health information relating to a patient that s/he is treating then such an act would give rise to a claim both under the law of privacy as well as under the law of confidentiality.

Similar is the case with financial information released by a bank, etc. This makes one wonder exactly where and how it is that the law of breach of privacy intersects with that of the law of confidentiality. An enquiry into such a complex question of law requires a deeper appreciation of the relationship between these two different principles of law which require a better understanding of the origins and evolutions of these principles.

In this paper we shall try to explore the origins of both the law of privacy as well as confidentiality as they have evolved in the field of tort law in India. Although our primary focus is Indian law, however in order to understand the evolution of these principles it is necessary to discuss their evolution in three common law jurisdictions, viz. the United States of America, the United Kingdom and India. The reason for an analysis of these three jurisdictions will become clear as the reader goes further into this paper, however for ease of reference it would be better if the reason is clarified here itself. The concept of a right against breach of confidentiality has existed in English common law for a very long time, however the concept of a claim for breach of privacy originated only in American law, other than some statutory protection granted in the last couple of decades, has still not been granted recognition in English common law.

After a discussion of the evolution of these principles in both American and English law, we will then discuss these principles as they exist in Indian law. This discussion will (or should) at once become easier to understand and digest because of the deeper understanding of the interplay between these two principles gained from a reading of the first two chapters.

Privacy Torts: American Origins

Looking at the origins of privacy law it has been argued by many academics that the law of privacy in common law has its origins in an article published by Samuel Warren and Louis Brandies in the Harvard Law Review in 1890.[1] Warren and Brandeis suggested that one could generalise certain cases on defamation, breach of copyright in unpublished letters, trade secrets and breach of confidence as all based upon the protection of a common value which they called privacy.[2] The authors relied upon the existing body of cases relating to the law of confidentiality and interpreted it in a way so as to create a "right to privacy" which has evolved into a right quite different from the common understanding of confidentiality.

Although there are certain criticisms of the article by Warren and Brandeis, the background in which the article was written and the lacuna that these two scholars were trying to fill in the law of confidentiality as it existed at that time gives some context to the reasons why they felt the need to move away from the existing principles and propose a new principle of law. Samuel Warren and Louis Brandies were both worried about the invasion of personal space by the advent of the news and print media which was experiencing a boom during the late 19th century. [3] Warren and Brandeis were worried that although the existing body of law on confidentiality would protect a person from having their picture put on a postcard by their photographer without their consent,[4] however if there was no relationship between the two persons there would be no remedy available to the aggrieved party. [5]

One of the criticisms of Warren and Brandeis' article is that to propose the existence of a right to privacy they relied heavily on the English case of Prince Albert v. Strange[6]. It has been proposed by some academics that this was a case which dealt with confidentiality and literary property which was characterized by Warren and Brandeis as a privacy case. [7] In this case Prince Albert sought to restrain publication of otherwise unpublished private etchings and lists of works which were made by Queen Victoria. The etchings appeared to have been removed surreptitiously from the private printer to whom these etchings were given and came into the possession of one Mr. Strange who wanted to print and sell the etchings. The case specifically rejected the existence of a right to privacy in the following words:

"The case is not put by the Plaintiff on any principle of trust or contract, but on property; there is nothing to show contract or confidence. It cannot be maintained that privacy constitutes property, or that the Court will interfere to protect the owner in the enjoyment of it; Chadler v. Thompson (3 Camp. 80). In William Aldred's case (9 Rep. 58 b.), Wray C. J. said, "The law does not give an action for such things of delight"."

Infact the case mentioned the term "privacy" only once, but that statement was made in the context of whether a delay in granting an injunction in such cases would defeat the entire purpose of the suit and was not preceeded or followed by any discussion on a distinct right to privacy:

"In the present case, where privacy is the right invaded, postponing the injunction would be equivalent to denying it altogether. The interposition of this Court in these cases does not depend upon any legal right, and to be effectual, it must be immediate."

However, Warren and Brandeis interpreted this case in a different manner and came to the conclusion that the "principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality".[8]

The article further incorporated the language of Judge Cooley's treatise (Cooley on Torts)[9] which used the phrase "the right to be let alone". They said that identifying this common element should enable the courts to declare the existence of a general principle which protected a person's appearance, sayings, acts and personal relations from being exposed in public. [10] However it has been argued by some scholars that this phrase was not used by Judge Cooley with as much import as has been given by Warren and Brandeis in their article. The phrase was used by Judge Cooley in mere passing while discussing why tort law protected against not only batteries but also assaults with no physical contact, and had no connection with privacy rights. [11]

Warren and Brandeis' article started getting almost immediate attention and some amount of recognition from various quarters,[12] though it cannot be said that it was universally well received. [13] However over time this tort of privacy slowly started getting recognized by various Courts throughout the United States and got a huge boost when it was recognized in a brief section in the First Restatement of Torts published in 1939. The right to privacy in American jurisprudence got another boost and became fully entrenched later on specially with the endorsement of Dr. William Prosser who discussed privacy in his treatise on the law of torts, the subsequent editions of which had a more and more elaborate discussion of the tort of privacy. This development of the law was further enhanced by Dr. Prosser's position as a reporter of the Second Restatement of Torts, which imported a four part taxonomy of the privacy tort which had been suggested by Dr. Prosser in his previous works.[14]

Thus we see how, beginning with the article by Warren and Brandeis in 1890, the privacy tort in American jurisprudence developed over the years and became further entrenched due to the influence of William Prosser and his works on the tort of privacy.

Privacy Torts in England: An Elaborate Principle of Confidentiality

The law of confidentiality in English law, as applied in certain specific contexts such as attorney client privileges, [15] doctor patient confidentiality,[16] etc. has been applied since hundreds and even though cases relating to the breach of confidentiality had already existed, however the case of Prince Albert v. Strange,[17] be it due to the interesting facts or the fame of the parties involved, is still considered as the clearest and most well established precedent for the tort of breach of confidence.[18] Similar cases relying upon this tort kept being decided by the English Courts but the tort of confidentiality was further cemented in English common law by the case of Saltman Engineering Co. v. Campbell Engineering Co.,[19] which expanded the application of the principle by holding that the obligation to respect confidence is not limited to only instances where parties have a contractual relationship.

The seminal case on the tort of breach of confidentiality in English law was that of Coco v. A.N Clark (Engineers) Ltd., [20] where an inventor enjoined a moped manufacturer from using design ideas communicated by the inventor during failed contractual negotiations with the manufacturer.[21] In this case Megarry J., held that a case of breach of confidence normally requires three elements to succeed, apart from contract, (i) the information itself must have the necessary quality of confidence about it, (ii) that information must have been imparted in circumstances importing an obligation of confidence, and (iii) there must be an unauthorised use of that information to the detriment of the party communicating it.

Relying on the principles enunciated in the above cases and developed by subsequent decisions, English law relating to the tort of breach of confidentiality developed into a robust and flexible body of law protecting personal and commercial information from disclosure. Infact by the late 1990s, English law was very broad and gradually expanding in its scope of the tort of breach of confidentiality and Courts had stretched the idea of an obligation of confidence so as to include cases where there was not even any communication between the parties, such as secret photography and wiretapping. Further since third parties had already been reposed with an obligation of confidence when they knowingly received confidential material even if they did not have any relationship with the plaintiff, therefore the law of confidence could be extended to parties outside the relationship in which the confidence was initially made. This, although was not as broad and overarching as the American privacy tort, still had the ability to cover a wide range of cases. [22]

While English Courts on the one hand kept trying to expand the scope of the confidentiality tort, they also categorically rejected the existence of a privacy tort on the lines developed under American jurisprudence. The suggestion of the existence of such a privacy tort in English law was most recently rejected by the House of Lords in the case of Wainwright v. Home Office,[23] by Lord Bingham in the following words:

"What the courts have so far refused to do is to formulate a general principle of "invasion of privacy" (I use the quotation marks to signify doubt about what in such a context the expression would mean) from which the conditions of liability in the particular case can be deduced."

In this case the plaintiffs made a claim against the prison authorities for strip searching them before they went to meet an inmate and since the incident occurred before the coming into force of the Human Rights Act, 1998 of the UK had not yet come into force, so the plaintiffs also argued that there was an existing tortuous remedy based on a breach of privacy in common law. While discussing whether English Courts were amenable to or had ever recognized such a common law tort of privacy, the House of Lords cited decisions such as Malone v Metropolitan Police Comr, [24] and R v Khan (Sultan),[25] in both of which the courts refused to recognize a general right to privacy in the context of tapping of telephones.

The absence of any general cause of action for invasion of privacy was also acknowledged by the Court of Appeal in the context of a newspaper reporter and photographer invading into a patient's hospital bedroom in an effort to purportedly interview him and taking photographs, in the case of Kaye v Robertson.[26]

Thus relying on the above line of cases the House of Lords concluded that a general right to privacy does not exist in English common law:

"All three judgments are flat against a judicial power to declare the existence of a high-level right to privacy and I do not think that they suggest that the courts should do so. The members of the Court of Appeal certainly thought that it would be desirable if there was legislation to confer a right to protect the privacy of a person in the position of Mr Kaye against the kind of intrusion which he suffered, but they did not advocate any wider principle."

Thus it is clear that English Courts have time and again denied the existence of an American style right to privacy as emanating from common law. The Courts have instead tried to expand and widen the scope of the tort of confidentiality so as to cover various situations which may arise due to the pervasiveness of technology and which the traditional interpretation of the law of confidentiality was not equipped to deal with.

Therefore it is now a little clearer that the reason for the existence of the confusion between the torts of privacy and confidentiality is that the right to privacy had its origins in the common law precedents but the right to privacy developed as a distinct and separate right in America, primarily due to the influence of Warren and Brandeis's article as well as the works of William Prosser, whereas the Courts in England did not adopt this principle of privacy and instead favored a much more elaborate right to confidentiality. In the Indian context, this has led to some amount of confusion because, Indian case laws, as will be seen in the following chapter, borrowed heavily from American jurisprudence when discussing the right to privacy and not all cases have been able to clearly bring out the difference between the principles of privacy and confidentiality.

Indian Law

Tort of Breach of Privacy

Any analysis of the right to privacy in India, be it in the realm of constitutional law or tort law almost always includes within its ambit a discussion of the two celebrated cases of Kharak Singh v. Union of India[27] and Govind v. State of M.P.,[28] which elevated the right to privacy to the pedestal of a fundamental right under Indian law. However, an unintended consequence of this has been that pretty much every commentator on Indian law includes a discussion of these two cases when discussing the right to privacy, be it under constitutional law or under tort law. However, there is one problem with such an analysis of the right to privacy, viz. these two cases were dealing with a pure constitutional law question and relied upon American case laws to read into Article 21 an inbuilt right to privacy. However from a strictly tort law perspective, these cases are not relevant at all, and the seminal case for the tort of breach of privacy would have to be the Apex Court decision in R. Rajagopal v. State of Tamil Nadu, [29] which specifically recognized this distinction and stated that the right to privacy has two different aspects, (i) the constitutional right to privacy, and (ii) the common law right to privacy.

The facts of the R. Rajagopal case revolve around the publishing of the autobiography written by the prisoner Auto Shankar, who had been placed in jail for committing multiple murders. The autobiography contained proof of involvement of many IAS, IPS officers in his crimes. Although Shankar had initially requested that the magazine print his autobiography, he later requested that his story not be published. The publishers held that it was their right to publish the autobiography while the IPS and IAS officers on the other hand claimed that Auto Shankar was trying to defame them and wanted to ban its publication. The Supreme Court in this case, implicitly accepts the existence of a right to privacy under Indian tort law when

"21.The question is how far the principles emerging from the United States and English decisions are relevant under our constitutional system. So far as the freedom of press is concerned, it flows from the freedom of speech and expression guaranteed by Article 19(1)(a). But the said right is subject to reasonable restrictions placed thereon by an existing law or a law made after the commencement of the Constitution in the interests of or in relation to the several matters set out therein. Decency and defamation are two of the grounds mentioned in clause (2). Law of torts providing for damages for invasion of the right to privacy and defamation and Sections 499/500 IPC are the existing laws saved under clause (2). "

Discussing the distinction between the two aspects of the right to privacy, the Court held:

"The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. This right has two aspects which are but two faces of the same coin (1) the general law of privacy which affords a tort action for damages resulting from an unlawful invasion of privacy and (2) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful governmental invasion. The first aspect of this right must be said to have been violated where, for example, a person's name or likeness is used, without his consent, for advertising or non-advertising purposes or for that matter, his life story is written whether laudatory or otherwise and published without his consent as explained hereinafter. In recent times, however, this right has acquired a constitutional status."

After a discussion of the various arguments presented by the parties (a number of which are not relevant for the purposes of this paper), the Supreme Court laid down the following principles regarding freedom of the press and the right to privacy:

(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.

(2) The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

(3) There is yet another exception to the rule in (1) above - indeed, this is not an exception but an independent rule. In the case of public officials, it is obvious, right to privacy, or for that matter, the remedy of action for damages is simply not available with respect to their acts and conduct relevant to the discharge of their official duties. This is so even where the publication is based upon facts and statements which are not true, unless the official establishes that the publication was made (by the defendant) with reckless disregard for truth. In such a case, it would be enough for the defendant (member of the press or media) to prove that he acted after a reasonable verification of the facts; it is not necessary for him to prove that what he has written is true. Of course, where the publication is proved to be false and actuated by malice or personal animosity, the defendant would have no defence and would be liable for damages. It is equally obvious that in matters not relevant to the discharge of his duties, the public official enjoys the same protection as any other citizen, as explained in (1) and (2) above. It needs no reiteration that judiciary, which is protected by the power to punish for contempt of court and Parliament and legislatures protected as their privileges are by Articles 105 and 104 respectively of the Constitution of India, represent exceptions to this rule."

The above principles have ruled the roost on the issue of privacy and freedom of the press under Indian law, with certain minimal additions. It has been held by the Delhi High Court that even though a claim for damages may be made under tort law for breach of privacy, the Court may even grant a pre-publication injunction to prevent a breach of privacy.[30] The principles laid down inR. Rajagopal were further clarified in the case of Indu Jain v. Forbes Incorporated, [31] where a case was filed by Indu Jain in the Delhi High Court to stop Forbes magazine from featuring her family in the Forbes List of Indian Billionaires. After a discussion of the various authorities and cases on the issue the Court summarized the principles relating to privacy and freedom of the press and applying those principles rejected the claim of the plaintiff. However for the purposes of our discussion these principles are extremely useful, and have been listed below:

"(V) Public or general interest in the matter published has to be more than mere idle curiosity.

(VI) Public figures like public officials play an influential role in ordering society. They have access to mass media communication both to influence the policy and to counter-criticism of their views and activities. The citizen has a legitimate and substantial interest in the conduct of such persons and the freedom of press extends to engaging in uninhibited debate about the involvement of public figures in public issues and events. (Ref. (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others Para 18).

(VII) Right to privacy that rests in an individual may be waived by him by express or implied consent or lost by a course of conduct which estops its assertions. Such implication may be deduced from the conduct of the parties and the surrounding circumstances.

(VIII) A public person or personage is one who by his standing, accomplishment, fame, mode of life or by adopting a profession or calling which gives the public a legitimate interest in his doings, affairs and character has so become a public figure and thereby relinquishes at least a part of his privacy.

(IX) The standard to be adopted for assessing as to whether the published material infracts the right to privacy of any individual is that of an ordinary man of common sense and prudence and not an out of ordinary or hyper-sensitive man. (Ref. (2007) 1 SCC 143 Ajay Goswami v. UOI & Ors.).

(X) Even though in this country, the freedom of press does not have presumptive priority as in some other jurisdictions including the United States of America, however the importance of a free media of communication to a healthy democracy has to receive sufficient importance and emphasis.

(XI) In evaluating a relief to be granted in respect of a complaint against infraction of the right to privacy, the court has to balance the rights of the persons complaining of infraction of right to privacy against freedom of press and the right of public to disclosure of newsworthy information. Such consideration may entail the interest of the community and the court has to balance the proportionality of interfering with one right against the proportionality of impact by infraction of the other.

(XII) The publication has to be judged as a whole and news items, advertisements and published matter cannot be read without the accompanying message that is purported to be conveyed to public. Pre-publication censorship may not be countenanced in the scheme of the constitutional framework unless it is established that the publication has been made with reckless disregard for truth, publication shall not be normally prohibited. (Ref.: (2007) 1 SCC 143 Ajay Goswami Vs. UOI & Ors.; (1994) 6 SCC 632 R. Rajagopal & Anr. Vs. State of Tamil Nadu & Others and AIR 2002 Delhi 58 Khushwant Singh & Anr. Vs. Maneka Gandhi)."

Thus we see that the right to privacy in Indian law, even in the realm of tort law has had an inextricable connection with constitutional principles and constitutional cases have had a very huge impact on the development of this right in India. However a perusal of these cases shows that the right to privacy is available only insofar as information which is personal in nature, however in situations where the information is non-personal in nature the right to privacy may not be as useful and this is where, as we shall see below, the tort of breach of confidentiality comes in to fill the void.

Tort of Breach of Confidentiality

While there have been a number of landmark cases in India on the issue of breach of confidence in a contractual or a statutory setting, these cases are not very relevant for a discussion on the tort of breach of confidentiality. This is not to say that the tort of breach of confidentiality is non-existent in Indian law, the Courts here have time and again accepted that there does exist such a tortuous remedy in certain situations. We shall now try to examine the contours of this principle of torts by discussing some of the landmark cases on the topic.

In the case of Petronet LNG Ltd. v. Indian Petro Group and Another, [32] the Delhi High Court considered a claim by a corporation seeking to prevent a news and media group from reporting its confidential negotiations and contracts with counterparties. The claim was based upon both the right to privacy as well as the right to confidentiality but in this case the court, looking at the fact that the plaintiff was a corporation and also the type of information involved denied the claim on the right to privacy. However, it did allow the injunction claimed by the corporation based on the right to confidentiality. Summarizing its discussion of the right to confidentiality, the Court stated thus:

"49. It may be seen from the above discussion, that originally, the law recognized relationships- either through status (marriage) or arising from contract (such as employment, contract for services etc) as imposing duties of confidentiality. The decision in Coco (1969) marked a shift, though imperceptibly, to a possibly wider area or zone. Douglas noted the paradigm shift in the perception, with the enactment of the Human Rights Act; even before that, in Attorney General (2) (also called the Spycatcher case, or the Guardian case) the Court acknowledged that there could be situations -where a third party (likened to a passerby, coming across sensitive information, wafting from the top of a building, below) being obliged to maintain confidentiality, having regard to the nature and sensitivity of the information….."

While discussing the factors that the Court would have to consider while deciding a claim based on the breach of confidentiality, the Delhi High Court relied upon and quoted from English judgments as follows:

"50. Even while recognizing the wider nature of duty - in the light of the Human Rights Act, 1998, and Articles 8 and 10 of the European Convention, it was cautioned that the court, in each case, where breach of confidentiality, is complained, and even found- has to engage in a balancing process; the factors to be weighed while doing so, were reflected in A v. B Plc [2003] QB 195; the latest judgment in H.R.H. Prince of Wales indicates that the court would look at the kind of information, the nature of relationship, etc, and also consider proportionality, while weighing whether relief could be given:

"The court will need to consider whether, having regard to the nature of the information and all the relevant circumstances, it is legitimate for the owner of the information to seek to keep it confidential or whether it is in the public interest that the information should be made public….

..In applying the test of proportionality, the nature of the relationship that gives rise to the duty of confidentiality may be important."

Holding that the principles discussed in the English cases given in the context of individual rights of confidentiality would also hold good in the case of corporations, the Court held that:

"51. Though the reported cases, discussed above, all dealt with individual right, to confidentiality of private information (Duchess of Argyll;Frazer; Douglas; Campbell and H.R.H. Prince of Wales) yet, the formulations consciously approved in the Guardian, and Campbell, embrace a wider zone of confidentiality, that can possibly be asserted. For instance, professional records of doctors regarding treatment of patients, ailments of individuals, particulars, statements of witnesses deposing in investigations into certain types of crimes, particulars of even accused who are facing investigative processes, details victims of heinous assaults and crimes, etc, may, be construed as confidential information, which, if revealed, may have untoward consequences, casting a corresponding duty on the person who gets such information - either through effort, or unwittingly, not to reveal it. Similarly, in the cases of corporations and businesses, there could be legitimate concerns about its internal processes and trade secrets, marketing strategies which are in their nascent stages, pricing policies and so on, which, if prematurely made public, could result in irreversible, and unknown commercial consequences. However, what should be the approach of the court when the aggrieved party approaches it for relief, would depend on the facts of each case, the nature of the information, the corresponding content of the duty, and the balancing exercise to be carried out. It is held, therefore, that even though the plaintiff cannot rely on privacy, its suit is maintainable, as it can assert confidentiality in its information."

Apart from privacy, the law of confidentiality has been used in cases where there has been a definite harm to one side but none of the other laws provide for any relief. This was the situation in the case of Zee Telefilms Limited v. Sundial Communications Pvt Ltd, [33] where a company which developed television and media programming had discussed their concept of a new show with a network during negotiations which could not be finalized. The network however subsequently tried to start a new show which was based on the same concept and idea as the one presented by the plaintiff company. The plaintiff sued the network, inter alia on a claim for breach of confidential information and asked that the network be prevented from airing its show. In this case the plaintiff's claim based on copyright was rejected because copyright only subsists on the expression of an idea and not the idea itself, therefore the tort of breach of confidentiality had to be resorted to in order to give relief to the plaintiffs. Discussing the difference between confidentiality and copyright, the Division Bench of the Bombay High Court held:

"10. The law of the confidence is different from law of copyright. In paragraph 21.2 (page 721), [of Copinger and Skone-James on Copyright (13th Edn.)] the learned author has pointed out that right to restrain publication of work upon the grounds, that to do so would be breach of trust of confidence, is a broader right than proprietary right of copyright. There can be no copyright of ideas or information and it is not infringement of copyright to adopt or appropriate ideas of another or to publish information received from another, provided there is no substantial copying of the form in which those ideas have, or that information has, been previously embodied. But if the ideas or information have been acquired by a person under such circumstances that it would be a breach of good faith to publish them and he has no just case or excuses for doing so, the court may grant injunction against him. The distinction between the copyright and confidence may be of considerable importance with regard to unpublished manuscripts / works submitted, and not accepted, for publication or use. Whereas copyright protects material that has been reduced to permanent form, the general law of confidence may protect either written or oral confidential communication. Copyright is good against the world generally while confidence operates against those who receive information or ideas in confidence. Copyright has a fixed statutory time limit which does not apply to confidential information, though in practice application of confidence usually ceases when the information or ideas becomes public knowledge. Further the obligation of confidence rests not only on the original recipient, but also on any person who received the information with knowledge acquired at the time or subsequently that it was originally given in confidence."

A similar view, in a similar fact situation Single Judge Bench of the Delhi High Court had also came to a similar conclusion in the case of Anil Gupta v. Kunal Das Gupta.[34]

The law of confidentiality has also come to the rescue of employers in attempting to prevent important business and client information from being taken or copied by the employees for their personal gain. In the case of Mr. Diljeet Titus, Advocate v. Mr. Alfred A. Adebare, [35] the Delhi High Court had to decide a claim based on breach of confidentiality when some ex-employees of a law firm tried to take away client lists and drafts of legal agreements and opinions from their earlier employer-law firm. Discussing the importance of preventing employees or former employees from away which such actions, the Court held as follows:

"81. I am in full agreement with the views expressed in Margaret, Duchess of Argyll (Feme Sole) v. Duke of Argyll and Ors. (1965) 1 All ER 611, that a Court must step in to restrain a breach of confidence independent of any right under law. Such an obligation need not be expressed but be implied and the breach of such confidence is independent of any other right as stated above. The obligation of confidence between an advocate and the client can hardly be re-emphasised. Section 16 of the Copyright Act itself emphasizes the aspect of confidentiality de hors even the rights under the Copyright Act. If the defendants are permitted to do what they have done it would shake the very confidence of relationship between the advocates and the trust imposed by clients in their advocates. The actions of the defendants cause injury to the plaintiff and as observed by Aristotle: 'It makes no difference whether a good man defrauds a bad one, nor whether a man who commits an adultery be a good or a bad man; the law looks only to the difference created by the injury."

The Court allowed the claim of the law firm holding that the relationship between a law firm and its attorneys is of a nature where information passed between them would be covered by the law of confidence and would not be allowed to be copied or used by the attorneys for their individual gain.

Recently, in 2009, the principles relating to breach of confidentiality under Indian law were very succinctly summarized by the Bombay High Court in the case of Urmi Juvekar Chiang v. Global Broadcasting News Limited,[36] where in a fact situation similar to the ones in Zee Telefilms case and the Anil Gupta case, the Court discussed a number of previous cases on breach of confidentiality and laid down the following principles:

"8. The principles on which the action of breach of confidence can succeed, have been culled out as

(i) he (Plaintiff) had to identify clearly what was the information he was relying on;

(ii) he (Plaintiff) had to show that it was handed over in the circumstances of confidence;

(iii) he (Plaintiff) had to show that it was information of the type which could be treated as

confidential; and

(iv) he (Plaintiff) had to show that it was used without licence or there was threat to use it…… It is further noted that at interlocutory stage, the Plaintiff does not have to prove (iii) and (iv) referred to above, as he will at the trial. But the Plaintiff must address them and show that he has atleast seriously arguable case in relation to each of them."

From the above discussion on Indian law it is clear that the Courts in India have tried to incorporate the best of both worlds, in the sense that it has taken and adopted the principle of a right to privacy, a breach of which would give rise to an action in torts, from American jurisprudence while rejecting the stand taken by English Courts in rejecting such a right to privacy. However, Indian Courts have often referred to the decisions given by English Courts as well as American Courts in interpreting the principle of the right to confidentiality. Therefore on an overall examination it would appear that insofar as the rights to privacy and confidentiality are concerned, Indian jurisprudence has more in common with American law rather than English law.

Conclusion

The law of privacy does not seem to have existed as a recognizable principle of law before it was propounded in the article by Warren and Brandeis in the Harvard Law Review in 1890. It slowly gained traction in American jurisprudence over the twentieth century but was rejected outright by the Courts in England, which preferred to follow the principle of confidentiality rather than privacy and tried to expand that old principle to fit newer and newer situations. Since Indian law borrows heavily from English law and to a smaller extent also from American law, the Courts in India have accepted both, the principle of a right to privacy as well as a right to confidentiality. This is not to say that the Courts in America do not recognize a right to confidentiality and only accept a right to privacy. Infact American Courts, just like their Indian counterparts, recognize both a right to confidentiality as well as a right to privacy.

Since Indian courts accept both the concept of breach of privacy as well as breach of confidentiality, one should not try to figure out if a particular circumstance is more appropriate for the one over the other, but actually use both principles to supplement one another for achieving the same objective. For example in situations where the conditions required for the application of the law of confidentiality do not exist such as disclosure of personal information by a person who did not receive it in a confidential capacity, one could apply the principle of privacy to prevent such information being disclosed or claim a remedy after disclosure. On the other hand if the information to be disclosed is not of a personal nature then one could try to utilize the law of confidentiality to prevent disclosure or claim damages.


[1] Harry Kalven, Jr., Privacy in Tort Law-Were Warren and Brandeis Wrong?, "31 Law & Contemp. Problems". 326, 327 (1966). Elbridge L. Adams, The Right of Privacy, and Its Relation to the Law of Libel, 39 AM. L. REV. 37 (1905).

[2] Wainwright v. Home Office, 2003 UKHL 53.

[3] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 at 128 and 132 (2007).

[4] Pollard v. Photographic Co., (1888) 40 Ch. D. 345.

[5] It is also said that this concern arose out of the personal experience of Samuel Warren, whose wedding announcement as well as the report on his sister-in-law's death in the newspapers did not go down well with him. http://www.english.illinois.edu/-people-/faculty/debaron/380/380powerpoint/privacy.pdf

[6] (1848) 41 Eng. Rep. 1171 (Ch.).

[7] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[8] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, "4 Harvard Law Review", 193 at 207 (1890).

[9] Thomas M. Cooley, The Law Of Torts, 2nd Ed., 1888, p. 29.

[10] Wainwright v. Home Office, 2003 UKHL 53.

[11] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[12] As early as in 1891, the case of Schuyler v. Curtis, 45 NYS 787 (Sup. Ct., 1891) involving the erection of a statue of a dead person, recognized the principle proposed in Warren and Brandeis' article.

[13] Most famously the case of Robertson v. Rochester folding Box Co., 64 NE 442 (NY 1902) where the New York Court of appeals specifically rejected a the existence of a right to privacy as proposed by Warren and Brandeis.

[14] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, "96 Georgetown Law Journal", 123 (2007).

[15] Bredd v. Lovelace, (1577) 21 Eng. Rep. 33 (Ch.)

[16] For doctor patient confidentiality we need look no further than the Hippocratic Oath itself which states "Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret".

[17] (1848) 41 Eng. Rep. 1171 (Ch.).

[18] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[19] [1948] 65 RPC 203.

[20] [1969] RPC 41 (UK).

[21] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[22] Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 GEORGETOWN LAW JOURNAL, 123 (2007).

[23] 2003 UKHL 53.

[24] [1979] Ch 344.

[25] [1997] AC 558.

[26] [1991] FSR 62

[30] Phoolan Devi v. Shekhar Kapoor and others, http://indiankanoon.org/doc/793946/.

ICANN accountability, IANA transition and open questions

by Geetha Hariharan last modified Feb 06, 2015 11:39 AM
On February 3, 2015, the Centre for Communication Governance (NLU, Delhi) hosted a pre-event briefing in light of ICANN52 (Singapore, February 7-12, 2015). Geetha Hariharan attended the event.

At a briefing on ICANN52 organized by the Centre for Communication Governance (NLU, Delhi) on 3 February, 2015 (‘CCG Briefing Event’), consensus was seen on two broad things: ICANN’s processes on IANA transition and accountability are crucial for Internet governance this year, and India’s participation (both municipal and international) is wanting. The meeting, which saw discussion following the Chatham House rules, was attended by members from industry associations, government and civil society. A light parsing of the current proposals from the CWG-Names and CRISP (the names and numbers communities) for IANA transition brought the composition of the transition proposals under scrutiny.

CRISP and the proposed Service Level Agreements:

The proposal from the numbers community, the CRISP, suggests that ICANN and the five RIRs enter into Service Level Agreements. Under the proposal, existing accountability, oversight and policy development mechanisms remain unchanged, with ICANN agreeing to perform IANA functions to meet requisite service levels. If it fails to meet such standards, the RIRs may terminate the contract or refuse to renew it.

The CRISP proposal does not look beyond ICANN for an IANA functions operator, and places its faith entirely in ICANN’s past performance of numbering IANA functions. As so many have said before, the CRISP proposal is blithe in its lack of review mechanism or safeguards, having even fewer safeguards than the CWG-Names proposal. Doubtless, a cause for concern.

CWG-Names and the Four New Entities:

The CWG-Names proposal suggests that four new entities be created to replace the NTIA’s role under the IANA Functions Contract. Under the proposal, ICANN will continue to be the IANA Functions Operator for the present. It will enter into an IANA Functions Contract with “Contract Co.”, a new shell entity which will replace NTIA as the contracting party. Contract Co. is to be a lightweight entity, with few staff or administrative capabilities.

At present, the NTIA performs what it considers a “clerical role” in its oversight of the DNS. However, the IANA Functions Contract also includes review functions, such as the rebidding and renewal process to determine whether ICANN (or some other entity) ought to continue as the IANA functions operator. Under the CWG-Names proposal, these review functions, which also include budget reviews, reporting, etc. are to be carried out by a “Multi-stakeholder Review Team (MRT)”, the terms of whose composition are as yet undecided.

The composition of the MRT is crucial to an independent and representative oversight of IANA. At the CCG Briefing Event, concerns were raised as to the representation of ccTLDs on the MRT. Not all ccTLDs are represented in the ICANN ecosystem, in the ccNSO; 152 ccTLDs are members of the ccNSO. Of course, one may argue that this concern exists under the present IANA functions contract as well. But the devil is in the details, or lack thereof. We don’t know, for instance, who will populate the MRT, whether they will enjoy immunities normally reserved for diplomatic or consular agents, or most importantly, what relationship the MRT will enjoy with ICANN. Will there be a contract with ICANN, or a memorandum of understanding that sets out ICANN’s responsibilities, failing which the IANA contract may be terminated?

The third new creation of the CWG-Names proposal is the “Customer Standing Committee (CSC)”. While the CSC’s composition is also nebulous, its functions are to work with the MRT to establish Service Levels and Performance Indicators for the naming functions, and to receive performance reports from the IANA operator (ICANN). Clause C.2.8 of the present IANA functions contract requires that the IANA operator (ICANN) develop performance standards for all enumerated IANA functions (see Clause C.2.9.1 to C.2.9.4), and also to report on them (Clause C.4). Presumably, the CSC will fill the role of the NTIA’s Contracting Officer’s Representative in receiving these performance reports.

The fourth and final new entity is the “Independent Appeals Panel (IAP)”, the composition of which is also undecided. The IAP is intended to hear and adjudicate all actions related to the root zone or root zone WHOIS, and under the present proposal, the CWG-Names suggests it should be constituted from time to time in the manner of a binding arbitration process. However, it should be noted that the CWG-Names proposal is unclear whether the IAP decisions are binding on or advisory to the ICANN Board. Concerns of the IAP’s composition aside, dangers of making its decisions only advisory to the ICANN Board loom large and real, and the CCG Briefing Event reflected this.

Already, the ICANN Board wields extensive power with regard to policy decisions. For instance, policies developed under the global policy development process by Regional Internet Registries (RIRs) may be rejected by the ICANN Board by a 2/3rds majority vote. Such a rejection may result in a mediation process according to agreed procedure. Another instance is the change in the ICANN Board’s treatment of GAC advice. Prior to the amendment to ICANN’s Bye-laws, the Board was not required to provide reasons for its rejection of GAC advice. In its present form, Article XI, Section 2(1) of ICANN’s Bye-laws make such reasons mandatory. How ought IAP decisions be treated, as binding or advisory? If they are to be binding, ICANN or any other IANA functions operator will have to enter into a legal arrangement (by contract or MoU, or in the best case, an amendment to ICANN Bye-laws).

Dodging the real issues: ICANN incumbency, IANA separation and where will all the money come from?

Both the CWG-Names and CRISP proposals skim past certain issues relating to ICANN’s incumbency in the IANA role. The first concern, of course, is whether ICANN should continue to be the IANA functions operator. Both proposals accept ICANN’s role, suggesting no change. While there are compelling reasons for ICANN’s continued role as IANA functions operator, unquestioning incumbency is equal to lack of accountability. And as neither proposal sets out a review process (the CWG-Names proposal only mentions that the MRT shall have this function), it is a concern.

Perhaps the CCWG-Accountability, convened under the Enhancing ICANN Accountability process, is better equipped to provide suggestions. However, the CCWG-Accountability is hard-pressed for time. Its two Workstreams, dealing with IANA transition related accountability mechanisms and ICANN’s internal accountability, are unlikely to see desired progress before the transition deadline of September 2015. For instance, within the CCWG-Accountability, a debate is ongoing as to ICANN’s composition. At the time of its incorporation, a suggestion that ICANN ought to have statutory members was floated, but turned down. The suggestion has reared its head again in the CCWG-Accountability, to consider checks and balances on the ICANN Board.

The second concern relates to IANA’s continued existence within ICANN, without separation of policy and implementation. This concern has been clamouring for attention for many months. Milton Mueller, for instance, has recommended structural separation of IANA and ICANN, as did I and others during the course of the face-to-face meetings of the CWG-Names (I attended remotely).

A structural separation is beneficial for many reasons. It enforces a simple separation of powers. “When”, as Montesquieu stated, “the legislative and the executive powers are united in the same person, or in the same body of magistrates, there can be no liberty; because apprehensions may rise, lest the same monarch or senate should enact tyrannical laws, to execute them in a tyrannical manner”. Tyranny is speaking in terms too extreme for ICANN, perhaps, it is undeniable that ICANN has grown larger in scope and size from its original incorporation. It was incorporated, as Professor DeNardis has noted [Protocol Politics, 161], to perform technical coordination of the global DNS and other functions performed originally by Jon Postel as IANA.

Today, in addition to technical coordination and policy-setting for names and numbers (through the gPDP), ICANN is a major player in the Internet governance institutional space; its involvement in and aggressive marketing of the NETmundial Initiative is but an example. For instance, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (FY2015). It has budgeted, in comparison, US $13 million for travel and meetings alone (FY2015). Separating IANA from ICANN will, as others have suggested, protect it from political or other influences within ICANN.

In any event, once the NTIA terminates the IANA functions contract, IANA is not strictly required to be within the US. At the moment, Clause C.2.1 of the IANA functions contract requires that the IANA functions operator be “a wholly U.S. owned and operated firm or fully accredited United States University or College operating in one of the 50 states of the United States or District of Columbia; b) incorporated within one of the fifty (50) states of the United States or District of Columbia; and c) organized under the laws of a state of the United States or District of Columbia”.

Were structural separation to be achieved, IANA could be incorporated in another, neutral jurisdiction. Not only would be assuage optical considerations and ensure separation of powers, but as our experience with filtering on the Internet shows (see, for instance, the Open Net Initiative’s research), unilateral controls are much harder to enforce when the apparatus is decentralized.

The third concern raised at the CCG Briefing Event concerned the funding of the new entities proposed by the CWG-Names. Would these entities be self-financing, or perhaps ICANN would support them? While some participants felt ICANN could also provide financial support, this would, in my view, bring ICANN too close to its oversight entities, and increase chances of influence.

Collection of Net Neutrality Definitions

by Tarun Krishnakumar last modified Feb 09, 2015 01:33 PM
As part of CIS's inquiry into 'Network Neutrality' in the developing world, we have collected a set of definitions of the term from different sources. The definitions were collated and compiled by Manoj Kurbet, Maitreya Subramaniam and Tarun Krishnakumar under the guidance of Sunil Abraham.

Collection of Net Neutrality Definitions

Please feel free to get in touch if you would like to suggest definitions to be added to this  working database.

Where Does ICANN’s Money Come From? We Asked; They Don’t Know

by Geetha Hariharan last modified Mar 05, 2015 07:43 AM
Just how transparent is ICANN? How responsive are they to requests for information? At CIS, we sent ICANN ten questions seeking information about, inter alia, their revenues, commitment to the NETmundial Principles, Globalisation Advisory Groups and organisational structure. Geetha Hariharan wonders at ICANN's reluctance to respond.

 

Why Is ICANN Here?

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for critical backbones of the Internet. It manages the root server system, the global allocation of IP addresses, protocol registries and the domain name system (management of gTLDs, ccTLDs, as well as the newly rolled-out “new gTLDs”).

ICANN was incorporated in California in 1998, and was intended as the technical coordination body for the backbone of the Internet. That is, it was to administer the Internet’s domain names and IP addresses, and also manage the Internet root servers.

As a result of an agreement with the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce, ICANN is the IANA functions operator. It carries out the IANA functions, which include making changes to the root zone file (the backbone of the domain name system), allocation of IP address blocks to the five Regional Internet Registries (RIRs), and maintaining protocol parameter registries in collaboration with the Internet Engineering Task Force (IETF). The RIRs are responsible for allocating IP addresses (IPv4 and IPv6) to national and local Internet registries. The IETF develops Internet standards and protocols, such as those within the TCP/IP suite. To be clear, ICANN does not make policy for the IP address or Internet standards/protocols; those are the domains of RIRs and the IETF, respectively.

ICANN, Domain Names and All That Buried Treasure

ICANN is the de facto policy-making body for domain names. Through ICANN’s community Supporting Organisations and Advisory Committees (SOACs) – largely a multi-stakeholder community – ICANN determines policies for dispute resolution (see, for instance, the UDRP for domain name disputes), maintaining the WHOIS database, etc. for domain names.

Under its contracts with Top Level Domain (TLD) Registries, ICANN receives payment for all registrations and/or renewals of domain names. For instance, under the .bharti Registry Agreement, ICANN receives a fixed annual registry free of US $6250. If there are more than 50,000 registrations or renewals of domain names under a TLD (say, .bharti) in a quarter, then ICANN also receives an amount equal to (No. of registrations or renewals X US $0.25). TLD Registries “own” TLDs like .com, and they maintain a list of all the domain names registered under that TLD. There are around 816 such Registry Agreements, and in FY14, ICANN received over US $47 million in Registry fees [see page 7].

Similar agreements exist between ICANN and domain name Registrars accredited by it, too. Domain name Registrars are entities like Go Daddy and Big Rock, from whom people like you and me (or companies) can register domain names. Only Registrars accredited by ICANN can register domain names that will be included in the ICANN DNS, the most frequently used DNS on the Web. Each Registrar pays a yearly accreditation fee of US $4000 to ICANN (see Clause 3.9). Each Registrar also pays to ICANN fees for every domain name registration or renewal. There are over 500 ICANN-accredited Registrars, and in FY14, ICANN received over US $34.5 million in Registrar fees [see page 7].

Now, apart from this, in its IANA operator role, ICANN is responsible for the global allocation of IP addresses (IPv4 and IPv6). From the global pool of IP addresses, ICANN allocates to the five Regional Internet Registries (RIRs), which then allocate to National Internet Registries like the National Internet Exchange of India (NIXI as IRINN), local Internet registries or ISPs. For this, ICANN receives a combined contribution of US $823,000 each year as revenue from RIRs [see, ex.: FY09 Financial Statements, page 3].

And this isn’t all of it! With its new gTLD program, ICANN is sitting on a large treasure trove. Each gTLD application cost US $185,000, and there were 1930 applications in the first round (that’s US $357 million). Where there arose disagreements as to the same or similar strings, ICANN initiated an auction process. Some new gTLDs were auctioned for as high as US $6 million.

So ICANN is sitting on a great deal of treasure (US $355 million in revenues in FY14 and growing). It accumulates revenue from a variety of quarters; the sources identified above are by no means the only revenue-sources. But ICANN is unaware of, or unwilling to disclose, all its sources of revenue.

ICANN's Troubling Scope-creep and Does Transparency Matter?

At CIS, we are concerned by ICANN’s unchecked influence and growing role in the Internet governance institutional space. For instance, under its CEO Fadi Chehade, ICANN was heavily involved backstage for NETmundial, and has set aside over US $200,000 for Mr. Chehade’s brainchild, the NETmundial Initiative. Coupled with its lack of transparency and vocal interests in furthering status quo (for instance, both the names and numbers communities’ proposals for IANA transition want ICANN to remain the IANA functions operator, without stringent safeguards), this makes for a dangerous combination.

The clearest indication lies in the money, one might say. As we have written before, ICANN budgets for less than US $10 million for providing core Internet functions out of a US $160 million strong budget (Budget FY15, page 17). It has budgeted, in comparison, US $13 million for travel and meetings alone, and spent over US $18 million on travel in FY14 (Budget FY15, page 11).

To its credit, ICANN makes public its financial statements (current and historic), and community discussions are generally open. However, given the understandably complex contractual arrangements that give ICANN its revenues, even ploughing through the financials does not give one a clear picture of where ICANN’s money comes from.

So one is left with questions such as the following: Which entities (and how many of them) pay ICANN for domain names? What are the vendor payments received by ICANN and who pays? Who all have paid ICANN under the new gTLD program, and for what purposes? Apart from application fees and auctions, what other heads of payment exist? How much does each RIR pay ICANN and what for, if IP addresses are not property to be sold? For how many persons (and whom all) does ICANN provide pay for, to travel to meetings and other events?

You may well ask why these questions matter, and whether we need greater transparency. To put it baldly: ICANN’s transparency is crucial. ICANN is today something of a monopoly; it manages the IANA functions, makes policy for domain names and is increasingly active in Internet governance. It is without greater (effective) accountability than a mere review by the NTIA, and some teething internal mechanisms like the Documentary Information Disclosure Policy (DIDP), Ombudsman, Reconsideration and Independent Review and the Accountability and Transparency Review (ATRT). I could elaborate on why these mechanisms are inadequate, but this post is already too long. Suffice it to say that by carefully defining these mechanisms and setting out their scope, ICANN has stifled their effectiveness. For instance, a Reconsideration Request can be filed if one is aggrieved by an action of ICANN’s Board or staff. Under ICANN’s By-laws (Article IV, Section 2), it is the Board Governance Committee, comprising ICANN Board members, that adjudicates Reconsideration Requests. This simply violates the principles of natural justice, wherein one may not be a judge in one’s own cause (nemo debet esse judex in propria causa).

Moreover, ICANN serves corporate interests, for it exists on account of contractual arrangements with Registries, Registrars, the NTIA and other sundry entities. ICANN has also troublingly reached into Internet governance domains to which it was previously closed, such as the NETmundial Initiative, the NETmundial, the IGF and its Support Association. It is unclear that ICANN was ever intended to overreach so, a point admitted by Mr. Chehade himself at the ICANN Open Forum in Istanbul (IGF 2014).

Finally, despite its professed adherence to multi-stakeholderism, there is evidence that ICANN’s policy-making and functioning revolve around small, cohesive groups with multiple professional inter-linkages with other I-Star organisations. For instance, a revolving door study by CIS of the IANA Coordination Group (ICG) found that 20 out of 30 ICG members had close and longterm ties with I-Star organisations. This surely creates concern as to the impartiality and fairness of the ICG’s decision-making. It may, for instance, make a pro-ICANN outcome inevitable – and that is definitely a serious worry.

But ICANN is intended to serve the public interest, to ensure smooth, stable and resilient running of the Internet. Transparency is crucial to this, and especially so during the IANA transition phase. As advisor Jan Scholte asked at ICANN52, what accountability will ICANN exercise after the transition, and to whom will it be accountable? What, indeed, does accountability mean? The CCWG-Accountability is still asking that question. But meanwhile, one among our cohorts at CIS has advocated transparency as a check-and-balance for power.

The DIDP process at ICANN may prove useful in the long run, but does it suffice as a transparency mechanism?

ICANN's Responses to CIS' DIDP Requests

Over December ’14 and January ’15, CIS sent 10 DIDP requests to ICANN. Our aim was to test and encourage transparency from ICANN, a process crucial given the CCWG-Accountability’s deliberations on ways to enhance ICANN’s accountability. We have received responses for 9 of our requests. We summarise ICANN’s responses in a table: please go here.

A glance at the table above will show that ICANN’s responses are largely negative. In 7 requests out of 9, ICANN provides very little new information. Though the responses are detailed, the majority of information they provide is already identified in CIS’ requests. For instance, in the response to the NETmundial Request, ICANN links us to blogposts written by CEO Fadi Chehade, where he notes the importance of translating the NETmundial Principles into action. They also link us to the Final Report of the Panel on Global Internet Cooperation and Governance Mechanism, and ICANN’s involvement in the NETmundial Initiative.

However, to the query on ICANN’s own measures of implementing the NETmundial Principles – principles that it has lauded and upheld for the entire Internet governance community – ICANN’s response is surprisingly evasive. Defending lack of action, they note that “ICANN is not the home for implementation of the NETmundial Principles”. But ICANN also responds that they already implement the NETmundial Principles: “Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework” (emphasis provided). One wonders, then, at the insistence on creating documents involving such high-level principles; why create them if they’re already implemented?

Responses to other requests indicate that the DIDP is, in its current form, unable to provide the transparency necessary for ICANN’s functioning. For instance, in the response to the Ombudsman Request, ICANN cites confidentiality as a reason to decline providing information. Making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline a DIDP request. But it is also important to investigate these reasons. ICANN’s Ombudsman is appointed by the ICANN Board for 2 year terms, under Clause V of ICANN’s Bylaws. The Ombudsman’s principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly”. The Ombudsman reports only to the ICANN Board, and all matters before it are kept confidential, including the names of parties and the nature of complaints. The Ombudsman reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy.

This creates a closed circle in which the Ombudsman operates. The ICANN Board appoints the Ombudsman. He/she listens to complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. However, neither the names of parties, the nature of complaints, nor the decisions of the Ombudsman are publicly available. Such a lack of transparency throws doubt on the functioning of the Ombudsman himself – and on his independence, neutrality and the extent of ICANN’s influence on him/her. An amendment of ICANN’s Bylaws would then be imperative to rectify this problem; this matter is squarely within the CCWG-Accountability’s mandate and should be addressed.

As is clear from the above examples, ICANN’s DIDP is an inadequate tool to ensure transparency functioning. The Policy was crafted without community input, and requires substantial amendments to make it a sufficient transparency mechanism. CIS’ suggestions in this regard shall be available in our next post.


CIS' Annual Reports are here. Our audit is ongoing, and the Annual Report for 2013-14 will be up shortly. Pranav Bidare (3rd year) of the National Law School, Bangalore assisted with research for this post, and created the table of CIS' DIDP requests and responses.

Indian Netizens Criticize Online Censorship of ‘Jihadi’ Content

by Subhashish Panigrahi last modified Feb 10, 2015 02:43 AM
The article on online censorship by Subhashish Panigrahi was published in Global Voices on January 6, 2015.

Click to view the article on Global Voices here.

Indian Netizens Criticize Online Censorship of ‘Jihadi’ Content · Global Voices

Mock-up of a blocked URL
Mock-up of a blocked URL (Image: Subhashish Panigrahi, CC-by-SA 3.0)

The Government of India in the last week of 2014 asked Internet service providers (ISPs) to block 32 websites including code repository Github, video streaming sites Vimeo and Dailymotion, online archive Internet Archive, free software hosting site Sourceforge and many other websites on the basis of hosting anti-India content from the violent extremist group known as ISIS.

The blanket block on many resourceful sites has been heavily criticized on social media and blogs by reviving the hashtag #GoIblocks that evolved in the past against internet censorship by the government.

View image on Twitter


Govt orders blocking

Nikhil Pahwa at MediaNama notes that this time many ISPs published the list of the blocked sites:

Typically, users are not informed about which websites are blocked, so this was a welcome move from the ISP.

Say No to Censorship. #GOIBlocks

“Say No to Censorship. #GOIBlocks” (taken from Facebook page of Free Software Foundation, Tamil Nadu)

In 2012, opposition party leader Narendra Modi (who is now India's Prime Minister) tweeted against the URL blocks by the earlier ruling of India's National Congress when then-Minister of Communications and Information Technology Kapil Sibal ordered to block 300 websites. Many eyebrows were raised when Modi repeated the move this time around.

View image on Twitter

Internet censorship in India has been increasingly prominent since 1999 when Pakistani newspaper Dawn was blocked by the Videsh Sanchar Nigam Limited for post-Kargil War views against India. These caught heavy criticism from netizens, often under the hashtag #IdiotKapilSibal. Since then there have been many instances of government-mediated censorship, particularly with the enactment of India's Information Technology Act of 2000.

Arvind Gupta, head of Information Technology for India's ruling Bharatiya Janata Party, tweeted to clarify that the sites were blocked as advised by the Anti-Terrorism Squad.

The websites that have been blocked were based on an advisory by Anti Terrorism Squad, and were carrying Anti India content from ISIS. 1/2

After agreeing to remove anti-India content posted by accounts that appeared to have some association with ISIS, weebly.comvimeo.comPastebindailymotion.com and gist.github.com were unblocked.

These websites have undertaken not to allow pasting of such propaganda information on their website and also work with the government to remove such material as per the compliance with the laws of land.

-  Ministry of Communications and Information Technology, Government of India (posted in Business Standard)

Action has been initiated to unblock -- http://weebly.com , http://vimeo.com , http://dailymotion.com and (1/2)

File

by Prasad Krishna last modified Feb 11, 2015 04:12 PM

OpenDocument Spreadsheet icon FILE1.ods — OpenDocument Spreadsheet, 10 kB (10395 bytes)

Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law

by Geetha Hariharan last modified Feb 12, 2015 06:05 AM
In Sabu George v. Union of India, the Supreme Court is looking at the constitutionality of sex-selection ads appearing on search engines, either as search results or ads placed on the search pages. Balaji Subramanian and Geetha Hariharan analyse the relevant provision of the Pre-Natal Diagnostic Techniques Act, 1994.

 

The Supreme Court, in Sabu George v. Union of India and Ors. (WP (C) 341/2008), is looking into the presence of material regarding pre-natal sex determination on search engines such as Google, Bing, and Yahoo!. The petitioner alleges that search engines have been displaying content that falls foul of §22 of the Pre-Natal Diagnostic Techniques Act, 1994, as amended in 2002 (“the Act”).

The relevant parts of §22 that search engines are alleged to have violated are as follows:

22. Prohibition of advertisement relating to pre-natal determination of sex and punishment for contravention.-

  1. No person, organization, Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic, including clinic, laboratory or centre having ultrasound machine or imaging machine or scanner or any other technology capable of undertaking determination of sex of foetus or sex selection shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement, in any form, including internet, regarding facilities of pre-natal determination of sex or sex selection before conception available at such centre, laboratory, clinic or at any other place.
  2. No person or organization including Genetic Counselling Centre, Genetic Laboratory or Genetic Clinic shall issue, publish, distribute, communicate or cause to be issued, published, distributed or communicated any advertisement in any manner regarding pre-natal determination or preconception selection of sex by any means whatsoever, scientific or otherwise” (emphasis supplied)

Explanation.- For the purposes of this section, ‘advertisement’ includes any notice, circular, label, wrapper or any other document including advertisement through internet or any other media in electronic or print form and also includes any visible representation made by means of any hoarding, wall-painting, signal, light, sound, smoke or gas.

From a cursory reading, it would appear that the section serves as a clear and unequivocal ban on advertisements for clinics or other laboratories that perform pre-natal sex determination. However, the Supreme Court seems to have landed itself into a mess by muddling the distinction between web/online advertisements (in the sense that the word has been used in the quoted provision) and organic search results. The court has received little assistance from the words of the statute, since the Act contains no exhaustive definition of ‘advertisement’. The closest thing to such a definition is the explanation to §22, which only specifies that the term is inclusive of some common forms of adverts – label wrappers, audiovisual representations, etc. This is not a definition, and does not expand the meaning of the word to include organic search results, which are commonly understood not to be advertisements (see here and here, for example). This distinction was pointed out to the court in the submission of the Group Coordinator, Cyber Laws Formulation and Enforcement Division, Department of Information Technology, as noted by the bench in its order dated the 4th of December 2014.

It is our view that this distinction is of vital importance to the entire debate surrounding the PNDT Act, and therefore we have clearly differentiated between organic search results and “sponsored links”, or advertisements, wherever required.

In order to examine whether search engines were in compliance with the law, we systematically searched for terms most likely to trigger advertisements that would violate §22 of the Act. Further, we selected search engines across the market spectrum, from high-revenue organisations likely to have performed comprehensive due diligence (Google, Bing, etc.) to relatively low-revenue operators who did not have offices in India, or dedicated service offerings specific to India, and were therefore unlikely to have taken special measures to comply with the provisions of the PNDT Act (Yandex, DuckDuckGo, etc.). Further, where search engines had India-specific websites, we checked to see whether there was any difference in the advertising outputs of the India site and the US site.

Since the advertising systems work on a bidding mechanism, where the same keywords were likely to trigger different ads based on the rates selected by advertisers, our methodology also included making multiple (five, in most cases) iterations of searches that yielded advertisements, even if the ads displayed were not violative of the Act.

Online Advertisements

The results of this analysis (tabulated below) are surprising, to say the least. First, we found that major search engines such as Google, Yahoo and Bing (constituents of the advertising alliance, the Yahoo! Bing Network) did not display incriminating ads for many of the searches we attempted [see Table 1 below]. In searches for “sex selective abortion”, for example, Google even provided sponsored links to NGOs attempting to generate awareness against the practice. Nor were any non-compliant ads present on their US sites. No violative ads were observed on Yandex. DuckDuckGo did display a questionable advertisement for the term “prenatal sex determination”, but we shall discuss this in detail later.

SearchEngine

However, there were some advertisements of questionable legal status. In Google, for instance, our searches for “Dubai indian pregnancy centre” and a litany of similar searches showed searches that featured international services. These services for sex-selection would, presumably, extend to India [see Table 2 below].

Table 1

Search Engine
"UAE pregnancy gender"
"Dubai Indian pregnancy gender""Pregnancy gender determination"

"Prenatal ultrasound India"

"Dubai India sex ultrasound"

Google (.com, .co.in)
Advertisements of fertility centres in the Middle East, that conduct sex determination tests. Some prominently feature assistance to international patients.
Advertisements of UK Laboratory that sells Prenatal Gender Test Kits. Prominently featured International shipping.
No ads.
Offers Pre-natal Ultrasound scans, does not conduct sex determination test.
Does not mention explicit sex determination or International Services.
Yahoo
No ads. No ads. Advertisements of Ultrasound Laboratory in the USA that conducts sex determination tests.
No ads. No ads.
Bing No ads. No ads. No ads. No ads. No ads.

 

Advertisements within Search Results

We also examined the search results themselves to check whether the links led to advertisements. On the basis of our searches we found that there are instances both in Google and Yahoo!, where, when we clicked on the search result, we were directed to advertisements. Bing and Rediff, in these searches, did not lead to any prohibited links. Our findings are tabulated below:

Search Engine"Indian pregnancy gender"
"Foetal sex determination""Ultrasound pregnancy"
"Ultrasound screening""Is my baby boy or girl""Baby boy or girl""Pregnancy gender determination"
Google (.com, .co.in) No ads. Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html). No ads. Yes. Gender Scan (ultrasound-direct.com/babybond-pregnancy-scans/gender-scan/). No ads. No ads. No ads.
Yahoo Potentially violative. Intelligender Gender Prediction Test (intelligender.com/gender-myths.html). Yes. Gender Predictor Kit (baby2see.com/gender/study_ultrasound.html). No ads. No ads. Potential violation. Gender Predictor (mybabyboyorgirl.com). No ads. No ads.
Bing No ads. No ads. No ads. Yes several results No ads. No ads. No ads.
Rediff No ads. No ads. No ads. No ads. No ads. No ads. No ads.

Given that some search results do indeed seem to violate §22, we then examined the advertising policies of those search engines alleged to display prohibited advertisements in Sabu George – Google, Yahoo! and Bing.

Advertising Policies of Search Engines

The Yahoo! Bing Network, in its advertising guidelines, has an entire section dedicated to ads for pharmacy and health care products and services. In it, there exists a comprehensive list of advertisements prohibited specifically due to the existence of Indian law – such as, for example, ads for miracle cures. Further, under the ‘Family Planning’ category on the same page, the Network acknowledges the existence of regulatory restrictions against advertisements for abortion services, paternity tests, and pre-natal sex determination in India. The consequences of non-compliance with the guidelines are laid out clearly on the same page – they include ad disapprovals, domain blocks, and account suspensions. Despite this, a search for “pregnancy gender determination” displayed an advertisement of an ultrasound lab in the United States that conducts sex determination tests [Table 2].

Google’s Adwords service has a similar policy statement, titled ‘Legal requirements & serving limitations’ for advertisements on its network. At the outset, Google asserts that the advertiser is responsible for the legality of the ad’s contents:

“As an advertiser, you're always responsible for ensuring that you comply with all applicable laws and regulations, in addition to Google's advertising policies, for all of the locations where your ads are showing. The guidelines below are intended to help highlight some areas where we've seen advertisers violate legal requirements in the past. However, this is not an exhaustive list of legal issues that you may need to consider, so we urge you to do your own research regarding appropriate advertising practices for the place where your business operates, as well as any other places where your ads are showing.”

Further, in its list of local legal requirements, under the head of ‘Regulated Products & Services’, Google clearly acknowledges that existing legal prohibitions shall be enforced against advertisements for, inter alia, infant food products and gender determination in India. Advertisements for infant food products are prohibited under §3(a) of the Infant Milk Substitutes Act, 2003. As with the Yahoo! Bing Network, the consequences for violating the advertising guidelines include disapproval of the ad, disabling of the domain from the ad network, and suspension of accounts. Despite these precautions, Google did show display some advertisements that would fall foul of §22, such as those we found in Table 2.

But it seems, at least, that in the case of major search engines, there exist concrete policies to back the relative lack of advertisements violating §22 of the PNDT Act. However, it is possible that these policies were evolved after the Writ Petition in Sabu George was filed in 2008.

Sources connected to the case indicate that the petitioner has alleged the presence of violative ads, and we have no data regarding 2008 advertising policies at either of these search engines. The Yahoo! Bing Network, however, does have an Editorial guidelines change log, stretching back all the way to the Network’s inception in 2012. The log does not detail any changes to the policy against ads for sex determination in India, so it follows that the Yahoo! Bing Network policy has existed at least from September 2012.

Interestingly, Yandex, the Russian search provider, appears to have prevented ads relating to pre-natal sex determination for different reasons. In its Advertising Requirements, Yandex mandates several restrictions on advertisements relating to medicines, medical products and medical services, which require licenses, registrations with Russian federal authorities, etc. to be produced to Yandex before an ad can be placed. Yandex has placed these restrictions in pursuance of Russian federal laws, but it appears that they have had the unintended consequence of keeping the site clear of advertisements that violate §22 of the PNDT Act, as well.

Finally, we come to the case of DuckDuckGo, which displayed questionable content in response to the term “prenatal sex determination” – an ad for ultrasound imaging services provided in the US. A similar ad was seen on Yahoo, as noted earlier. Even this, however, would not be a violation of the Act, since the service was located outside India, and the ad was placed by a foreign citizen residing in a foreign jurisdiction.

It is well-known that India is one of the few countries that has a ban on pre-natal sex determination, and it is a documented practice for couples to travel abroad and undergo diagnostic tests that enable them to discern the sex of the foetus – Thailand has been a destination of choice, if news reports are to be believed. Further, such non-Indian advertisements were seen on Google around 2009, and the argument made by Google’s counsel then stands today – that the situation was akin to an Indian library buying Thai magazines containing sex determination-related advertisements and making them available to the Indian public. Those ads are not targeted at Indians; the magazines were not meant for India. If the ad included invitations to foreigners (“Internationally famous for sex selection!”; “Sex of babies from around the world determined!”), and was published knowing that Indians would read it, then there is a greater likelihood that §22 of the Act stands violated. For instance, Google’s results for “UAE pregnancy gender” showed advertisements of fertility centres in the Middle East, some of which advertise for international patients.

In any event, since there exists no ban against the advertiser in his own jurisdiction, it would lead to an absurd result for search engines to be prosecuted for showing such ads to the Indian public, especially when the advertised service is not meant for or available in India. Displaying such a result would be especially detrimental to low-revenue search engines such as DuckDuckGo, who would be unable to conduct adequate due diligence to protect themselves from similar provisions in other Indian laws.

Organic Search Results

Having dealt with the issue of advertising against the provisions of §22, we now shift our focus to organic search results. At the outset, we must acknowledge the fact that the words of the statute specify “advertisement”, and it remains to be seen whether organic search results can be treated as advertisements if they are aimed at selling a product or service to prospective consumers for a price. If organic search results are to be treated as advertisements under §22, then it would amount to imposing an unnaturally high burden on search engines.

As intermediaries, search engines will be given the responsibility to scrutinise and curate the content that they display. Such a model is problematic on several levels. If intermediaries (search engines, in this case) were charged with the responsibility of policing their search results, a chilling effect will, in all likehood, befall online content – search engines, being profit-driven business institutions, will naturally choose to ‘err on the side of caution’, and would rather see some legitimate content taken down rather than risk the possibility of expensive, time-consuming litigation or penalties. In fact, when given the responsibility to take down data and curate organic search results, intermediaries are ham-handed.

Such an approach would necessitate the creation of large and complex structures, much like the means used by the DMCA in the US. Only large, reasonably high-revenue search engines will be able to put in place such mechanisms, so the law creates an undesriable entry barrier. Also, curating search results for content violative of §22 would be even more arduous than curating results for DMCA violations, since under DMCA, there is concrete private incentive for rights-holders to report DMCA violations to search engines. There exists no such incentive for individuals to petition search engines to remove §22 violations, and this affects its effectiveness. For these reasons, it is problematic to read organic search results within the ambit of §22.

Of course, the government can and should expect that online advertisements for sex selection services, inviting people to learn the sex of their foetus, are prohibited. It may do this for reasons of public health and safety, and in order to reduce female-selective abortions. But search results, unlike advertisements, contain medical information, links to anti-sex-selection campaigns and information about female foeticide. It would be unfortunate for the government to expect search providers to actively curate the content of a dynamic ecosystem such as the internet, while at the same time ensuring that legitimate content is preserved.

Sabu George and What Can Be Done

Lamentably, the Supreme Court does not appear to have entered this debate at all. In the latest arguments in Sabu George, the Solicitor General of India Mr. Ranjit Kumar offered the government’s hand in filtering and blocking sex-selection advertisements. Mr. Kumar stated that, “if the URL and the I.P. addresses are given along with other information by the respondents”, and also listing keywords, the Union of India can order website blocking under §69A of the Information Technology Act, 2000 (amended). The Union’s stance, it would seem, is that either the search engines should block offending ads by themselves, or block on the basis of directions issued by the government.

In its order of 28 January 2015, the Supreme Court has directed that, as an interim measure, “Google, yahoo and Micro Soft [sic] shall not advertise or sponsor any advertisement which would violate Section 22 of the PCPNDT Act, 1994. If any advertise [sic] is there on any search engine, the same shall be withdrawn forthwith by the respondents”. The Court plans to hear arguments on the “total blocking of items that have been suggested by the Union of India” on the next hearing date, February 11, 2015.

Instead of hearing arguments on the feasibility of total blocking of offending online ads, the Supreme Court should ask whether organic search results constitute advertisements. These results are those that appear as the product of the search algorithm, and would take much time and expense to curate. It would also amount to time-consuming and disproportionate content inspection by the search engines. In any event, it seems that the major search engines do comply in large part with §22 of the PNDT Act. Where offending ads are found (like we did during our searches), the notice-and-takedown procedure under §79 of the Information Technology Act, 2000 can be put to intelligent use.

The second option noted by the Court, filtering or blocking on the basis of URLs or IP addresses, also stand the danger of overbreadth or overblocking. Such overblocking is routine across filtering regimes in many jurisdictions; for ex., see the Open Net Initiative’s note on filtering (“Filtering’s Inherent Flaws”). It is a danger better averted. In any event, a filtering regime would not affect organic search results, and so the doubt as to the scope of §22 remains.


Pranesh Prakash provided invaluable feedback. Balaji Subramanian and Pranav Bidare performed the searches on different engines. Balaji Subramanian is at NALSAR University of Law, Hyderabad, and is in his 2nd year of law. Pranav Bidare is in his 3rd year of law at the National Law School, Bangalore.

Preliminary Submission on "Internet Governance Issues" to the Associated Chambers of Commerce & Industry of India

by Geetha Hariharan last modified Feb 12, 2015 02:52 PM
On January 30, 2015, Associated Chambers of Commerce & Industry of India (ASSOCHAM) held a consultation on Internet governance. A committee was set up to draft a report on Internet governance, with a focus on issues relevant to India. The Centre for Internet and Society (CIS) is represented on the committee, and has provided its preliminary comments to ASSOCHAM.

ASSOCHAM convened a meeting of its members and other stakeholders, at which CIS was represented. At this meeting, inputs were sought on Internet governance issues relevant for India, on which the industry body proposed to make comments to the Ministry of External Affairs, Government of India. Such a discussion, proposing to consolidate the views of ASSOCHAM members in consultation with other stakeholders, is a commendable move. This submission presents preliminary comments from the Centre for Internet and Society (CIS) in light of ASSOCHAM's consultation on Internet governance.

I. About CIS

1. CIS is a non-profit research organization that works, inter alia, on issues relating to privacy, freedom of expression, intermediary liability and internet governance, access to knowledge, open data and open standards, intellectual property law, accessibility for persons with disabilities, and engages in academic research on the budding Indian disciplines of digital natives and digital humanities.

2. CIS engages in international and domestic forums for Internet governance. We are a Sector-D member of the International Telecommunications Union (ITU),[1] and participated in the World Conference on International Telecommunications (WCIT), 2012 (Dubai) [2] and the Plenipotentiary Conference, 2014 (Busan).[3] We have also participated in the WSIS+10 Multistakeholder Preparatory Platform (MPP)[4] and the WSIS+10 High Level Event, organized by the ITU.[5]

3. CIS is also a member of the Non-Commercial Users Constituency (NCUC) at ICANN. Pranesh Prakash, our Policy Director, held a position on the NCUC Executive Committee from December 2013 to November 2014.[6]

4. CIS has been engaging at the Internet Governance Forum (IGF) since 2008, and has organized and participated in over 60 panels to date.[7] We have also organized panels at the Asia-Pacific Regional IGF (APrIGF). [8] Our Executive Director Sunil Abraham is a member of the Multistakeholder Advisory Group (MAG) for the India-IGF, and has attended in its meetings.[9] We are also in the process of developing international principles for intermediary liability, in collaboration with international civil society organisations like EFF and Article19. [10]

II. Structure of Submission

5. In this submission, we identify issues in Internet governance where engagement from and within India is necessary. In particular, brief descriptions of issues such as freedom of expression and privacy online, cyber-security, critical Internet resources and ICANN, multistakeholderism and net neutrality are provided.

III. Internet Governance Issues

6. The history of the Internet is unique, in that it is not exclusively government-regulated. Though governments regulate the Internet in many ways (for instance, by ordering website blocking or filtering, licensing of ISPs, encryption controls, investment caps, etc.), the running of the Internet is largely in the hands of private businesses, technical organisations and end-users.

7. International processes like the World Summit on Information Society (WSIS), and forums such as ICANN, the ITU, the IGF and the UN are involved in governing in the Internet in many ways. Regional organisations like the OECD, APEC and the Shanghai Cooperation Organisation (SCO) are also involved (for instance, in cyber-security matters).

8. The issues surrounding Internet governance are many, and range from telecom infrastructure and technical coordination to human rights and access to information.

Rights Online

9. The status of 'human rights online' has come under discussion, with the NETmundial Outcome Document affirming that offline rights must also be protected online. These issues are important in the context of, among others, the large scale violations of privacy in light of the Snowden Revelations,[11] and increased instances of website blocking and takedowns in different parts of the world.[12]

10. Internationally, issues of freedom of speech, privacy and access or the digital divide (though it is debatable that the latter is a human right) are discussed at the UN Human Rights Council, such as the resolution on human rights and the Internet, and the UN Human Rights Commissioner's report on the right to privacy in the digital age , which discusses the need for checks and balances on digital mass surveillance. During the Universal Periodic Review of India in 2012, India noted a recommendation from Sweden to " ensure that measures limiting freedom of expression on the internet is based on clearly defined criteria in accordance with international human rights standard ".

11. Freedom of speech and privacy are also relevant for discussion at the ITU.[13] For instance, at the Plenipotentiary meeting in 2014 (Busan), India proposed a resolution that sought, among other things, complete traceability of all Internet communications. [14] This has implications for privacy that are not yet addressed by our domestic laws. A Privacy Bill and such other protections are only in the pipeline in India.[15]

12. At ICANN as well, the root zone management function may affect freedom of expression. If, for instance, a top level domain (TLD) such as .com is erased from the root zone file, hundreds of thousands of websites and their content can be wiped from the World Wide Web. A TLD can be erased by Verisign if a request to that effect is raised or accepted by ICANN, and signed off on by the National Telecommunications and Information Administration (NTIA) of the US government. Similarly,the WHOIS database, which contains information about the holders of domain names and IP addresses, has implications for privacy and anonymity.

13. In India, the judiciary is currently adjudicating the constitutionality of several provisions of the Information Technology Act, 2000 (as amended in 2008), including S. 66A, S. 69A and S. 79. A series of writ petitions filed, among others, by the Internet Service Providers Association of India (ISPAI) and Mouthshut.com, relate to the constitutionality of the nature of content controls on the Internet, as well as intermediary liability. [16]

14. A judgment on the constitutionality of Ss. 66A, 69A and 79 are crucial for end-users and citizens, as well as companies in the Internet ecosystem. For instance, an uncertain intermediary liability regime with penalties for intermediaries - S. 79, IT Act and Intermediaries Guidelines Rules, 2011 - disincentivises ISPs, online news websites and other content providers like Blogger, Youtube, etc. from allowing free speech to flourish online. [17] The ongoing cases of Kamlesh Vaswani v. UOI and Sabu George v. UOI also have consequences for ISPs and search engines, as well as for fundamental rights.[18] International and domestic engagement is desirable, including in consultations with the Law Commission of India (for instance, the consultation on media laws).

Critical Internet Resources

15. Critical Internet Resources form the backbone of the Internet, and include management of IP addresses, the domain name system (DNS) and the root zone. [19] ICANN, a global non-profit entity incorporated in California, manages the IANA functions (Internet Assigned Numbers Authority) for the global Internet. These functions include allocating the global pool of IP addresses (IPv4 and IPv6) to Regional Internet Registries (RIRs), administering the domain name system and maintaining a protocol registry.

16. At present, the IANA functions are performed under a contract with the NTIA. On March 14, 2014, the NTIA announced its intention to transition oversight of the IANA functions to an as-yet-undetermined "global multi-stakeholder body". The deadline for this transition is September 30, 2015, though the NTIA has expressed its willingness to renew the IANA contract and extend the deadline. ICANN was charged with convening the transition process, and set up the IANA Coordination Group (ICG), a team of 30 individuals who will consolidate community input to create a transition proposal. At the moment, thenames (CWG-Names),numbers (CRISP) and protocols (IETF) communities are debating existing draft proposals. A number of new entities with which ICANN will have contractual arrangements have been proposed. At ICANN's meetings in Singapore (February 7-12, 2015) and Buenos Aires (June 2015), these proposals will be discussed.

17. At the same time, a parallel track to examine ICANN's own transparency and accountability has been introduced. The CCWG-Accountability is considering ICANN's accountability in two Workstreams: first, in light of the IANA transition and second, a revision of ICANN's policies and by-laws to strengthen accountability. ICANN's accountability and transparency are crucial to its continued role in Internet governance.

18. Several issues arise here: Should ICANN continue to remain in the US? Should the IANA Functions Department be moved into a separate entity from ICANN? Ought ICANN's by-laws be amended to create oversight over the Board of Directors, which is now seen to have consolidated power? Ought ICANN be more transparent in its financial and operational matters, proactively and reactively?

19. It is, for instance, beneficial to the stability of the Internet and to India if the IANA department is separate from ICANN - this will ensure aseparation of powers. Second, stronger transparency and accountability mechanisms are necessary for ICANN; it is a growing corporate entity performing a globally Internet function. As such, granular information about ICANN's revenues and expenses should be made public. See, for ex.,CIS' request for ICANN's expenses for travel and meetings, and ICANN's response to the same.

20. The most ideal forum to engage in this is ICANN, and within India, working groups on Internet governance at the Ministry level. As such, ASSOCHAM may seek open, transparent and inclusive consultations with the relevant departments of the Government (the Ministry of External Affairs, DeitY, Department of Telecommunications). At ICANN, industry bodies can find representation in the Business Constituency or the Commercial Stakeholders Group. Additionally, comments and proposals can be made to the ICG and the CCWG-Accountability by anyone.

Cyber-security

21. Cyber-security is often used as an umbrella-term, covering issues ranging from network security (DNSSEC and the ICANN domain), cyber-crime, and cyber-incidents such as the Distributed Denial of Service attacks on Estonian public institutions and the Stuxnet virus that attacked Iran's nuclear programme. Within the ITU, spam and child safety online are also assessed as security issues (See Study Group 17 under ITU-T).

22. At the international level, the UN Group of Governmental Experts has published three reports to date, arguing also that in cyber-security incidents, international humanitarian law will apply. International humanitarian law applies during armed attacks on states, when special rules apply to the treatment of civilians, civilian and military buildings, hospitals, wounded soldiers, etc.

23. The ITU also launched a Global Cybersecurity Agenda in 2007, aiming at international cooperation. Such cooperative methods are also being employed at the OSCE, APEC and the SCO, which have developed drafts of Confidence Building Measures. The Global Conferences on Cyberspace (London 2011, Budapest 2012, Seoul 2013, The Hague 2015) resulted in, inter alia, the Budapest Convention on Cybercrime. India has not ratified the Convention, and remains tight-lipped about its security concerns.

24. Surveillance and monitoring of online communications is a crucial issue in this regard. In India, the surveillance power finds its source in S. 5, Telegraph Act, 1888, and the Rule 419A of the Telegraph Rules, 1951. Further, S. 69 of the Information Technology Act, 2000 and the Interception Rules, 2009 enable the government and authorized officers to intercept and monitor Internet traffic on certain grounds. Information regarding the implementation of these Rules is scant.

25. In any event, the applicability of targeted surveillance should be subject to judicial review , and a balance should be struck between fundamental rights such as freedom of speech and privacy and the needs of security. An accountability model such as that present in the UK for the Interception of Communications Commissioner may provide valuable insight.

26. In India, the government does not make public information regarding its policies in cyber-security and cybercrime. This would be welcome, as well as consultations with relevant stakeholders.

Models of Internet Governance

27. Multi-stakeholderism has emerged as one of the catchphrases in Internet governance. With the display of a multi-stakeholder model at NETmundial (April 2014), controversies and opinions regarding the meaning, substance and benefits of multi-stakeholderism have deepened.

28. The debates surrounding stakeholder-roles in Internet governance began with ¶49 of the Geneva Declaration of Principles and ¶35 of the Tunis Agenda, which delineated clear roles and responsibilities. It created a 'contributory' multi-stakeholder model, where states held sovereign authority over public policy issues, while business and civil society were contributed to 'important roles' at the 'technical and economic fields' and the 'community level', respectively.

29. As the WGEC meeting (April 30-May 2, 2014) demonstrated, there is as yet no consensus on stakeholder-roles. Certain governments remain strongly opposed to equal roles of other stakeholders, emphasizing their lack of accountability and responsibility. Civil society is similarly splintered, with a majority opposing the Tunis Agenda delineation of stakeholder-roles, while others remain dubious of permitting the private sector an equal footing in public policy-making.

30. The positions in India are similarly divided. While there is appears to be high-level acceptance of "multi-stakeholder models" across industry, academia and civil society, there exists no clarity as to what this means. In simple terms, does a multi-stakeholder model mean that the government should consult industry, civil society, academia and the technical community? Or should decision-making power be split among stakeholders? In fact, the debate is more specific.

31. In India, the Multistakeholder Advisory Group (MAG) for the India-IGF was established in February 2014, and some meetings were held. Unfortunately, neither the minutes of the meetings nor action points (if any) are publicly available.

32. The Indian government's position is more complex. At the 68th UN General Assembly session in 2011, India argued for a (multilateral) 50-member UN Committee on Internet-related Policies (CIRP). However, the Ministry for Communications and Information Technology (MCIT) has, over the years, presented differing views at the IGF and ITU through its two departments: DeitY and DoT. Further, at the meetings of the Working Group on Enhanced Cooperation (WGEC), India has presented more nuanced views, suggesting that certain issues remain within the governmental domain (such as cyber-security and child online protection). At the 9th IGF (Istanbul, September 2014), Mr. R.S. Sharma of the DeitY echoed such a view of delineated roles for stakeholders.

33. A clear message from the Indian government, on whether it favours multistakeholderism or governmental policy authority for specific issues, would be invaluable in shaping opinion and domestic processes. In any event, a transparent consultative procedure to take into account the views of all stakeholders is desirable.

Emerging Issues

Net Neutrality

34. In simple terms, net neutrality concerns differential treatment of packets of data by carriers such as ISPs, etc. over networks. The issue has gained international attention following the U.S. FCC's regulatory stance, and the U.S. Court of Appeal's 2014 decision in Verizon v. FCC. Though this decision turned on the interpretation of 'broadband providers' under the Communications Act, 1934, net neutrality has since been debated in the US, both by the FCC and other stakeholders. There is no international consensus in sight; the NETmundial Outcome Document recognized net neutrality as an emerging issue (page 11, no. IV).

35. In India, a TRAI consultation on Over-The-Top Services on August 5, 2014 brought concerns of telecom and cellular operators to light. OTTs were seen as hijacking a portion of telcos' revenues, and as lacking consumer protection and privacy safeguards. While these concerns are legitimate, net neutrality regulation is not yet the norm in India. In any event, any such regulation must take into account the consequences of regulation on innovation, competition, and consumer choice, as well as on the freedom of the medium (which may have detrimental impacts freedom of expression).

36. Though net neutrality regulation is being mooted, there is as yet anarray of definitions of 'net neutrality'. The views of telcos themselves differ in India. Further study on the methods of identifying and/or circumventing net neutrality is necessary before a policy position can be taken.

IV. Conclusions

37. CIS welcomes ASSOCHAM's initiative to study and develop industry-wide positions on Internet governance. This note provides brief descriptions of several issues in Internet governance where policy windows are open internationally and domestically. These issues include freedom of expression and privacy under Part III (Fundamental Rights) of the Constitution of India. The Supreme Court's hearing of a set of cases alleging unconstitutionality of Ss. 66A, 69, 69A and 79 (among others) of the IT Act, 2000, as well as consultations on issues such as pornography by the Rajya Sabha Parliamentary Committee and media laws by the Law Commission of India are important in this regard.

38. International and domestic engagement is necessary in the transition of stewardship of the IANA functions, as well as ICANN's own accountability and transparency measures. Similarly, in the area of cyber-security, though several initiatives are afoot internationally, India's engagement has been cursory until now. A concrete position from India's stakeholders, including the government, on these and the question of multi-stakeholderism in Internet governance would be of immense assistance.

39. Finally, net neutrality is an emerging issue of importance to industry's revenues and business models, and to users' rights such as access to information and freedom of expression.


[1] CIS gets ITU-D Sector Membership, goo.gl/PBGKWt (l.a. 8 Feb. 2015).

[2] Letter for Civil Society Involvement in WCIT, goo.gl/gXpYQD (l.a. 8 Feb. 2015).

[3] See, ex., Hariharan, What India's ITU Proposal May Mean for Internet Governance, goo.gl/hpWaZn (l.a. 8 Feb. 2015).

[4] Panday, WSIS +10 High Level Event: Open Consultation Process MPP: Phase Six: Fifth Physical Meeting, goo.gl/3XR24X (l.a. 8 Feb. 2015).

[5] Hariharan, WSIS+10 High Level Event: A Bird's Eye Report, goo.gl/8XkwyJ (l.a. 8 Feb. 2015).

[6] Pranesh Prakash elected as Asia-Pacific Representative to the Executive Committee of NonCommercial Users Constituency, goo.gl/iJM7C0 (l.a. 8 Feb. 2015).

[7] See, ex., CIS@IGF 2014, goo.gl/Werdiz (l.a. 8 Feb. 2015).

[8] Multi-stakeholder Internet Governance: The Way Ahead , goo.gl/NuktNi; Minimising legal risks of online Intermediaries while protecting user rights, goo.gl/mjQyww (l.a. 8 Feb. 2015).

[9] First Meeting of the Multistakeholder Advisory Group for India Internet Governance Forum, goo.gl/NCmKRp (l.a. 8 Feb. 2015).

[10] See Zero Draft of Content Removal Best Practices White Paper, goo.gl/RnAel8 (l.a. 8 Feb. 2015).

[11] See, ex., UK-US surveillance regime was unlawful 'for seven years', goo.gl/vG8W7i (l.a. 9 Feb. 2015).

[12] See, ex., Twitter: Turkey tops countries demanding content removal, goo.gl/ALyO3B (l.a. 9 Feb. 2015).

[13] See, ex., The ITU convenes a programme on Child Online Protection, goo.gl/qJ4Es7 (l.a. 9 Feb. 2015).

[14] Hariharan, Why India's Proposal at the ITU is Troubling for Internet Freedoms, goo.gl/Sxh5K8 (l.a. 9 Feb. 2015).

[15] Hickok, Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill, goo.gl/454qA6 (l.a. 9 Feb. 2015).

[16] See, Supreme Court Of India To Hear Eight IT Act Related Cases On 11th April 2014 - SFLC, goo.gl/XLWsSq (l.a. 9 Feb. 2015).

[17] See, Dara, Intermediary Liability in India: Chilling Effects on Free Expression on the Internet, goo.gl/bwBT0x (l.a. 9 Feb. 2015).

[18] See, ex., Arun, Blocking online porn: who should make Constitutional decisions about freedom of speech?,goo.gl/NPdZcK; Hariharan & Subramanian, Search Engine and Prenatal Sex Determination: Walking the Tight Rope of the Law, goo.gl/xMj4Zw (l.a. 9 Feb. 2015).

[19] CSTD, The mapping of international Internet public policy issues, goo.gl/zUWdI1 (l.a. 9 Feb. 2015).

Security and Surveillance – Optimizing Security while Safeguarding Human Rights

by Elonnai Hickok last modified Feb 13, 2015 02:41 AM
The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights.

The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.

During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.

Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.

Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.

A common theme seemed to be emerging from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - “There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”

The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, “We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.

Reply to RTI Applications filed with respect to Foreign Contractors and Vendors of IT and Telecommunication Enterprises

by Lovisha Aggarwal — last modified Feb 25, 2015 02:13 PM
An RTI application was filed by the Sh. Matthew Thomas on August 06, 2014 enquiring about the details of the foreign contractors and vendors of certain Information Technology and Telecommunication enterprises. Mr. Mathews in his application asked some specific questions.

Information sought in the RTI Application

The specific questions asked are as follows:

1. Names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India.

2. Permission to inspect files pertaining to subject matter.

3. Details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount is for Rs. 50 crore or more.

Enterprises to which the RTI Application was addressed

The application was sent to the following enterprises:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

4. Centre for Development of Telematics (C-DOT) - an Indian Government owned telecommunications technology development centre which designs and develops digital exchanges and intelligent computer software applications.

5. Centre for Development of Advanced Computing (C-DAC) - a research and development organization under the Department of Electronics and Information Technology, Government of India.

6. Bharat Sanchar Nigam Ltd. (BSNL) - an Indian state-owned telecommunications company. It is India's oldest and largest communication service provider.

Reply to the RTI Application

The reply to the information sought in the RTI application by these enterprises is as follows:

1. Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India

The RTI application was addressed to the Deputy Director of the department who forwarded the application to the Joint Director directing him to provide the requisite information directly to the applicant or transfer the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to his division. In response, the Joint Director of the Department of Electronics & Information Technology said that the information on the subject matter was NIL as far as Engineering/BM section, Fire, Security and Protocol Sections of Department of Electronics and Information Technology is concerned.

2. Department of Telecommunications, Ministry of Communications and Information Technology, Government of India

The RTI application was forwarded by the Deputy Secretary & Nodal Officer (RTI) of the Department of Telecommunications to the following divisions for providing the requisite information directly to the applicant or transferring the application to the concerned Central Public Information Officers (CPIOs) if the subject matter did not pertain to their division and their replies are as under:-

a. Investment Promotion Cell: The Director (IP Cell) & CPIO said that no information was available as the subject matter of the application did not pertain to IP Cell.

b. Access Services-I Division: Director (AS-I) & CPIO asked to treat the information as NIL.

c. Licensing Finance - II Branch: Director (IF-II) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

d. Licensing Finance - III Branch: Director (IF-III) & CPIO asked to treat the information as NIL as the matter did not pertain to that branch.

e. Deputy Wireless Adviser: CPIO & Deputy Wireless Adviser to the Govt of India of WPC Wing, SACFA Sectt. said that the information sought was not available with that PlO.

3. Information Technology Branch, Department of Food, Supplies & Consumer Affairs, Government of NCT of Delhi

The Public Information Officer (HQ) of the Information Technology Branch of Department of Food, Supplies & Consumer Affairs forwarded the RTI application to Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department to provide the Para wise information directly to the applicant in accordance with section 5(4) of RTI Act as the record related to the information sought was said to be available with their office. Section 5(4) of RTI Act reads, "The Central Public Information Officer or State Public Information Officer, as the case may be, may seek the assistance of any other officer as he or she considers it necessary for the proper discharge of his or her duties." However, a reply hasn't been received from the Assistant Commissioner (Policy), Food and Supplies Department and Public Information Officer (HQ), Food and Supplies Department yet.

4. The Centre for Development of Telematics

Referring the information sought in the RTI application as vague, the Centre for Development of Telematics asked the applicant to clearly define the information requirements and the period for which it required. The Centre claimed that the information sought at present would lead to handing over of a large amount of data which would require application of significant resources of public authority, since the number of the vendors and contractors could be more than seven hundred in numbers of different categories, namely, component vendors, equipment suppliers, administrative service contractors, etc. The reply was in consistency with section 7(9) of the Right to Information Act which reads, "An information shall ordinarily be provided in the form in which it is sought unless it would disproportionately divert the resources of the public authority or would be detrimental to the safety or preservation of the record in question."

5. Centre for Development of Advanced Computing

The Centre for Development of Advanced Computing disregarded the information sought by the applicant and observed that theinformation sought was vague in nature, not specific and open ended, therefore, could not be termed as Information under the RTI Act without providing any further explanation in this regard.

6. Bharat Sanchar Nigam Ltd. (BSNL), Government of India Enterprise

The RTI application was referred to the MM cell of BSNL by the AdditionaI General Manager (MIS) & CPIO of BSNL (RTI Cell) who replied that no information with respect to the names, addresses in India and abroad of all their contractors and vendors who are foreign firms, even if they have registered offices in India was available. As far as the third question regarding details of the orders placed in each of the past 3 or more years on each of their contractors and details of the orders placed in each of the past 3 or more years on each of their contractors where the amount was for Rs. 50 crore or more was concerned, the AGM of MM cell said that the information could be provided for specific contractor.

Right to Information (RTI) Requests to BSNL and MTNL Regarding Security Equipment

by Maria Xynou last modified Feb 25, 2015 03:04 PM
As part of research, on July 2, 2013, the Centre for Internet and Society (CIS) had sent Right to Information (RTI) requests to two of the largest internet service providers (ISPs) in India: Mahanagar Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL) requesting answers to some questions.

Answers to the following questions were requested:

  1. Please list the companies from which MTNL/BSNL has bought all its security equipment.
  2. What type of security equipment does MTNL/BSNL use to assist Indian law enforcement agencies in detecting and preventing crime, terrorism and all other illegal activity? Please provide the certification for all such equipment.
  3. What malware does MTNL/BSNL test for? What does MTNL/BSNL use for testing malware in its networks?
  4. Which proxy server does MTNL/BSNL use and is it used for filtering data? If so, what type of data is being filtered and for what purpose? Is authorisation required and if so, by whom?
  5. Does MTNL/BSNL use FinFly ISP? If so, who authorises its use and under what conditions?

M. K. Sheda, the appellate authority of MTNL, responded to the above questions on August 3, 2013 with the following answers:

  1. MTNL procures all its equipment through an open competitive bidding process and the details of all past tenders are available on the MTNL website. Equipment from multiple vendors are operational in GSM MTNL Packet-Core Network and specific names cannot be given due to security reasons.
  2. MTNL uses the security equipment by the Department of Telecommunications, Government of India, to assist Indian law enforcement agencies. The details cannot be disclosed as the information is classified as "secret" as per MTNL IT Policy Revision 2.0 and also comes under Section -8 (1) (a) and (d) of the RTI Act 2005.
  3. MTNL GSM Packet Core equipment for data access uses MTNL ISP as its interface with external entities. Thus information is pertaining to MTNL ISP and hence a reply may please be taken from the GM (Broadband) unit.
  4. Same answer as "3" above.
  5. Same answer as "3" above.

BSNL has still not responded to the above questions.


Click below to download the respective files:

  1. RTI Application to BSNL
  2. Reply from MTNL

BSNL RTI Application

by Prasad Krishna last modified Feb 25, 2015 02:57 PM

PDF document icon BSNL.pdf — PDF document, 656 kB (672226 bytes)

Reply from MTNL to RTI Application

by Prasad Krishna last modified Feb 25, 2015 03:03 PM

PDF document icon MTNL reply.pdf — PDF document, 1489 kB (1525667 bytes)

The Centre for Internet and Society joins Worldwide Campaign to Discover Depth of GCHQ's Illegal Spying

by Elonnai Hickok last modified Mar 01, 2015 06:13 AM
The Centre for Internet and Society has joined an international campaign to allow anyone in the world to request whether Britain’s intelligence agency GCHQ has illegally spied on them.

The platform and campaign has been developed in response to a recent court ruling that GCHQ unlawfully obtained millions of private communications from the NSA up until December 2014. This decision allows not only British citizens, but anyone in the world, to ask GCHQ if the individual’s records were unlawfully shared by the NSA.

Individuals who wish to take part in this process can sign up here: https://www.privacyinternational.org/illegalspying

Privacy International intends to collate the inquiries from around the world and submit them to the UK Investigatory Powers Tribunal. Those who have been found to have been illegally spied on can then seek the deletion of their records, including emails, phone records, and internet communications. Given the mass surveillance capabilities of the NSA and GCHQ, and that the agencies “share by default” the information they collect, an unlimited number of people could have been affected by the unlawful spying.

The Investigatory Powers Tribunal, the UK court solely responsible for overseeing intelligence agencies, ruled on 6 February that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.

The decision was the first time in the Tribunal’s history that it had ruled against the actions of the intelligence and security services.

According to the Centre for Internet and Society – this is a great example of transparency and the ability for individuals to access information held by the government. It is also an important step towards government accountability with respect to state surveillance.

Eric King, Deputy Director of Privacy International, said:

“We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the US and UK. The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place.

There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity finally hold GCHQ accountable for their unlawful actions.”


Brief on “Did GCHQ Spy on You Illegally?”

Privacy International on Monday February 16th 2015 launched a campaign and platform allowing people to ask the UK’s surveillance court, the Investigatory Powers Tribunal, if GCHQ spied on people illegally. This comes on the heels of our recent legal victory in the IPT, who found that all intelligence sharing from the NSA to GCHQ prior to December 2014 was unlawful.

As on February 17th night, we had over 10,000 signatures, and at the end of today we expect to have more updated figures.

While this has been successful thus far, we need your help!

We need the support of other organisations to truly make this work, and we want your organisation to join as a partner. Being a partner in this can look a few different ways: you can send out emails to your organisation's members, tweet out the links to the platform, or send out a press release to your media contacts telling them you joined the effort.

We hope you can join, and below we try to address some questions we've been getting about the campaign. There's also an additional FAQ more specifically addressing the campaign itself.

What is PI doing?

Simply put: Giving people the chance to remedy illegal government activity and hold intelligence agencies accountable. When someone submits their information through this platform, they are allowing us to go to the IPT on their behalf to find out if they were illegally spied on by GCHQ.

People could have gone directly to the IPT to ask, but that process is difficult to engage in. We wanted to create a simple, low-barrier way to give people the chance to find out if they were victims of illegal spying.

Why are you doing this?

This action is not just about satisfying curiosity. Sure, lots of us are interested in knowing whether our emails have been caught in the NSA and GCHQ’s dragnet surveillance operations, and hopefully through this platform we’ll be able to find out. But, this campaign is about much more than that.

It is about making GCHQ understand the very personal and individual implications of mass surveillance. And it is about ending the feeling of powerlessness that many of us have felt since discovering, thanks to Edward Snowden, the reality of the almost total surveillance that we’re under.

We have never done a public campaign like this, but we felt that this ruling was too important to pass up. People have a right to know if they were illegally spied on, and if so, request that their records are deleted. We want to help them assert those rights, and we think you can help too.

Why should my organisation join?

We don't get many victories in this space, but we have a rare opportunity to give people the chance to do something! Not just sign a petition, but directly hold intelligence agencies accountable and challenge proven illegal government activity.

Numbers are important too, not just important to brag about. The greater number of people who sign up actually increases our likelihood of success. That's because when we submit people's details to the IPT, one of the possible outcomes could be that the court tests a sample to see if/where illegality occurred.

The more people who sign up, the greater chance there is we can prove that people were illegally spied on. If that's the case, we could request that GCHQ delete ALL the records they obtained from NSA prior to December to 2014.

To do that, we need as many people to join. We are not merely interested in building a list, this is not a stunt, and we have no interest in poaching your members. It's simple – more people means greater chance of success.

Also, this is going to be a long fight on our front. We are going to be dealing with this campaign for the next few months if not few years. As each turn comes along the way, we are going to need your help to keep pressure up and keep people involved. Nothing good comes easy!

Is it only for British citizens?

No. This literally affects everyone who has ever used a phone or computer prior to December 2014, which is pretty much every single person.

So, anyone around the world is eligible to join this petition! No matter where you are, you’re entitled under British law to bring a claim in the courts to find out whether you were illegally spied on. Given the degree of intelligence collection by the NSA and its close relationship with the British intelligence services, it’s entirely possible that your communications have been scooped up and unlawful handed over to the UK.

So, what can you do?

Four actions you can do:

  • Declare your organisation’s support for the campaign! Email [email protected] and we'll add your name to the partner section on the petition page.
  • Tweet the link for the petition to your followers: www.privacyinternational.org/illegalspying using the hashtag #DidGCHQSpyOnYou
  • Email your supporters and members and encourage them to join the campaign - if you need further information you can point them to the FAQ on our website or included in this pack: https://www.privacyinternational.org/?q=node/495
  • Tweet at or contact notable people in your city or country - we’ve been tweeting Members of Parliament, influential journalists, movie stars, whomever!

FAQ on action

URL: https://privacyinternational.org/?q=node/495

Who is able to join?

EVERYONE! The implications of our recent legal victory against GCHQ in the Investigatory Powers Tribunal means that all intelligence sharing from the NSA to GCHQ was unlawful. Because people located all over the world are affected by illegal intelligence sharing, not only British citizens, but anyone in the world, can ask if their records collected by the NSA were unlawfully shared with GCHQ.

Why are we doing this?

Intelligence agencies' culture of secrecy have allowed them, for too long, to avoid public accountability. Whether it’s secret hearings in closed court rooms or committees equipped only with rubber stamps, intelligence agencies like GCHQ have never been forced to answer to the public for their actions.

We think you have a right to know whether you have been caught up in GCHQ and NSA's illegal intelligence sharing. If so, you have a right to demand that data be deleted. Privacy International wants to help you assert those rights.

Wait what? Why do I have to give GCHQ my data?

We know it sounds absurd but it's the only way! The Tribunal can't act by itself, so it needs people to come forward to file complaints. We've kept information needed to a minimum, but the IPT requires more than your name to attempt to find your communications in GCHQ’s massive databases. If they do locate your data, you can ask them to delete it. Hopefully, if enough people sign up, we can show just how widespread Five Eyes mass surveillance and intelligence sharing is, and get the reform we all need!

Will this tell me if GCHQ are currently spying on me?

No. This campaign will only tell you if NSA shared your communications with GCHQ before December 2014. It won't tell you if GCHQ shared communications with NSA. It also won't tell you if GCHQ intercepted your communications by themselves. Should Privacy International be successful in our appeal to the European Court of Human Rights maybe this will change, but for now, this is limited to just whether NSA shared your communications with GCHQ before December 2014.

What will happen once I have entered my details?

After you hit submit, you'll receive an email asking you to confirm your participation. Make sure you click that link, otherwise your submission won't go through. While these few details are all we need from you now, we may need more information from you in the future. By entering your details, you authorise Privacy International and their legal team to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your rights under Article 8 and Article 10 of the UK Human Rights Act have been violated and to request your records be deleted.

How will I know my communications were illegal shared with GCHQ?

If the IPT find that your communications were illegally shared with GCHQ, they have to tell you. The Investigatory Powers Tribunal has a statutory obligation to investigate any complaint made against GCHQ. When they receive a complaint, if they think they have all the information required to make a determination, then they will do so, and inform you of the outcome. If not, the IPT can demand more information, a meeting or inspection of files held by GCHQ.

Do I get anything if I have been spied on?

Yes. If the IPT is able to establish that you have been illegally spied on, they have to tell you. You will receive a declaration that your privacy rights have been violated and you can request that any information unlawfully obtained be deleted.

WiIl GCHQ hold onto my details when they are handed over to them?

No. GCHQ are only allowed to keep your details for the purposes of establishing whether or not they spied on you illegally and for the duration of the investigation by the IPT.

How soon will I receive an answer to whether I was caught up in NSA and GCHQ's illegal spying?

It might be a while. This is the first time that such a large group action has been mounted against GCHQ so count on it being many months, and likely years before this action is completed. Nothing worth doing is easy!

Is this for all of NSA and GCHQ's programmes?

This legal campaign deals with information collected by the NSA and shared with GCHQ before December 2014, specifically PRISM and UPSTREAM. It doesn't deal with GCHQ initiated interception, but if we're successful with our appeal with the European Court of Human Rights, maybe that could change!

Is my email address and phone number enough for GCHQ to find all records?

No. Unfortunately, we imagine many of GCHQ's databases are unindexed or indexed by a "selector" which could be an IP address, a cookie, a hardware address or almost anything else. For people who want the most comprehensive records searched, much more personal information would have to be provided. Currently we are asking for only your email address and phone number to enable the greatest number of people access to this campaign. If you want to provide more detailed information and a range of selectors to GCHQ, consider submitting your own individual complaint here. We hope to have a detailed guide on how to do so in the next few days.

What are Privacy International going to do with this data?

By entering your details you are authorising Privacy International to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your privacy rights have been violated. We will provide you with updates on the case and won't use the information for any other purpose. We will only share it with our lawyers, GCHQ and the Investigatory Powers Tribunal.

Table of CIS DIDP Requests

by Geetha Hariharan last modified Mar 05, 2015 06:42 AM
CIS sent 10 DIDP requests to ICANN, and we received responses for 9 of them. As this table shows, the majority of ICANN's responses are negative. In 7 requests out of 9, ICANN provides no new information apart from what CIS had already identified in the Requests.

Microsoft Excel spreadsheet icon DIDP Table of CIS Requests.xls — Microsoft Excel spreadsheet, 44 kB (45056 bytes)

DIDP Request #1: ICANN's Expenditures on "Travel & Meetings"

by Geetha Hariharan last modified Mar 05, 2015 08:00 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of expenditure by ICANN at its Meetings. CIS' request and ICANN's response are detailed below.

CIS' Request

18 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for itemized details of expenditure by ICANN at its Meetings

We would like to thank Mr. Calvez and Mr. Gupta for providing information regarding ICANN’s domain name revenues for the fiscal year ending June 30, 2014.[1] We would like to request further information through the DIDP.

In the Audited Financial Statements for the fiscal year ended June 30, 2014, the “statements of activities” provides Total Expenses (for ICANN and New gTLD) as USD 124,400,000.[2] For the fiscal year ended June 30, 2013, the Total Expenses (ICANN and New gTLD) noted is USD 150,362,000.

According to the statement, this covers expenses for Personnel, Travel and meetings, Professional services and Administration. Quarterly Reports note that the head “Travel and meetings” includes community support requests.[3] In addition to these heads, Quarterly Reports include “Bad debt expenses” and “Depreciation expenses”. The manner of accounting for these is explained in Note 2 to the Notes to Financial Statements.[4] Note 2 explains that the expenses statement is prepared by “functional allocation of expenses” to identifiable programs or support services, or otherwise by methods determined by the management.

For the purposes of our research into normative and practised transparency and accountability in Internet governance, we request, to begin with, current and historical information regarding itemized, detailed expenses under the head “Travel and meetings”. We request this information from 1999 till 2014. We request that such information be categorized and sub-categorised as follows:

Total and Individual Expenses for each meeting (categorised by meeting and year):

1. Total and individual expenses for ICANN staff (differentiated by department and name of each individual attending the event, including dates/duration of attendance);

-    Also broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each ICANN staff member who attended the event to be named.

2. Total and individual expenses for members of ICANN Board (listed by each Board member and dates/duration of attendance);

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each Board member to be named.

3. Total and individual expenses for members of ICANN constituencies (ALAC, ATRT, ccNSO, GAC, GNSO, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named.

4. Total and individual expenses for ICANN fellows

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their region and stakeholder affiliation.

5. Total and individual expenses incurred for any other ICANN affiliate or liaison (ISOC, IETF, IAB, etc.)

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

6. Total and individual expenses incurred for any other person, whether or not directly affiliated with ICANN

-    Broken down into each individual expense (flights, accommodation, per diem or separate local transport, food and other expenses).

-    Each attendee for whom ICANN covered expenses to be named, including their affiliation.

Please note that we request the above-detailed information for ICANN meetings, and also other meetings for which ICANN may provide financial support (for instance, CWG-Stewardship or CWG-Accountability). We request, as a preliminary matter, a list of all meetings to which ICANN provides and has, in the past, provided financial support (1999-2014).

We note that some information of this nature is available in the Travel Support Reports.[5] However, the Travel Support Reports are available only from 2008 (Cairo meeting), and are not available for ICANN48 to ICANN51. Further, the Travel Support Reports do not exhibit the level of granularity necessary for research and scrutiny. As explained above, we request granular information for all meetings.

In our view, providing such information will not violate any individual or corporate rights of ICANN, its Staff, Board, Affiliates/Liaisons or any other individual. Public corporations and even private organisations performing public functions may be subjected to or accept an increased level of transparency and accountability. We believe this is of especial importance to ICANN, as it is involved in a process to enhance its accountability, intrinsically related to IANA Stewardship Transition. We expressed similar views in our initial comment to “Enhancing ICANN Accountability”.[6] Increased transparency from ICANN may also address accountability concerns present across stakeholder-groups both within and outside ICANN.

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN's Response

ICANN responded to the above request for information within the stipulated time of 30 days. ICANN’s response is here. A short summary of CIS's request and ICANN's response can be found in this table (Request S. no. 1).

 


[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See ICANN Financial Statements As of and For the years ended June 30, 2014 and 2013, pages 7, 19-20, https://www.icann.org/en/system/files/files/financial-report-fye-30jun14-en.pdf.

[3] For instance, see ICANN FY14 Financial Package: For the nine months ending March 2014, pages 2-5, https://www.icann.org/en/system/files/files/package-fy14-31mar14-en.pdf.

[4] Supra note 1, page 14.

[5] See Community Travel Support, https://www.icann.org/resources/pages/travel-support-2012-02-25-en#reports.

[6] See CIS Comments on Enhancing ICANN Accountability, http://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability.

DIDP Request #2: Granular Revenue/Income Statements from ICANN

by Geetha Hariharan last modified Mar 05, 2015 08:07 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking current and historical details of ICANN's income/revenue from its various sources. CIS' request and ICANN's response are detailed below.

 

CIS Request

22 December 2014

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Request for granular income/revenue statements of ICANN from 1999-2014

Earlier this month, on 3 December 2014, Mr. Samiran Gupta presented CIS with detailed and granular information regarding ICANN’s domain names income and revenues for the fiscal year ended June 30, 2014. This was in response to several requests made over a few months. The information we received is available on our website.[1]

The information mentioned above was, inter alia, extremely helpful in triangulating ICANN’s reported revenues, despite and in addition to certain inconsistencies between the Annual Report (FY14) and the information provided to us.

We recognize that ICANN makes public its current and historical financial information to a certain extent. Specifically, its Operating Plan and Budget, Audited Financial Statements, Annual Reports, Federal and State Tax Filings, Board Compensation Report and ccTLD Contributions Report are available on the website.[2]

However, a detailed report of ICANN’s income or revenue statement, listing all vendors and customers, is not available on ICANN’s website. Our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN, requires information in such granularity. We request, therefore, historical data re: income and revenue from domain names (1999-2014), in a manner as detailed and granular as the information referenced in FN[1]. We would appreciate if such a report lists all legal entities and individuals who contribute to ICANN’s domain names income/ revenue.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to CIS's request can be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 2).

 


[1] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

[2] See Historical Financial Information for ICANN, https://www.icann.org/resources/pages/historical-2012-02-25-en.

DIDP Request #3: Cyber-attacks on ICANN

by Geetha Hariharan last modified Mar 05, 2015 08:16 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of cyber-attacks on ICANN, and ICANN's internal and external responses to the same. CIS' request and ICANN's response are detailed below.

 

CIS Request

24 December 2014

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Geoff Bickers, Team Lead, ICANN Computer Incident Response Team (CIRT) & Director of Security Operations

Mr. John Crain, Chief Security, Stability and Resiliency Officer

Members of the ICANN-CIRT & ICANN Security Team

Sub: Details of cyber-attacks on ICANN

We understand that ICANN recently suffered a spear-phishing attack that compromised contact details of several ICANN staff, including their email addresses; these credentials were used to gain access to ICANN’s Centralized Zone Data System (CZDS).[1] We are glad to note that ICANN’s critical functions and IANA-related systems were not affected.[2]

The incident has, however, raised concerns of the security of ICANN’s systems. In order to understand when, in the past, ICANN has suffered similar security breaches, we request details of all cyber-attacks suffered or thought/suspected to have been suffered by ICANN (and for which, therefore, investigation was carried out within and outside ICANN), from 1999 till date. This includes, naturally, the recent spear-phishing attack.

We request information regarding, inter alia,

(1)  the date and nature of all attacks, as well as which ICANN systems were compromised,

(2)   actions taken internally by ICANN upon being notified of the attacks,

(3)  what departments or members of staff are responsible for security and their role in the event of cyber-attacks,

(4)  the role and responsibility of the ICANN-CIRT in responding to cyber-attacks (and when policies or manuals exist for the same; if so, please share them),

(5)   what entities external to ICANN are involved in the identification and investigation of cyber-attacks on ICANN (for instance, are the police in the jurisdiction notified and do they investigate? If so, we request copies of complaints or information reports),

(6)  whether and when culprits behind the ICANN cyber-attacks were identified, and

(7)  what actions were subsequently taken by ICANN (ex: liability of ICANN staff for security breaches should such a finding be made, lawsuits or complaints against perpetrators of attacks, etc.).

Finally, we also request information on the role of the ICANN Board and/or community in the event of such cyber-attacks on ICANN. Also, when was the ICANN-CIRT set up and how many incidents has it handled since its existence? Do there exist contingency procedures in the event of compromise of IANA systems (and if so, what)?

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN responded to our request by noting that it is vague and broad in both time and scope. In response, ICANN has provided information regarding certain cyber-incidents already in the public domain, while noting that the term "cyber-attack" is both wide and vague. While the information provided is undoubtedly useful, it is anecdotal at best, and does not provide a complete picture of ICANN's history of vulnerability to cyber-attacks or cyber-incidents, or the manner of its internal response to such incidents, or of the involvement of external law enforcement agencies or CIRTs in combating cyber-incidents on ICANN.

ICANN's response may be found here. A short summary our request and ICANN's response may be found in this table (Request S. no. 3).


[1] See ICANN targeted in spear-phishing attack, https://www.icann.org/news/announcement-2-2014-12-16-en.

[2] See IANA Systems not compromised, https://www.icann.org/news/announcement-2014-12-19-en.

DIDP Request #4: ICANN and the NETmundial Principles

by Geetha Hariharan last modified Mar 05, 2015 08:28 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of ICANN's implementation of the NETmundial Principles that it has endorsed widely and publicly. CIS' request and ICANN's response are detailed below.

 

CIS Request

27 December 2014

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of implementation by and within ICANN of the NETmundial Outcome Document (April ‘14)

We express our appreciation at ICANN’s prompt acknowledgement of our previous DIDP request, and await the information. We would, in the meanwhile, request information regarding ICANN’s internal measures to implement the NETmundial Outcome Document.[1]

In a post titled Turning Talk Into Action After NETmundial,[2] Mr. Chehade emphasized the imperative to carry forward the NETmundial principles to fruition. In nearly every public statement, Mr. Chehade and other ICANN representatives have spoken in praise and support of NETmundial and its Outcome Document.

But in the absence of binding value to them, self-regulation and organizational initiatives pave the way to adopt them. There must be concrete action to implement the Principles. In this regard, we request information about mechanisms or any other changes afoot within ICANN, implemented internally in recognition of the NETmundial Principles.

At the IGF in Istanbul, when CIS’ Sunil Abraham raised this query,[3] Mr. Chehade responded that mechanisms ought to and will be undertaken jointly and in collaboration with other organisations. However, institutional improvements are intra-organisational as well, and require changes within ICANN. An example would be the suggestions to strengthen the IGF, increase its term, and provide financial support (some of which are being achieved, though ICANN’s financial contribution to IGFSA is incongruous in comparison to its financial involvement in the NETmundial Initiative).

From ICANN, we have seen consistent championing of the controversial NETmundial Initiative,[4] and contribution to the IGF Support Association.[5] There are also mechanisms instituted for IANA Stewardship Transition and Enhancing ICANN Accountability,[6] as responses to the NTIA’s announcement to not renew the IANA functions contract and related concerns of accountability.

In addition to the above, we would like to know what ICANN has done to implement the NETmundial Principles, internally and proactively.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to the above request disappointingly linked to the very same blogpost we note in our request, Turning Talk Into Action After NETmundial. Following this, ICANN points us to their involvement in the NETmundial Initiative. On the question of internal implementation, ICANN's response is defensive, to say the least. "ICANN is not the home for the implementation of the NETmundial Principles", they say. In any event, ICANN defends that it already implements the NETmundial Principles in its functioning, a response that comes as a surprise to us. "Many of the NETmundial Principles are high-level statements that permeate through the work of any entity – particularly a multistakeholder entity like ICANN – that is interested in the upholding of the inclusive, multistakeholder process within the Internet governance framework", notes ICANN's response. Needless to say, ICANN's response falls short of responding to our queries.

Finally, ICANN notes that our request is beyond the scope of the DIDP, as it does not relate to ICANN's operational activities. Notwithstanding that our query does in fact seek ICANN's operationalisation of the NETmundial Principles, we are now confused as to where to go to seek this information from ICANN. If the DIDP is not the effective transparency tool it is aimed to be, who in ICANN can provide answers to these questions?

ICANN's response may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 4).


[1] See NETmundial Multi-stakeholder Statement, http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf.

[2] See Chehade, Turning Talk Into Action After NETmundial, http://blog.icann.org/2014/05/turning-talk-into-action-after-netmundial/.

[3] See ICANN Open Forum, 9th IGF 2014 (Istanbul, Turkey), https://www.youtube.com/watch?v=Cio31nsqK_A.

[4] See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/.

[5] See ICANN Donates $50k to Internet Governance Forum Support Association, https://www.icann.org/resources/press-material/release-2014-12-18-en.

[6] See NTIA IANA Functions’ Stewardship Transition & Enhancing ICANN Accountability Processes, https://www.icann.org/stewardship-accountability.

DIDP Request #5: The Ombudsman and ICANN's Misleading Response to Our Request

by Geetha Hariharan last modified Mar 06, 2015 11:11 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of the complaints received and resolved, parties involved and the nature of complaints under the Ombudsman process. CIS' request and ICANN's response are detailed below. ICANN's response is misleading in its insistence on confidentiality of all Ombudsman complaints and resolutions.

 

CIS Request

26 December 2014

To:
Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, CEO and President

Mr. Chris LaHatte, Ombudsman, ICANN

Sub: Details regarding complaints submitted to the ICANN Ombudsman

We are very pleased to note that ICANN’s transparency and accountability mechanisms include maintaining a free, fair and impartial ombudsman. It is our understanding that any person with a complaint against the ICANN Board, staff or organization, may do so to the designated ombudsman.[1] We also understand that there are cases that the ICANN ombudsman does not have the authority to address.

In order to properly assess and study the efficiency and effectiveness of the ombudsman system, we request you to provide us with the following information:

(i) A compilation of all the cases that have been decided by ICANN ombudsmen in the history of the organization.

(ii) The details of the parties that are involved in the cases that have been decided by the ombudsmen.

(iii)A description of the proceedings of the case, along with the party that won in each instance.

Further, we hope you could provide us with an answer as to why there have been no ombudsman reports since the year 2010, on the ICANN website.[2] Additionally, we would like to bring to your notice that the link that provides the ombudsman report for the year 2010 does not work.

In order to properly assess the mechanism that ICANN uses for grievance redressal, it would be necessary to examine the details of all the cases that ICANN ombudsmen have presided over in the past. In this regard, kindly provide us with the above information.

We do hope that you will be able to furnish this information to us within the stipulated time period of 30 days. Do not hesitate to contact us if you have any doubts regarding our queries. Thank you so much.

Yours sincerely,
Lakshmi Venkataraman
NALSAR University of Law, Hyderabad,
for Centre for Internet & Society
W: http://cis-india.org

 

ICANN Response

In its response, ICANN declines our request on grounds of confidentiality. It refers to the ICANN Bylaws on the office of the Ombudsman to argue that all matters brought before the Ombudsman "shall be treated as confidential" and the Ombudsman shall "take all reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman". ICANN states that the Ombudsman publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". In sum, ICANN states that making Ombudsman Requests public would violate ICANN Bylaws, and topple the independence and integrity of the Ombudsman.

These are, perhaps, valid reasons to decline our DIDP request. But it is important to investigate ICANN's reasons. The ICANN Board appoints the Ombudsman for 2 year terms, under Article V of ICANN’s Bylaws. As we note in an earlier post, the Ombudsman’s principal function is to receive and dispose of complaints about unfair treatment by the ICANN Board, Staff or constituency. He/she reports to the ICANN Board alone. He/she also reports on the categories of complaints he receives, and statistics regarding decisions in his Annual Reports; no details are forthcoming for stated reasons of confidentiality and privacy. It is clear, therefore, that the Ombudsman receives and disposes of complaints under a procedure that is inadequately transparent.

ICANN argues, however, that for reasons of confidentiality and integrity of the Ombudsman office, ICANN is unable to disclose details regarding Ombudsman complaints, the complainants/respondents and a description of the proceedings (including the decision/resolution). Indeed, ICANN states its "Bylaws and the Ombudsman Framework obligates the Ombudsman to treat all matters brought before him as confidential and 'to take reasonable steps necessary to preserve the privacy of, and to avoid harm to, those parties not involved in the complaint being investigated by the Ombudsman'.” For this reason, ICANN considers that "Disclosing details about the parties involved and the nature of the cases that have been decided by the Ombudsmen would not only compromise the confidentiality of the Ombudsman process but would also violate the ICANN Bylaws and the Ombudsman Framework."

While the privacy of parties both involved and "not involved in the complaint" can be preserved (by redacting names, email addresses and other personal identification), how valid is ICANN's dogged insistence on confidentiality and non-disclosure? Let's look at Article V of ICANN's Bylaws and the Ombudsman Framework both.

Do ICANN Bylaws bind the Ombudsman to Confidentiality?

Under Article V, Section 1(2) of ICANN's Bylaws, the Ombudsman is appointed by the ICANN Board for a 2 year term (renewable). As noted earlier, the Ombudsman's principal function is to “provide an independent internal evaluation of complaints by members of the ICANN community who believe that the ICANN staff, Board or an ICANN constituent body has treated them unfairly” or inappropriately (Art. V, Section 2). The Ombudsman is not a judge; his conflict resolution tools are "negotiation, facilitation, and 'shuttle diplomacy'.

According to Art. V, Section 3(3), the Ombudsman has access to "all necessary information and records from staff and constituent bodies" to evaluate complaints in an informed manner. While the Ombudsman can access these records, he may not "publish if otherwise confidential". When are these records confidential, then? Section 3(3) supplies the answer. The confidentiality obligations are as "imposed by the complainant or any generally applicable confidentiality policies adopted by ICANN". For instance, the complainant can waive its confidentiality by publishing the text of its complaint and the Ombudsman's response to the same (such as the Internet Commerce Association's complaint regarding the Implementation Review Team under the new gTLD program), or a complaint may be publicly available on a listserv. In any event, there is no blanket confidentiality obligation placed on the Ombudsman under ICANN's Bylaws.

Moreover, the Ombudsman also publishes Annual Reports, in which he/she provides a "consolidated analysis of the year's complaints and resolutions", including "a description of any trends or common elements of complaints received". That is, the Ombudsman's Annual Report showcases a graph comparing the increase in the number of complaints, categories of complaints (i.e., whether the complaints fall within or outside of the Ombudsman's jurisdiction), and a brief description of the Ombudsman's scope of resolution and response. The Annual Reports indicate that the mandate of the Ombudsman's office is extremely narrow. In 2014, for instance, 75 out of 467 complaints were within Mr. LaHatte's jurisdiction (page 5), but he notes that his ability to intervene is limited to "failures in procedure". As an input to the ATRT2 Report noted, the Office of the Ombudsman “appears so restrained and contained” (page 53). As the ATRT2 noted, "ICANN needs to reconsider the Ombudsman’s charter and the Office’s role as a symbol of good governance to be further incorporated in transparency processes"; the Office's transparency leaves much to be desired.

But I digress.

The Ombudsman is authorised to make reports on any complaint and its resolution (or lack thereof) to the ICANN Board, and unless the Ombudsman says so in his sole discretion, his reports are to be posted on the website (Art. V, Section 4(4)). The Ombudsman can also report on individual requests, such as Mr. LaHatte's response to a complaint regarding a DIDP denial (cached). Some reports are actually available on the Ombudsman page; the last published report dates back to 2012, though in 2013 and 2014, the Ombudsman dealt with more complaints within his jurisdiction than in 2012 or prior. So ICANN's argument that disclosing the information we ask for in our DIDP Request would violate ICANN Bylaws and the confidentiality of the Ombudsman is misleading.

Does the Ombudsman Framework Prohibit Public Reporting?

So if ICANN Bylaws do not ipso facto bind the Ombudsman's complaint and conflict resolution process to confidentiality, does the Ombudsman Framework do so?

The Ombudsman does indeed have confidentiality obligations under the Ombudsman Framework (page 4). All matters brought before the Ombudsman shall be treated as confidential, and the identities of parties not involved in the complaint are required to be protected. The Ombudsman may reveal the identity of the complainant to the ICANN Board or Staff only to further the resolution of a complaint (which seems fairly obvious); this obligation is extended to ICANN Board and Staff as well.

As the Framework makes crystal clear, the identity of complainants are to be kept confidential. Nothing whatsoever binds the Ombudsman from revealing the stakeholder group or affiliation of the complainants - and these are possibly of more importance. What stakeholders most often receive unfair or inappropriate treatment from ICANN Board, Staff or constituent bodies? Does business suffer more, or do non-commercial users, or indeed, governments? It is good to know what countries the complaints come from (page 4-5), but given ICANN's insistence on its multi-stakeholder model as a gold standard, it is important to know what stakeholders suffer the most in the ICANN system.

In fact, in the first page, the Ombudsman Framework says this: "The Ombudsman may post complaints and resolutions to a dedicated portion of the ICANN website (http://www.icann.org/ombudsman/): (i) in order to promote an understanding of the issues in the ICANN community; (ii) to raise awareness of administrative fairness; and (iii) to allow the community to see the results of similar previous cases. These postings will be done in a generic manner to protect the confidentiality and privilege of communicating with the Office of Ombudsman." But the ICANN website does not, in fact, host records of any Ombudsman complaints or resolutions; it links you only to the Annual Reports and Publications.

As I've written before, the Annual Reports provide no details regarding the nature of each complaint, their origins or resolution, and are useful if the only information we need is bare statistics of the number of complaints received. That is useful, but it's not enough. Given that the Ombudsman Framework does allow complaint/resolution reporting, it is baffling that ICANN's response to our DIDP request chooses to emphasise only the confidentiality obligations, while conveniently leaving out the parts enabling and encouring reporting.

Should ICANN Report the Ombudsman Complaints?

Of course it should. The Ombudsman is aimed at filling an integral gap in the ICANN system - he/she listens to complaints about treatment by the ICANN Board, Staff or constituent bodies. As the discussions surrounding the appeal procedures in the CWG-Names show, and as the ATRT2 recommendations on Reconsideration and Independent Review show, conflict resolution mechanisms are crucial in any environment, not least a multi-stakeholder one. And in an organisation that leaves much desired by way of accountability and transparency, not reporting on complaints against the Board, staff or constituencies seems a tad irresponsible.

If there are privacy concerns regarding the identities of complainants, their personal identifying information can be redacted. Actually, in the complaint form, adding a waiver-of-confidentiality tick-box would solve the problem, allowing the complainant to choose whether to keep his/her complaint unreportable. But the details of the respondents ought to be reported; as the entity responsible and accountable, ICANN should disclose whom complaints have been made against.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 5).

 


[1] See What the Ombudsman can do for you, https://www.icann.org/resources/pages/contact- 2012-02-25-en.

[2] See Annual Reports & Publications, https://www.icann.org/resources/pages/reports-96-2012- 02-25-en.

The Surveillance Industry in India – An Analysis of Indian Security Expos

by Divij Joshi last modified Mar 08, 2015 12:25 PM
The author talks about the surveillance industry in India and analyses Indian security expos.

Introduction

The 'Spy Files', a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world - a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals.[1] These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites. Moreover, the unregulated and undiscerning nature of the industry means that it has enabled governments (and also private agencies) across the world - from repressive dictatorships to governments in western democracies with a growing track record of privacy and civil liberties infringements - to indulge in secretive, undemocratic and often illegal surveillance of their citizens. The Spy Files and related research have revealed how the mass surveillance industry utilizes the rhetoric of national security and counter-terrorism to couch technologies of surveillance.

'Security' and the Normalization Of Surveillance

New technologies undoubtedly create a potential for both malicious as well as beneficial use for society. Surveillance technologies are a prime example, having both enabled improvements in law enforcement and security, but at the same time creating unresolved implications for privacy and civil liberties. These technologies expose what Lawrence Lessig describes as 'latent ambiguities' in the law - ambiguities that require us to assess the implications and effects of new technologies and how to govern them, and most importantly, to choose between conflicting values regarding the use of technologies, for example, increased security as against decreased privacy.[2]

Unfortunately, In India, the ambiguity seems to have been resolved squarely in favour of surveillance - under the existing regulatory regime, surveillance is either expressly mandated or unregulated, and requires surveillance to be built into the architecture and design of public spaces like internet and telephone networks, or even public roads and parks. Most of these regulations or mechanisms are framed without democratic debate, through executive mechanisms and private contracts with technology providers, without and public accountability or transparency.

For example, under the telecom licensing regime in India, the ISP and UASL licenses specifically require lawful interception mechanisms through hardware or software to be installed by the licensees, for information (Call Data Records, Packet Mirroring, Call Location) to be provided to 'law enforcement agencies', as specified by the Government.[3] Section 69 of the Information Technology Act, the main legislation governing the Internet in India, read with the rules framed under the Act, makes it incumbent upon 'intermediaries' to provide surveillance facilities at the behest of government agencies.[4]

Beyond this, the State and its agencies Section 69 and 69B of the IT Act empower the government to intercept and monitor any data on the Internet. The Telegraph Act also permits wiretapping of telephony.[5] The proposed Central Monitoring System by the Central Government would give state agencies centralized access to all telecommunications in real time, on telephony or on the Internet. Other surveillance schemes include the Keyword Tracking system NETRA, as well as several state government proposed comprehensive CCTV-surveillance schemes for cities. [6] Clearly, therefore, there is a massive market for surveillance technologies in India.

Tracking the Surveillance Market

The Mass surveillance industry by its very nature is closed, secretive and without democratic oversight, Insights into the prevalence, nature and scope of the companies that form this industry, or the technologies that are utilized are far and few. No democratic debate about surveillance can take place in such a paradigm. In this context, security expos and exhibitions provide critical insight into this industry. Several of the important revelations about the industry in the past have been from examinations of large exhibitions in which the various governmental and industry actors participate, and therefore, such analysis is critical to the debate surrounding mass surveillance. Such exhibitions are a logical starting point because they are one of the few publically accessible showcases of surveillance-ware, and are also a congregation of most major players who are part of this market both as suppliers and purchasers.

Our research identified at least 13 exhibitions in India that specifically cater to the surveillance industry. A brief outline of each of these exhibitions is provided below:

1. Secutech India (Brochures: 2015 -http://www.secutechindia.co.in/pdf/secutech%20brochure.pdf)

The Secutech Expo is an exhibition held in Bombay and Delhi since 2011, to showcase Information Security, Electronic Security and Homeland Security technologies. Secutech also organizes the Global Digital Surveillance Forum, a conference amongst the stakeholders of digital surveillance industry in India.[7]

Exhibitors: Ivis; Matrix Comsec; Neoteric; Smartlink; Kanoe; Micro Technologies; Aditya Infrotech; CoreTech Solutions; Merit Lilin; Schneider Electric; Pash systems; Nettrack Technologies Pvt Ltd.; QNAP; Axxonsoft; Hk Vision (China); Alhua; Axis; Vivotech (Taiwan); Endroid (USA); Vantge (UK); Pelco (France); Advik; Hi Focus (UK); ESMS; Keeper (China); Neoteric; Vizor, etc

Visitors: The visitor profile and target audience consists of government and defense agencies, besides private agencies.

Technologies on display: Digital surveillance, biometrics, CCTV and RFID are some categories of the technologies which are showcased here.

2. IFSEC India (Brochures: 2013 - http://www.ifsecindia.com/uploads/IFSEC%20INDIA%20brochure%202013.pdf; 2014 - http://www.ubmindia.in/ifsec_india/uploads/IFSEC_INDIA_Brochure_CS5_new_low.pdf.)

IFSEC India, an extension of IFSEC UK, the 'worlds largest security exhibition', proclaims to be South Asia's largest security exhibition with 15,000 participants in its latest edition, including a special segment on surveillance. It has been held in either Bombay or Delhi since 2007.

Exhibitors: Honeywell; Infinova; Radar Vision; QNAP; Ensign; Winposee; Bosch; Comguard; Verint; ACSG; Ensign etc.

Visitors: Visitors include government agencies such as the Central Industrial Security Force, Border Security Force, Department of Internal Security, Railway Protection Force and the Department of Border Management.

Technologies on display: RFID, Video Surveillance, Surveillance Drones, IP Surveillance, Digital Surveillance and Monitoring were some of the categories of technologies on display.

3. India International Security Expo (Brochures: 2014 - http://www.indiasecurityexpo.com/images/e_brochure.pdf)

Held in New Delhi since 1996, and organized by the Ministry of Home Affairs, the expo is described as "India's largest show case of goods and services related to Homeland Security, Fire Safety, Traffic Management, Industrial Safety and Public Safety, Hospitality and Reality Security." With specific reference to the changing 'modus operandi of crime by using technology', the Expo focuses on using surveillance technologies for law enforcement purposes.

Exhibitors: Intellivision (USA); Intex (India); ESC Baz (Israel); Sparsh Securitech; Source Security (USA); Intellivision (USA); Interchain Solutions; ESSI; Kritikal; Matrix; Pace Solutions etc.

Visitors: According to the show's brochure, visitors include Central & State Police Organisations, Paramilitary Forces, Policy-makers from the Government, Industrial Establishments, Security Departments of Educational, Retail, Hospitality, Realty & other sectors, Colonisers, Builders, RWAs, System Integrators Large business houses and PSU's.

Technologies on display: Access control systems, surveillance devices, RFID, traffic surveillance and GPS Tracking.

4. Secure Cities Expo (Brochures: 2013 - http://securecitiesindia.com/Secure_Cities_2013_Brochure.pdf; 2014 - http://securecitiesindia.com/images/2014/SC_2014_Brochure.pdf.)

Secure Cities Expo has been organized since 2008, on the platform of providing homeland security solutions and technologies to government and private sector participants.

Exhibitors: Dell; Palo Alto Networks; Motorola; Konnet; Vian Technologies; Quick Heal; Intergraph, GMR, Tac Technologies, Steria, Teleste, Elcom, Indian Eye Security; Mirasys; CBC Group; Verint (USA); IBM (USA); Digitals; EyeWatch; Kanoe; NEC (Japan); ACSG Corporate; ESRI (USA), etc.

Visitors: Visitors include government and law enforcement agencies including the Ministry of Home Affairs as well as systems integrators and private firms including telecom firms.

Technologies on display: CCTV, Biometrics, Covert Tracking and Surveillance Software, Communication Interception, Location and Tracking systems, and IT Security.

5. Defexpo India (Brochures: No publically available brochures)

By far India's largest security exposition, the Ministry of Defense has organized Defexpo India since 1999, showcasing defense, border, and homeland security systems from technology providers internationally.

Exhibitors: Aurora Integrated; Airbus Defence (France); Boeing (USA); Hacking Team (Italy); Kommlabs (Germany); Smoothwall; Atlas Electronik; Cyint; Audiotel International; Cobham; Tas-Agt; Verint; Elsira (Elbit) (Israel); IdeaForge; Comint; Controp; Northrop Gruman; Raytheon; C-DoT; HGH Infrared (Israel); Okham Solutions (France); Septier (Israel); Speech Technology Centre (Russia); Aerovironment (USA); Textron; Sagem (France); Amesys (France); Exelis; ITP Novex (Israel), etc.

Visitors: The latest edition of the Expo saw participation from governmental delegations from 58 countries, besides Indian governmental and law enforcement authorities.

Technologies on display: The entire spectrum of surveillance and homeland security devices is on display at Defexpo, from Infrared Video to Mass Data Interception.

6. Convergence India Expo (Brochures: 2012 - http://convergenceindia.org/download/CI2012-PSR.pdf; 2014 -http://www.convergenceindia.org/pdf/CI-2014-Brochure.pdf; 2015 - http://www.convergenceindia.org/pdf/brochure-2015.pdf.)

Convergence India, being held in New Delhi since 1991, is a platform for interaction between Information and Communication Technology providers and purchasers in the market. In recent years, the expo has catered to the niche market for IT surveillance.

Exhibitors: ELT (UK); Comguard; Fastech; Synway (China); Saltriver; Anritsu (Japan); Cdot; Fastech; Rahul Commerce; Deviser Electronics; RVG Diginet; Blue Coat (USA); Cyberoam (USA); ZTE (China); Net Optics (USA); Controp; Comint etc.

Visitors: Visitors include Paramilitary Forces, Cable Operators, Government Ministries and PSU's and Telecom and Internet Service Providers.

Technologies on Display: Biometrics, Content Filtering, Data Mining, Digital Forensics, IP-Surveillance, Embedded Softwares, Network Surveillance and Satellite Monitoring were some of the technologies on display.

7. International Police Expo (Brochures: 2014 - http://www.nexgengroup.in/exhibition/internationalpoliceexpo/download/International_Police_Expo_2014.pdf.)

The International Police Expo held in New Delhi focuses on providing technologies to police forces across India, with specific focus on IT security and communications security.

Exhibitors: 3G Wireless Communications Pvt Ltd; Motorola Solutions; Cyint; Matrix Comsec; Cellebrite; Hayagriva; MKU; CP Plus etc.

Visitors: Visitors include State Police, Procurement Department, CISF, CRPF, RAF, BSF, Customs, GRPF, NDRF, Special Frontier Force, Para Commandos, Special Action Group, COBRA and PSU's and educational institutes, stadiums and municipal corporations, among others.

Technologies on display: Technologies include RFID and surveillance for Internal Security and Policing, CCTV and Monitoring, Vehicle Identification Systems, GPS, Surveillance for communications and IT, Biometrics and Network surveillance.

8. Electronics For You Expo (EFY Expo) ( 2014 - http://2013.efyexpo.com/wp-content/uploads/2014/03/efy_PDFisation.pdf; 2015 - http://india.efyexpo.com//wp-content/uploads/2014/03/5th%20EFY%20Expo%20India_Brochure.pdf.)

EFY Expo is a electronics expo which showcases technologies across the spectrum of electronics industry. It has been held since 2010, in New Delhi, and is partnered by the Ministry of Communications and IT and the Ministry of Electronics and IT.

Exhibitors: Vantage Security; A2z Securetronix; Avancar Security; Digitals security; Securizen Systems; Vision Security; Mangal Security Systems, etc.

Visitors: The visitors include Government Agencies and ministries as well as systems integrators and telecom and IT providers.

Technologies on display: Identification and Tracking Products and Digital Security Systems are a specific category of the technologies on display.

9. Indesec Expo (Brochures: 2009 - http://www.ontaero.org/Storage/14/897_INDESEC_Oct11-13_2009.pdf. )

An exhibition focused on homeland security, and sponsored by the Ministry of Home Affairs, the expo has been held since 2008 in New Delhi, which includes a specific category for cyber security and counter terrorism.

Exhibitors: Rohde and Schwarz; Salvation Data; AxxonSoft; KritiKal; Shyam Networks; Teledyne Dalsa; Honeywell; General Dynamics; Northrop Grumman; Interchain Solutions, etc.

Visitors: Visitors include officials of the central government, central police and paramilitary forces, Ministry of Defence, central government departments, institutes and colleges, state government and police and ports and shipping companies.

10. Next Generation Cyber Threats Expo

Held since 2012 in New Delhi and Mumbai, the Next Generation Cyber Threats Expo focuses on securing cyber infrastructure and networks in India.

Exhibitors: Ixia, CheckPoint, etc.

Visitors: Visitors include Strategic Planning Specialists, Policy Makers and Law Enforcement among others.

11. SmartCards/RFID/e-Security/Biometrics expo (Brochures: 2013 - http://cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013 ; 2015 - http://www.smartcardsexpo.com/pdf/SmartCards_Expo_2015_Brochure_$.pdf)

These expos are organized by Electronics Today in Delhi or Mumbai since 1999 and supported by the Ministries of Commerce, Home Affairs and External Affairs. They showcase various identification solutions, attended by hundreds of domestic and international exhibitors.

Visitors: Target audiences include central and local level law enforcement and government organizations, Colleges and Universities, and defense forces.

12. Com-IT Expo (Brochure: 2014 - http://www.comitexpo.in/doc/Brochure.pdf)

This expo has been organized by the Trade Association of Information and Technology in Mumbai since 2008, and focuses on software and hardware Information Technology, with specific focus on IT security and surveillance.

Visitors: Visitors include Government Agencies, Airport Authorities, Police and Law Enforcement, Urban Planners, etc.

Technologies Displayed: CCTV's, Surveillance Devices and IP Cameras, etc.

13. GeoIntelligence India (Brochures: 2013 - http://www.geointelligenceindia.org/2013/Geointelligence%20India%20Brochure.pdf; 2014 - http://geointworld.net/Documents/GeoInt_Brochure_2014.pdf.)

It is an exposition held in New Delhi since 2014, organized by Geospatial Media and Communications Pvt Ltd, and is 'dedicated to showcasing the highest levels of information exchange and networking within the Asian defense and security sector.'

Exhibitors: ESRI (USA); BAE Systems (UK); Leica (Switzerland); Helyx (UK); Digital Globe; Intergraph; Trimble (USA); RSI Softech; Silent Falcon etc.

Visitors: Visitors included the Director General of Information Systems, CRPF, Manipur, Delhi, Haryana and Nagaland Police, CBI, ITBP, NSDI, SSB, National Investigation Agency, Signals Intelligence Directorate among others.

Surveillance Wares in India - The Surveillance Exhibits and what they tell us about the Indian Surveillance Industry

An analysis of the above companies and their wares give us some insight into what is being bought and sold in the surveillance industry, and by whom. Broadly, the surveillance technologies can be grouped in the following categories:

Video Surveillance and Analysis

IP Video Surveillance and CCTV are quickly becoming the norm in public spaces. Emerging video surveillance tools allow for greater networking of cameras, greater fields of vision, cheaper access and come with a host of tools such as facial recognition and tracking as well as vehicle tracking. For example, IBM has developed an IP Video Analytics system which couples monitoring with facial recognition.[8] USA's Intellivision also offers analytics systems which enable licence plate tracking, facial recognition and object recognition.[9] HGH Infrared's Spynel system allows infrared wide-area surveillance,[10] and CBC's GANZ allows long-range, hi-resolution surveillance. [11]

Video surveillance is gradually infiltrating public spaces in most major cities, with Governments promoting large-scale video surveillance schemes for security, with no legal sanctions or safeguards for protecting privacy.

Companies showcasing Video Surveillance: 3G Wireless Communications Pvt Ltd, Motorola Solutions (USA), Bosch, CP Plus, Ivis, Aditya Infotech, Micro technologies, Core Tech (Denmark), Merit Lilin , Schneider Electric, Shyam Systems, Dalsa, Honeywell, Teleste, Mirasys, CBC Group, Infinova, Radar Vision, QNAP, Ensign, Winposee, Bosch, Hik Vision (China), Alhua, Axis Communications, Vivotech (Taiwan), Endroid (USA), Vantge (UK), Pelco (France), Advik, Hi Focus (UK), ESMS, Keeper (China), Neoteric, Vizor, Verint (USA), IBM (USA), Digitals Security, Intellivision (USA), Intex, Esc Baz (Israel), Sparsh Securitech, A2zsecuretronix, Avancar Security, Securizen Systems, Vision Security, HGH Infrared (Israel).

RFID/Smart Cards/Biometric Identification

India has begun the implementation of the Unique Identification Programme for its 1.2 billion strong population, combining a host of identification technologies to provide a unique identification number and Aadhar Card - promoted as an all-purpose ID. However, this remains without legislative sanction, and continues in the face of severe privacy concerns. Such centralized, accessible databases of ostensibly private information present a grave threat to privacy. RFID, Smart Cards and Biometric Identification technologies (like the Aadhar) all make individual monitoring and surveillance significantly easier by enabling tracking of individual movements, consumer habits, attendance, etc.

Companies showcasing Identification Technologies:

AxxonSoft, Matrix Comsec, Ensign, Hi focus, Intellivision (USA), Interchain solutions, Inttelix, Kanoe, NEC (Japan), Pace, Realtime, Secugen, Source Security (USA), Spectra, Speech technology centre (Russia), BioEnable Technologies.

(For a more detailed list, see the Smart Cards Expo Brochures, linked above)

Mass Data Gathering, Monitoring and Analysis

The age of Big Data has led to big surveillance. Information and communication technologies now host significant amounts of individual data, and the surveillance industry makes all of this data accessible to a surveyor. Government mandated surveillance means any and all forms of communication and data monitoring are being implemented in India - there are network taps on telephony and deep packet inspection on internet lines, which makes telephone calls, SMS, VoIP, Internet searches and browsing and email all vulnerable to surveillance, constantly monitored through systems like the Central Monitoring System. Moreover, centralized information stores enable data mining - extracting and extrapolating data to enable better surveillance, which is what India's NATGRID aims to do.

Hacking Team Italy, Blue Coat USA and Amesys France, three of the five companies identified as 'enemies of the internet' for enabling dictatorships to use surveillance to quell dissent and violate human rights,[12] have all presented surveillance solutions at Defexpo India. Cyberoam USA and ZTE China also market Deep Packet Inspection technology,[13] while ESRI's Big Data suite allows analysis through mass surveillance and analysis of social media and publically available sources. [14]

Indian companies showcasing mass data monitoring technologies include Cyint, Fastech DPI tools,[15] Kommlabs VerbaProbe packet switching probes,[16] and ACSG's OSINT, which allows Big Data social media surveillance and Call Data Record analysis.[17]

Companies showcasing Data Gathering and Monitoring technologies:

Cobham, Comguard, Cyint, ELT (UK), Fastech, Hacking Team (Italy), Smoothwall (USA), Verint Systems (USA), Cyint technologies, Atlas Electronik (Germany), Audiotel International (UK), Avancar, Cobham (UK), ELT (UK), Eyewatch, Kommlabs, Mangal Security Systems, Merit Lilin (Taiwan), Ockham Solutions (France), Septier (Israel), Synway (China), ACSG Corporate, Amesys (France), Anritsu (Japan), Axis (Sweden), BAE Systems (UK), Blue Coat (USA), C-dot, Comint, Cyberoam (USA), Deviser Electronics, Elsira (Elbit) (Israel), Esri (USA), Exelis, General Dynamics (USA), Helyx (UK), ITP Novex (Israel), Leica (Switzerland), Net Optics (Ixia) (USA), Northrop Gruman (USA), Rahul Commerce, Rohde And Schwarz (Germany), RVG Diginet, Tas-Agt, Trueposition (USA), Zte Technologies (China).

Cell-Phone Location Tracking and Vehicle Monitoring

A number of technologies enable location tracking through vehicle GPS, GLONASS or other location technologies. RFID or optical character recognition further enables Automatic Number Plate Recognition, which can be exploited to enable vehicle surveillance to track individual movements. Embedded hardware and software on mobile phones also allows constant transmission of location data, which is exploited by surveillance agencies to track individual movements and location.

Companies showcasing Cell-Phone Location Tracking technologies: Verint, Eyewatch, Septier (Israel), True Position (USA),

Companies showcasing Vehicle Monitoring technologies: Hi-techpoint technologies pvt ltd, Axxonsoft, Essi, Fareye, Intellivision (USA), Interchain Solutions, ITP Novex (Israel), Kaneo, Kritikal, NEC (Japan), Saltriver Infosystems, Vision Security Systems.

Air/Ground Drones and Satellite Surveillance

The use of unmanned drones for security purposes is being adopted for law enforcement and surveillance purposes across the world, and India is no exception, using UAV's for surveillance in insurgency-hit areas,[18] amongst other uses, while still having no regulations for their use.[19] Drones, both aerial and ground level, are capable of large-scale territorial surveillance, often equipped with high-technology video surveillance that allows for efficient monitoring at the ground level.

Digital Globe offers satellite reconnaissance surveillance coupled with Big Data analysis for predictive monitoring. [20] Controp offers cameras specifically for aerial surveillance, while Sagem's Patroller Drone and Sperwer, and Silent Falcon's Solar Powered surveillance drone are Unmanned Aerial Vehicles (UAV's) for aerial video surveillance. Auruora Integrated, [21] and IdeaForge are Indian companies which have developed UAV surveillance drones in collaboration with Indian agencies.[22]

Companies showcasing Drone Surveillance: Aurora Integrated, Controp (Israel), Aerovironment (USA), Digital Globe (USA), ESRI (USA), Intergraph (USA), RSI Softech, Sagem (France), Silent Falcon (UAS), Textron (USA), Trimble (USA), Northrop Grumman (USA).



[1] Wikileaks, The Spy Files, available at https://www.wikileaks.org/the-spyfiles.html.

[2] Lawrence Lessig, Code V 2.0.

[3] For more information on the licensing regime, see 'Data Retention in India', available at http://cis-india.org/internet-governance/blog/data-retention-in-india.

[4] Rule 13, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[5] Section 5, Indian Telegraph Act, 1885.

[6] See, for example, the Bangalore Traffic Police CCTV Scheme, http://www.bangaloretrafficpolice.gov.in/index.php?option=com_content&view=article&id=66&btp=66 ; the surveillance scheme supported by the MPLAD Scheme, http://mplads.nic.in/circular08112012.pdf; Mumbai's proposed video surveillance scheme, http://www.business-standard.com/article/companies/wipro-tata-ibm-reliance-among-31-bids-for-cctv-scheme-in-mumbai-112112600160_1.html.

[7] Information on the Forum is available at http://gdsf-india.com/Global-Digital-Surveillance-Forum1/images/GDSF-Bengaluru-Conference-program.pdf.

[8] http://www-01.ibm.com/support/knowledgecenter/SS88XH_1.6.0/iva/int_i2frs_intro.dita

[9] http://www.intelli-vision.com/products/recognition-suite

[10] http://www.hgh-infrared.com/Products/Optronics-for-security

[11] http://www.ifsecglobal.com/cbc-high-end-surveillance-tech-on-display-at-ifsec-india/

[12] http://surveillance.rsf.org/en/category/corporate-enemies/

[13] http://www.cyberoam.com/firewall.html

[14] http://www.esri.com/products/arcgis-capabilities/big-data

[15] http://www.fastech-india.com/packetBrokers.html

[16] http://www.kommlabs.com/products-verbaprobe.asp

[17] http://www.acsgcorporate.com/osint-software.html

[18] http://timesofindia.indiatimes.com/india/UAV-proves-ineffective-in-anti-Maoist-operations/articleshow/20400544.cms

[19] http://dronecenter.bard.edu/drones-in-india/

[20] https://www.digitalglobe.com/products/analytic-services

[21] http://www.aurora-is.com/

[22] http://www.ideaforge.co.in/home/

Peng Hwa's Trip Report

by Prasad Krishna last modified Mar 08, 2015 03:14 PM
Peng Hwa had visited CIS and he has written a trip report.

PDF document icon Report to Sunil.pdf — PDF document, 100 kB (103017 bytes)

A Selection of Tweets on How to Make Crowdmaps Effectual for Mapping Violence against Women

by Rohini Lakshané last modified Mar 12, 2015 12:42 AM
This is a collection of tweets by Rohini Lakshane on making crowdmaps more effective for mapping gender violence. The compilation of tweets has been republished by GenderIT.org.


For more see the original published on the website of Gender IT.org on February 19, 2015.

DIDP Request #6: Revenues from gTLD auctions

by Geetha Hariharan last modified Mar 10, 2015 10:59 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding revenues received from gTLD auctions. CIS' request and ICANN's response are detailed below.

 

CIS Request

12 January 2015

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Sub: Revenues from gTLD auctions

It is our understanding that an auction for a Generic Top Level Domain (gTLD) is used as a last-resort mechanism in order to resolve string contention, i.e., when there are groups of applications for same or confusingly similar new gTLDs. As of now, the ICANN website only furnishes information of the winning applicant and the winning price, as regards each new gTLD auction.[1] We have observed that information regarding the bids from all other applicants is not available. The revenue information provided to us[2] does not include revenues from new gTLDs.

In this regard, we request you to provide us with the following information:

(i)    How many gTLDs have been sold via the auction process, since its inception?

(ii)   What were the starting and winning bids in the ICANN auctions conducted?

(iii) What revenue has ICANN received from the gTLD auctions, since the first ICANN auction was conducted? Please also provide information about the winner (name, corporate information provided to/ available with ICANN).

(iv) How are proceeds from the gTLD auction process utilized?

We believe that this information will give us a framework for understanding the gTLD auction process within ICANN. Furthermore, it will assist us in understanding the manner and purpose for which the proceeds from the auctioning process are utilized, in the broader structure of ICANN transparency and accountability.

We hope that our request will be processed within the stipulated time period of 30 days. Do let us know if you require any clarifications on our queries.

Warm regards,

Lakshmi Venkataraman,

IV Year, NALSAR University of Law, Hyderabad,

for Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN's response to the above query is positive. ICANN states that all information surrounding the auctions is available on the New gTLDs microsite, and on the Auctions page: http://newgtlds.icann.org/en/applicants/auctions. The current status of auction proceeds and costs are available at http://newgtlds.icann.org/en/applicants/auctions/proceeds, and auction results are at https://gtldresult.icann.org/application-result/applicationstatus/auctionresults. The utilization of proceeds from the auctions is yet to be decided by the ICANN Board: “[auction] proceeds will be reserved and earmarked until the Board determines a plan for the appropriate use of the funds through consultation with the community. Auction proceeds are net of any Auction costs. Auction costs may include initial set-up costs, auction management fees, and escrow fees.”

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 6).


[1] See Auction Results, https://gtldresult.icann.org/application-result/applicationstatus/auctionresults.

[2] See ICANN reveals hitherto undisclosed details of domain names revenues, http://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014.

DIDP Request #7: Globalisation Advisory Groups

by Geetha Hariharan last modified Mar 17, 2015 10:07 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking information regarding the creation and dissolution of the President's Globalisation Advisory Groups. The GAGs were created to advise the ICANN Board on its globalisation efforts, and to address questions on Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance. CIS' request and ICANN's response are detailed below.

CIS Request

12 January 2015

To:
Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Ms. Theresa Swineheart, Senior Advisor to the President on Strategy

Mr. Samiran Gupta, ICANN India

Sub: Creation and dissolution of the President’s Globalisation Advisory Groups

On 17 February 2014, at a Special Meeting of the ICANN Board, the Board passed a resolution creating the President’s Globalisation Advisory Groups.1 Six Globalisation Advisory Groups were created, including on IANA globalization, legal structures, Internet governance, the Affirmation of Commitments, policy structures and the root server system.2 According to the minutes of the meeting, the Advisory Groups were to meet with the community at ICANN49 (Singapore, March 2014), make recommendations to the Board, and the Board would present their reports at ICANN50 (London, June 2014).3 Mr. Chehade was vested with the authority to change the Advisory Groups and their composition without the need for a further resolution, but the manner of dissolution was not laid out.

ICANN lists the Advisory Groups on its “Past Groups” page, with no further information.4 Presumably, the Groups remained in existence for at most one month. No explanation is provided for the reasons regarding the dissolution of all the Advisory Groups. There are no reports or transcripts of meetings with the community at ICANN49 or recommendations to Mr. Chehade or the Board.

The Globalisation Advisory Groups covered issues crucial for ICANN and the global Internet governance community, including its seat (“Legal Structures”), the Affirmation of Commitments (considered critical for ICANN’s accountability), the IANA stewardship transition, and ICANN’s (increasing) involvement in Internet governance. Given this, we request the following information:

  • Of the six Globalisation Advisory Groups created, is any Group active as of today (12 January 2015)?
  • When and how many times did any of the Groups meet?
  • On what date were the Groups dissolved? Were all Groups dissolved on the same date?
  • By what mechanism did the dissolution take place (oral statement, email)? If the dissolution occurred by way of email or statement, please provide a copy of the same.
  • Did any of the six Globalisation Advisory Groups present any report, advice, or recommendations to Mr. Chehade or any member(s) of the Board, prior to their dissolution? If yes, please provide the report/recommendations (if available) and/or information regarding the same.
  • Why were the Advisory Groups dissolved? Has any reason been recorded, and if not, please provide an explanation.
We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.
Thank you very much.

Warm regards,
Geetha Hariharan
Centre for Internet & Society

 

ICANN Response

ICANN's response to this request is positive. ICANN states that the Board did indeed set up the six Globalisation Advisory Groups (GAGs) on 17 February 2014 to tackle issues surrounding ICANN's globalisation efforts. The Affirmation of Commitments (AOC), policy structures, legal structure, root server system, the IANA multistakeholder accountability, and Internet governance were issues taken up by the GAGs. However, after the NTIA made its announcement regarding the IANA transition in March 2014, the GAGs were disbanded so as to avoid duplication of work on issues that "had a home in the global multistakeholder discussions". As a result, by a Board resolution dated 27 March 2014, the GAGs were dissolved.

This is an example of a good response to an information request. Some documentation regarding the creation and dissolution of the GAGs existed, such as the Board resolutions. The response points us to these documents, and summarises the reasons for the GAGs' creation and dissolution.

It is possible that this response is clear/comprehensive because the GAGs no longer exist, and in any event, did not perform any work worth writing about. Queries about ICANN's involvement in Internet governance (NETmundial, the NETmundial Initiative, etc.) garner responses that are, to say it informally, cage-y and surrounded by legalese.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 7).


[1] See Approved Board Resolutions | Special Meeting of the Board, https://www.icann.org/resources/board-material/resolutions-2014-02-17-en.

[2] See President’s Globalisation Advisory Groups, https://www.icann.org/en/system/files/files/globalization-19feb14-en.pdf.

[3] See Minutes | Special Meeting of the Board, https://www.icann.org/resources/board- material/minutes-2014-02-17-en.

[4] See Past Committees, Task Forces, and Other Groups, https://www.icann.org/resources/pages/past-2012-02-25-en.

Indian Law and the Necessary Proportionate Principles

by Elonnai Hickok last modified Mar 14, 2015 02:15 AM

PDF document icon 2.e GSMA Presentation.pdf — PDF document, 431 kB (441778 bytes)

GSMA Research Outputs

by Elonnai Hickok last modified Apr 06, 2015 02:18 PM
This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome.

Indian Law and the Necessary Proportionate Principles

The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further dwelves into the establishment and structure of Indian intelligence agencies and whom they report to, the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and request to CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom licenses requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.

Click to download the PDF

Security, Surveillance and Data Sharing Schemes and Bodies in India

Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.

Click to download the PDF

Export and Import of Security Technologies in India: QA

The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.

Click to download the PDF

Regulation of CCTV’s in India

In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.

Click to download the PDF

Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India

It is unclear the exact process that intelligence agencies in India share information with other agencies internationally. India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training is designated as the National Central Bureau of India.

Click to download the PDF

Composition of Service Providers in India

Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and wimax subscribers. India’s overall wireless teledensity was quoted as having 893.31million subscribers, with a 0.79% (7.02 million) monthly addition.

Click to download the PDF

The Surveillance and Security Industry in India - An Analysis of Indian Security Expos

The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.

Click to download the PDF

An Analysis of News Items and Cases on Surveillance and Digital Evidence in India

In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.

Click to download the PDF

Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles

The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.

Click to download the PDF

The Surveillance Industry in India

India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.

Click to download the PDF

State of Cyber Security and Surveillance in India: A Review of the Legal Landscape


The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.

Click to download the PDF

Composition of Service Providers in India

by Lovisha Aggarwal — last modified Mar 14, 2015 02:48 AM

PDF document icon 7.g The Composition of Service Providers in India.pdf — PDF document, 409 kB (418942 bytes)

The Surveillance Industry in India

by Maria Xynou last modified Mar 14, 2015 03:20 AM

PDF document icon 1.d The Surveillance Industry in India.pdf — PDF document, 680 kB (696666 bytes)

DIDP Request #8: ICANN Organogram

by Geetha Hariharan last modified Mar 17, 2015 11:39 AM
CIS sent ICANN a request under its Documentary Information Disclosure Policy, seeking details of its oragnisational structure and headcount of all staff. CIS' request and ICANN's response are detailed below.

 

CIS Request

13 January 2015

To:

Mr. Steve Crocker, Chairman of the Board

Mr. Fadi Chehade, President and CEO

Mr. Samiran Gupta, ICANN India

Sub: ICANN organogram

In order to understand ICANN’s organizational structure, decision-making and day-to-day functioning, may we request an organogram of ICANN. We request that the organogram include ICANN’s reporting hierarchy, mentioning positions held in all departments. Wherever possible (such as middle and senior management), we request names of the ICANN staff holding the positions as well. Along with this, could you also provide a count per department of the number of ICANN staff employed in all departments as of this date?

We await your favorable response and the requested information within the prescribed time limit. Please do not hesitate to contact us should you require any clarifications.

Thank you very much.

Warm regards,

Geetha Hariharan

Centre for Internet & Society

W: http://cis-india.org

 

ICANN Response

ICANN does not provide all the information we requested, but it responded with the following:

First, ICANN has responded that its current staff headcount is approx. 310. ICANN states that it already makes publicly available an organisational chart. This is immensely useful, for it sets out the reporting hierarchies at senior and mid-managerial levels. However, it doesn't tell us the organisational structure categorised by all departments and staff in the said departments. The webpages of some of ICANN's departments list out some of its staff; for instance, Contractual Compliance, Global Stakeholder Engagement and Policy Development (scroll down).

What you will notice is that ICANN provides us a list of staff, but we cannot be sure whether the team includes more persons than those mentioned. Second, a quick glance at the Policy Development staff makes clear that ICANN selects from outside this pool to coordinate the policy development. For instance, the IANA Stewardship Transition (the CWG-IANA) is supported by Ms. Grace Abuhamad, who is not a member of the policy support staff, but coordinates the IANA mailing list and F2F meetings anyway. What this means is that we're no longer certain who within ICANN is involved in policy development and support, whom they report to, and where the Chinese walls lie. This is why an organogram is necessary: the policy-making and implementation functions in ICANN may be closely linked because of staff interaction, and effective Chinese walls would benefit from public scrutiny.

Now, ICANN says that one may explore staff profiles on the Staff page. While short biographies/profiles are available for most staff on the Staff page, it's unclear what departments they work in, how many staff members work each in department, whom they report to, and what the broad range of their responsibilities include.

Privacy concerns do not preclude the disclosure of such information for two reasons. First, staff profiles imply a consent to making staff information public (at least their place in the organisational structure, if not their salaries, addresses, phone extension numbers, etc.). Second, such information is necessary and helpful to scrutinise the effectiveness of ICANN's functioning. Like the example of the policy-making process mentioned above, greater transparency in internal functioning will itself serve as a check against hazards like partisanism, public comment aggregation, drafting of charters for policy-making and determining scope, etc. While the functioning itself may or need not change, scrutiny can ensure responsibility from ICANN and its staff.

ICANN's response to our DIDP request may be found here. A short summary of our request and ICANN's response may be found in this table (Request S. no. 8).

No more 66A!

by Geetha Hariharan last modified Mar 26, 2015 02:01 AM
In a landmark decision, the Supreme Court has struck down Section 66A. Today was a great day for freedom of speech on the Internet! When Section 66A was in operation, if you made a statement that led to offence, you could be prosecuted. We are an offence-friendly nation, judging by media reports in the last year. It was a year of book-bans, website blocking and takedown requests. Facebook’s Transparency Report showed that next to the US, India made the most requests for information about user accounts. A complaint under Section 66A would be a ground for such requests.

Section 66A hung like a sword in the middle: Shaheen Dhada was arrested in Maharashtra for observing that Bal Thackeray’s funeral shut down the city, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested for making posts about Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram’s son. The law was vague and so widely worded that it was prone to misuse, and was in fact being misused.

Today, the Supreme Court struck down Section 66A in its judgment on a set of petitions heard together last year and earlier this year. Stating that the law is vague, the bench comprising Chelameshwar and Nariman, JJ. held that while restrictions on free speech are constitutional insofar as they are in line with Article 19(2) of the Constitution. Section 66A, they held, does not meet this test: The central protection of free speech is the freedom to make statements that “offend, shock or disturb”, and Section 66A is an unconstitutional curtailment of these freedoms. To cross the threshold of constitutional limitation, the impugned speech must be of such a nature that it incites violence or is an exhortation to violence. Section 66A, by being extremely vague and broad, does not meet this threshold. These are, of course, drawn from news reports of the judgment; the judgment is not available yet.

Reports also say that Section 79(3)(b) has been read down. Previously, any private individual or entity, and the government and its departments could request intermediaries to take down a website, without a court order. If the intermediaries did not comply, they would lose immunity under Section 79. The Supreme Court judgment states that both in Rule 3(4) of the Intermediaries Guidelines and in Section 79(3)(b), the "actual knowledge of the court order or government notification" is necessary before website takedowns can be effected. In effect, this mean that intermediaries need not act upon private notices under Section 79, while they can act upon them if they choose. This stops intermediaries from standing judge over what constitutes an unlawful act. If they choose not to take down content after receiving a private notice, they will not lose immunity under Section 79.

Section 69A, the website blocking procedure, has been left intact by the Court, despite infirmities such as a lack of judicial review and non-transparent operation. More updates when the judgment is made available.

Internet censorship will continue in opaque fashion

by Sunil Abraham last modified Mar 26, 2015 02:07 AM
A division bench of the Supreme Court has ruled on three sections of the Information Technology Act 2000 - Section 66A, Section 79 and Section 69A. The draconian Section 66A was originally meant to tackle spam and cyber-stalking but was used by the powerful elite to crack down on online dissent and criticism.

The article by Sunil Abraham was published in the Times of India on March 25, 2015.


Section 79 was meant to give immunity to internet intermediaries for liability emerging from third-party speech, but it had a chilling effect on free speech because intermediaries erred on the side of caution when it came to deciding whether the content was legal or illegal.

And Section 69A was the web blocking or internet censorship provision, but the procedure prescribed did not adhere to the principles of natural justice and transparency. For instance, when books are banned by courts, the public is informed of such bans but when websites are banned in India, there's no clear message from the Internet Service Provider.

The Supreme Court upheld 69A, so web blocking and internet censorship in India will continue to happen in an opaque fashion which is worrying. But on 66A and 79, the landmark judgment protects the right to free speech and expression. It struck down 66A in entirety, saying the vague and imprecise language made the provision unconstitutional and it interfered with "the right of the people to know - the market place of ideas - which the internet provides to persons of all kinds". However, it only read down Section 79 saying "unlawful acts beyond what is laid down" as reasonable restrictions to the right to free speech in the Constitution "obviously cannot form any part" of the section. In short, the court has eliminated any additional restrictions for speech online even though it admitted that the internet is "intelligibly different" from traditional media and might require additional laws to be passed by the Indian Parliament."

Historic day for freedom of speech and expression in India

by Vidushi Marda last modified Mar 26, 2015 02:19 AM
In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.

The article by Vidushi Marda was published in Bangalore Mirror on March 25, 2015.


Hearing a batch of writ petitions, the bench comprising Justices Rohinton F Nariman and J Chelameswar considered the constitutionality of three provisions of the Information Technology Act, 2000. The provisions under consideration were Section 66A, dealing with punishment of sending offensive messages through communication services, Section 69A which discusses website blocking and Section 79, dealing with intermediary liability.

The intent behind Section 66A was originally to regulate spam and cyber stalking, but in the last seven years not a single spammer has been imprisoned.

Instead, innocent academics have been arrested for circulating caricatures. The Court struck down the section in its entirety, declaring it unconstitutional.

It held that the language of the section was "nebulous" and "imprecise" and did not satisfy reasonable restrictions under A. 19(2) of the Constitution of India.

Section 79 was meant to result in the blossoming of free speech since it stated that intermediaries will not be held liable for content created by their users unless they refused to act on take-down notices. Unfortunately, intermediaries were unable to decide whether content was legal or illegal, and when the Centre for Internet and Society in 2011 sent flawed take-down notices to seven prominent national and international intermediaries, they erred on the side of caution and over-complied, often deleting legitimate content. By insisting on a court order, the Supreme Court has eliminated the chilling effect of this Section.

Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.

The process through which such orders were developed and implemented was not within public scrutiny. When a film is banned, it becomes part of public discourse, but website blocking does not enjoy the same level of transparency. The person whose speech has been censored is not notified or given an opportunity to be heard as part of the executive process. Unfortunately, in dealing with Section 69A, the Court chose to leave it intact, stating that it is a "narrowly drawn provision with several safeguards."

On balance, this is a truly a landmark judgment as it is the first time since the 1960s that the Supreme Court has struck down any law in its entirety for a violation of free speech.

India's Supreme Court Axes Online Censorship Law, But Challenges Remain

by Subhashish Panigrahi last modified Mar 27, 2015 02:38 AM
The Supreme Court of India took a remarkable step to protect free expression on March 24, 2015, striking down controversial section 66A of the IT Act that criminalized “grossly offensive” content online. In response to a public interest litigation filed by Indian law student Shreya Singhal, the court made this landmark judgement calling the section “vague”, “broad” and “unconstitutional”. Since Tuesday's announcement, the news has trended nationally on Twitter, with more than 50,000 tweets bearing the hashtags #Sec66A and #66A.
India's Supreme Court Axes Online Censorship Law, But Challenges Remain

Cartoon by Manjul, shared widely on social media.

The blog entry by Subhashish Panigrahi was originally published by Global Voices Online on March 25, 2015. Pranesh Prakash is quoted.


Section 66A allowed police to arrest any person who sent online communications deemed “grossly offensive” or known to be false. This has enabled the government take down many websites with allegedly objectionable content. Among various cases since the law was updated in 2008, two people were arrested for making comments on Facebook regarding India's prime minister Narendra Modi and one man was arrested for commenting on public service closures following the death of political leader Bal Thakrey.

The now-defunct Section 66A reads as follows:

66-A. Punishment for sending offensive messages through communication service, etc.
—Any person who sends, by means of a computer
resource or a communication device,—
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or
recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Internet rights advocate and lawyer Pranesh Prakash, who works with the Center for Internet and Society in Bangalore, has been one of the law's most outspoken critics in recent years. Immediately following the ruling, he tweeted:

Tweet

Nikhil Pahwa, independent journalist and founder of the MeddiaNama blog, offered his take on the ruling:

This is a great decision for freedom of speech in India…66A is far too vague, and lends itself to arbitrary implementation by the police, especially phrases like “grossly offensive”, annoyance, inconvenience, ill will. Remember that even the right to offend is an integral part of free speech.

Journalist and author Sagarika Ghose sarcastically wondered if the government of India would retroactively offer recompense for all of the actions taken against citizens for violating 66A.

Sagarika

Some were playful in their response to the decision. Siddharth Sing set out to “test” the efficacy of the ruling with a tweet mocking prominent public figures in Indian politics:

Siddharth

Section 69, which provides authorities with the power to censor websites that “create communal disturbance, social disorder, or affect India's relationship with other countries” was upheld however. The Court has yet to clarify this decision. CIS India's Pranesh Prakash tweeted:

Unfortunately 69A (website blocking) has been upheld despite many issues, incl lack of transparency. Need to read full judgment to see why.

— Pranesh Prakash (@pranesh_prakash) March 24, 2015

Tuesday's decision comes after the government of India was heavily criticized in January 2015 for blocking 32 websites in the country.

What 66A Judgment Means For Free Speech Online

by Geetha Hariharan last modified Mar 27, 2015 04:50 PM
This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law.

Geetha Hariharan's article was originally published in the Huffington Post on March 26, 2015.


This week India's Supreme Court redefined the boundaries of freedom of speech on the internet. With the Court's decision in Shreya Singhal & Ors. v. Union of India, Section 66A of the Information Technology Act, 2000, has been struck down in entirety and is no longer good law. Through a structured, well-reasoned and heartening judgment, the court talks us through the nuances of free speech and valid restrictions. While previously, intermediaries were required to take down content upon suo moto determination of lawfulness, Section 79(3)(b) of the Act -- the intermediary liability provision -- has been read down to require actual knowledge of a court order or a government notification to take down content. Section 69A of the Act and its corresponding Rules, the provisions enabling the blocking of web content, have been left intact by the court, though infirmities persist.

The Supreme Court's decision comes at a critical moment for freedom of speech in India. In recent years, the freedom guaranteed under Article 19(1)(a) of the Constitution has suffered unmitigated misery: Wendy Doniger's The Hindus: An Alternative History was banned for hurting religious sentiments, publisher Orient Blackswan fearing legal action stayed its release of an academic work on sexual violence in Ahmedabad, the author Perumal Murugan faced harsh criticism for his novel One Part Woman and chose to slay his authorial identity.

"The Supreme Court's decision comes at a critical moment for freedom of speech in India. In recent years, the freedom guaranteed under Article 19(1)(a) of the Constitution has suffered unmitigated misery."

The tale of free speech on the Internet is similar. In response to takedown requests, intermediaries prefer to tread a safe path, taking down even legitimate content for fear of triggering penalties under Section 79 of the IT Act. The government has blocked websites in ways that transgress the bounds of 'reasonable restrictions' on speech. Section 66A alone has gathered astounding arrests and controversy. In 2012, Shaheen Dhada and her friend were arrested in Maharashtra for observing that Bal Thackeray's funeral shut down Mumbai, Devu Chodankar in Goa and Syed Waqar in Karnataka were arrested in 2014 for making posts about PM Narendra Modi, and a Puducherry man was arrested for criticizing P. Chidambaram's son. The misuse of Section 66A, and the inadequacy of other provisions of the IT Act, were well-documented.

Section 66A: No longer draconian

In a writ petition filed in 2012, the law student Shreya Singhal challenged the constitutionality of Section 66A on grounds, inter alia, of vagueness and its chilling effect. More petitions were filed challenging other provisions of the IT Act including Section 69A (website blocking) and Section 79 (intermediary liability), and these were heard jointly by justices Rohinton F. Nariman and G. Chelameshwar. Section 66A, implicating grave issues of freedom of speech on the internet, was at the centre of the challenge.

"It is difficult -impossible, in fact - to foresee or predict what speech is permitted or criminalised under Section 66A. As a result, there is a chilling effect on free speech online, resulting in self-censorship."

Section 66A makes it a criminal offence to send any online communication that is "grossly offensive" or "menacing", or false information sent for the purposes of causing "annoyance, inconvenience, insult, injury, obstruction, enmity, hatred, ill will", etc. These terms are not defined. Neither do they fall within one of the eight subjects for limitation under Article 19(2). It is difficult -impossible, in fact - to foresee or predict what speech is permitted or criminalised under Section 66A. As a result, there is a chilling effect on free speech online, resulting in self-censorship.

With yesterday's decision, the Supreme Court has struck down Section 66A on grounds of vagueness, excessive range and chilling effects on speech online. What is perhaps most uplifting is the court's affirmation of the value of free speech. In the midst of rising conservatism towards free speech, the Court reminds us that an "informed citizenry" and a "culture of open dialogue" are crucial to our democracy. Article 19(1)(a) shields us from "occasional tyrannies of governing majorities", and its restriction should be within Constitutional bounds enumerated in Article 19(2).

What speech is protected?

There are three types of speech, the court says: Discussion, advocacy and incitement. Discussion and advocacy are at the heart of Article 19(1)(a), and are unquestionably protected. But when speech amounts to incitement - that is, if it is expected to cause harm, danger or public disorder- it can be reasonably restricted for any of these reasons: public order, sovereignty and integrity of India, security of the State and friendly relations with foreign states.

" The Union of India argued that Section 66A is saved by the clauses "public order", "defamation", "incitement to an offence" and "decency, morality". But as the court finds that these are spurious grounds."

Section 66A, however, does not meet the legal standards for any of the limitation-clauses under Article 19(2), and so is unconstitutional. The Union of India argued that Section 66A is saved by the clauses "public order", "defamation", "incitement to an offence" and "decency, morality". But as the court finds that these are spurious grounds. For instance, Section 66A covers "all information" sent via the Internet, but does not make any reference (express or implied) to public order. Section 66A is not saved by incitement, either. The ingredients of "incitement" are that there must be a "clear tendency to disrupt public order", or an express or implied call to violence or disorder, and Section 66A is remarkably silent on these. By its vague and wide scope, Section 66A may apply to one-on-one online communication or to public posts, and so its applicability is uncertain. For these grounds, Section 66A has been struck down.

For freedom of speech on the internet, this is fantastic news! The unpredictability and threat of Section 66A has been lifted. Political commentary, criticism and dialogue are clearly protected under Article 19(1)(a). Of course, the government is still keen to regulate online speech, but the bounds within which it may do so have been reasserted and fortified.

Section 69A and website blocking

Section 69A empowers the government and its agencies to block websites on any of six grounds: "in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above". The blocking procedure is set out in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. It requires that a Committee for Examination of Request (CER) examines each blocking request, and gives the content-generator or host 48 hours to make a representation. The Secretary of the Department of Electronics and Information Technology then issues the blocking direction to the intermediary.

"[The court has] failed to consider the impact of Section 69A and its Rules. Our free speech rights as listeners are equally affected when legitimate websites containing information are blocked. Transparency, blockpage notifications and judicial review are essential to determine whether each blocking direction is valid."

Now, the Supreme Court decision has left Section 69A and its Rules intact, stating that it is a "narrowly drawn provision with several safeguards". However, the Court has overlooked some crucial details. For instance, no judicial review is available to test the validity of each blocking direction. Moreover, Rule 14 of the Blocking Rules requires that all blocking requests and directions are kept confidential. This means that neither the content-generator, nor the reader/listener or general public, will have any idea of how many blocking directions have been issued or why. There is no standard blockpage display in India, either, and this further aggravates the transparency problem.

Lamentably, the Supreme Court has not considered this. Though the court has recognised and upheld the rights of viewers, readers and listeners in its decision on Section 66A, it failed to consider the impact of Section 69A and its Rules on readers and listeners. Our free speech rights as listeners are equally affected when legitimate websites containing information are blocked. Transparency, blockpage notifications and judicial review are essential to determine whether each blocking direction is valid.

Section 79 and the intermediary as a judge

Section 79 provides a safe harbour for intermediaries: if they abide by the requirements of Section 79(2), they retain immunity. But under Section 79(3)(b), intermediaries can lose their immunity from prosecution if, after receiving a takedown notice, they do not take down content in three circumstances: (1) if they have actual knowledge that third-party information within their control is being used to commit an unlawful act (i.e., by suo moto deciding the lawfulness of content); (2) if a court order requires takedown of content; (3) if a government notification requires takedown. Rule 3(4) of the Intermediaries Guidelines Rules, 2011 has a similar provision.

"The Supreme Court has wisely put an end to private adjudication of lawfulness. Section 79(3)(b) and Rule 3(4) have been read down to mean that the intermediary must have actual knowledge of a court order or government notification."

This leads to a situation where a private intermediary is responsible for deciding what constitutes lawful content. Previous studies have shown that, when placed in such a position, intermediaries prefer overbroad blocking to escape liability. As readers, we can then only access uncontroversial content. But the freedom of speech includes, as the European Court of Human Rights emphasised in Otto-Preminger Institut, the freedom to "offend, shock and disturb".

In Shreya Singhal, the Supreme Court has wisely put an end to private adjudication of lawfulness. Section 79(3)(b) and Rule 3(4) have been read down to mean that the intermediary must have actual knowledge of a court order or government notification. Even if an intermediary chooses not to act in response to a private takedown notice, it will retain its immunity under Section 79.

With Shreya Singhal, India has reaffirmed its protections for freedom of speech on the internet. One may now freely speak online without fear of illegitimate and unconstitutional prosecution. However, a re-examination of the blocking procedure, with its infirmities and direct impact on speech diversity, is essential. But today, we celebrate!

Big win for freedom of speech. Really?

by Sunil Abraham last modified Mar 29, 2015 01:20 AM
The 66A ruling was historic, but what about the provisions regulating speech online and offline that still exist within the ITA, the IPC and other laws.

The article was published in Bangalore Mirror on March 29, 2015.


The Shreya Singhal v. Union of India ruling on the Information Technology Act 2000 (ITA) was truly a historic moment in Indian free speech jurisprudence. Few anticipated the striking down of the draconian Sec. 66A in its entirety, for introducing additional unconstitutional limits to free speech through its vague and imprecise language. The Supreme Court also read down Sec. 79(3)(b) and the intermediary liability rules — requiring a court order or a government notification to take down content and relieving intermediaries of the responsibility for determining legality of content. However, the court left the provision for website blocking, 69A, as it stood.

66A criminalised those that use a computer resource or a communication device to send one of the three classes of information listed below — some of which was redundant as they were already offences under the IPC (sections indicated in brackets below) or other sections of the ITA:

  1. Information that was grossly offensive or menacing in character;
  2. False information for causing annoyance, inconvenience, danger, obstruction, insult, injury [44], criminal intimidation [506], enmity, hatred [295A] or ill will.
  3. Annoying or inconvenient message - to deal spam OR to deceive or to mislead the addressee or recipient about the origin of such messages - presumably for phishing, which incidentally is dealt with more properly in Sec. 66D of ITA.

The regulatory vacuum created by the striking down of 66A can be addressed by parliament by ITA to reintroduce a well-crafted anti-spam provision that does not infringe upon human rights.

The intermediary liability section 79 and the associated rules were introduced to encourage free speech by granting immunity to intermediaries for content created by their users, unless they failed to act on take down notices. However, this provision proved to have a chilling effect on free speech, with risk-aversive intermediaries over-complying with takedown notices as they were unable to distinguish between legal and illegal content. Shreya Singhal solves half the problem - whether intermediaries decide either to remove or retain content in response to take down notices sent by non-government entities and individuals they remain immune from liability. But government entities can continue to censor speech using takedown notices without any oversight, transparency or adherence to the principles of natural justice. The recently launched Manila Principles developed by the CIS and others gives a more complete set of best practices that could be used to fix Sec. 79 through an amendment. For example - "abusive or bad take down notices should be penalized."

Website-blocking under 69a is mostly an opaque procedure as per the letter of the law as it does not require the user to be informed [because the alternative of informing the intermediary is deemed sufficient], and given a chance to be heard, and a secrecy rule prevents all documentation related to the procedure from being disclosed to the public. There is both an optimistic and a pessimistic view on what the bench has said when it upheld this section. Constitutional law expert Gautam Bhatia is of the view that the judge has made informing the user mandatory and has also overridden the secrecy provision by requiring a written order that can be assailed through writ petitions. But a more pessimistic reading is that the bench found the section constitutional and was satisfied with the safeguards and was only reiterating the procedure in the judgment. The trouble is the opacity of the procedure is worse than the current text of the law - there is no evidence that users have ever been notified and RTI requests for documentation related to block orders have been rejected using the secrecy rule.

Does the striking down of 66A mean that speech on the internet is completely free and completely unregulated? No, several provisions that regulate speech online and offline still exist within the ITA, the IPC and other laws. Within the ITA - infringing the privacy of individuals [ 66E], transmission of obscene material [67], including sexually explicit material [Sec. 67A], and also child pornography [67B], the Cyber Cafe Rules which require intermediaries to install web filters.

In the IPC, several sections regulate speech that define closely the intent and ingredients required in a precise way, something 66A did not do. Sedition is defined in Sec. 124A, with restrictions on speech in the case of causing hatred, contempt or disaffection towards the state. Promoting enmity between different groups on grounds of religion, race, place of birth, residence, language etc is criminalised [153A], and imputations or assertions prejudicial to national integration are also prohibited [153B]. Certain restrictions on speech have also been made in terms of protecting the privacy and dignity of individuals for ex. disclosure of a victim's identity in sensitive cases [228], insulting the modesty of a woman [509]. Defamation [499] and conduct intended to cause public mischief by way of statements, rumours, reports [505] remain criminalized; and in 2013 cyber stalking [354D] has also been added.

[with inputs from Vidushi Marda] The author is the director of The Centre for Internet and Society

Three reasons why 66A verdict is momentous

by Pranesh Prakash last modified Mar 29, 2015 04:22 PM
Earlier this week, the fundamental right to freedom of expression posted a momentous victory. The nation's top court struck down the much-reviled Section 66A of the IT Act — which criminalized communications that are "grossly offensive", cause "annoyance", etc — as "unconstitutionally vague", "arbitrarily, excessively, and disproportionately" encumbering freedom of speech, and likely to have a "chilling effect" on legitimate speech.

The article was published in the Times of India on March 29, 2015.


It also struck down Sec 118(d) of the Kerala Police Act on similar grounds. This is a landmark judgment, as it's possibly the first time since 1973's Bennett Coleman case that statutory law was struck down by the Supreme Court for violating our right to free expression.

The SC also significantly 'read down' the draconian 'Intermediary Guidelines Rules' which specify when intermediaries — website hosts and search engines — may be held liable for what is said online by their users. The SC held that intermediaries should not be forced to decide whether the online speech of their users is lawful or not. While the judgment leaves unresolved many questions — phrases like "grossly offensive", which the SC ruled were vague in 66A, occur in the Rules as well — the court's insistence on requiring either a court or a government order to be able to compel an intermediary to remove speech reduces the 'invisible censorship' that results from privatized speech regulation.

The SC upheld the constitutional validity of Sec 69A and the Website Blocking Rules, noting they had several safeguards: providing a hearing to the website owner, providing written reasons for the blocking, etc. However, these safeguards are not practised by courts. Na Vijayashankar, a legal academic in Bengaluru, found a blogpost of his — ironically, on the topic of website blocking — had been blocked by a Delhi court without even informing him. He only got to find out when I published the government response to my RTI on blocked websites. Last December, Github, Vimeo and some other websites were blocked without being given a chance to contest it. As long as lower courts don't follow "principles of natural justice" and due process, we'll continue to see such absurd website blocking, especially in cases of copyright complaints, without any way of opposing or correcting them.

There are three main outcomes of this judgment. First is the legal victory: SC's analysis while striking down 66A is a masterclass of legal clarity and a significant contribution to free speech jurisprudence. This benefits not only future cases in India, but all jurisdictions whose laws are similar to ours, such as Bangladesh, Malaysia and the UK.

Second is the moral victory for free speech. Sec 66A was not merely a badly written law, it became a totem of governmental excess and hubris. Even when political parties realized they had passed 66A without a debate, they did not apologize to the public and revise it; instead, they defended it. Only a few MPs, such as P Rajeev and Baijayant Panda, challenged it. Even the NDA, which condemned the law in the UPA era, supported it in court. By striking down this totem, the SC has restored the primacy of the Constitution. For instance, while this ruling doesn't directly affect the censor board's arbitrary rules, it does morally undermine them.

Third, this verdict shows that given proper judicial reading, the Indian constitutional system of allowing for a specific list of purposes for which reasonable restrictions are permissible, might in fact be as good or even better in some cases, than the American First Amendment. The US law baldly states that Congress shall make no law abridging freedom of speech or of the press. However, the US Supreme Court has never held the opinion that freedom of speech is absolute. The limits of Congress's powers are entirely judicially constructed, and till the 1930s, the US court never struck down a law for violating freedom of speech, and has upheld laws banning obscenity, public indecency, offensive speech in public, etc. However, in India, the Constitution itself places hard limits on Parliament's powers, and also, since the first amendment to our Constitution, allows the judiciary to determine if the restrictions placed by Parliament are "reasonable". In the judgment Justice Nariman quotes Mark Antony from Julius Caesar. He could also have quoted Cassius: "The fault, dear Brutus, is not in our stars, but in ourselves." Judges like Justice Nariman show the constitutional limits to free speech can be read both narrowly and judiciously: we can no longer complain about the Constitution as the primary reason we have so many restrictions on freedom of expression.

Bloomberg.pdf

by Prasad Krishna last modified Apr 03, 2015 06:17 AM

PDF document icon Bloomberg.pdf — PDF document, 145 kB (148496 bytes)

Tech Law Forum

by Prasad Krishna last modified Apr 03, 2015 04:34 PM

ZIP archive icon TLF Tech Weekend.docx — ZIP archive, 88 kB (91110 bytes)

Security, Governments and Data: Technology and Policy

by Nehaa Chaudhari last modified Apr 04, 2015 05:49 AM

PDF document icon CIS&ORF conference report.pdf — PDF document, 214 kB (219923 bytes)

Security, Governments and Data: Technology and Policy

by Elonnai Hickok last modified Apr 04, 2015 05:59 AM
On January 8, 2015, the Centre for Internet and Society, in collaboration with the Observer research foundation, hosted the day long conference "Security, Governments, and Data: Technology and Policy" The conference discussed a range of topics including internet governance, surveillance, privacy, and cyber security.

The full report written and compiled by Lovisha Aggarwal and Nehaa Chaudhari and edited by Elonnai Hickok can be accessed here.


The conference was focused on the technologies, policies, and practices around cyber security and surveillance. The conference reached out to a number of key stakeholders including civil society, industry, law enforcement, government, and academia and explored the present scenario in India to reflect on ways forward. The conference was a part of CIS’s work around privacy and surveillance, supported by Privacy International.

Welcome Address

The welcome address opened with a reference to a document circulated by CIS in 2014 which contained hypothetical scenarios of potential threats to Indian cyber security. This document highlighted the complexity of cyber security and the challenges that governments face in defending their digital borders. When talking about cyber security it is important that certain principles are upheld and security is not pursued only for the sake of security. This approach allows for security to be designed and to support other rights such as the right of access, the right to freedom of expression, and the right to privacy. Indeed, the generation, use, and protection of communications data by the private sector and the government are a predominant theme across the globe today. This cannot be truer for India, as India hosts the third largest population on the internet in the world.

During the welcome, a brief introduction to the Centre for Internet and Society was given. It was noted that CIS is a 6.5 half year old organization that is comprised of lawyers, mathematicians, sociologists, and computer scientists and works across multiple focus areas including accessibility, internet governance, telecom, openness, and access to knowledge. CIS began researching privacy and surveillance in 2010, and has recently begun to expand their research into cyber security. The purpose of this is to understand the relationship between privacy, surveillance, and security and is the beginning of a learning process for CIS. In 2013 CIS undertook a process to attempt to evolve a legal regime to intelligently and adequately deal with privacy in India. Industry specific requirements are key in the Indian context and this process was meant to try and evolve a consensus on what a privacy law in India should look like by bringing together key stakeholders for roundtables. CIS is now in the final stages of preparing individual legal proposals that will be sent to the Government – to hopefully have an informed Privacy Law in India. This event represents CIS’s first attempt to have a simultaneous dialogue on surveillance, cyber security, and privacy. As part of this event and research CIS is trying to understand the technology and market involved in surveillance and cyber security as these are important factors in the development of policy and law.

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

by Pranesh Prakash last modified Apr 05, 2015 05:08 AM
Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany.  Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do.  I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance.  This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.

The Supreme Court Judgment in Shreya Singhal and What It Does for Intermediary Liability in India?

by Jyoti Panday last modified Apr 17, 2015 11:59 PM
Even as free speech advocates and users celebrate the Supreme Court of India's landmark judgment striking down Section 66A of the Information Technology Act of 2000, news that the Central government has begun work on drafting a new provision to replace the said section of the Act has been trickling in.

The SC judgement in upholding the constitutionality of Section  69A (procedure for blocking websites) and in reading down Section 79 (exemption from liability of intermediaries) of the IT Act, raises crucial questions regarding transparency, accountability and under what circumstances may reasonable restrictions be placed on free speech on the Internet. While discussions and analysis of S. 66A continue, in this post I will focus on the aspect of the judgment related to intermediary liability that could benefit from further clarification from the apex court and in doing so, will briefly touch upon S. 69A and secret blocking.

Conditions qualifying intermediary for exemption and obligations not related to exemption

The intermediary liability regime in India is defined under S. 79 and assosciated rules that were introduced to protect intermediaries for liability from user generated content and ensure the Internet continues to evolve as a “marketplace of ideas”. But as intermediaries may not have sufficient legal competence or resources to deliberate on the legality of an expression, they may end up erring on the side of caution and takedown lawful expression. As a study by Centre for Internet and Society (CIS) in 2012 revealed, the criteria, procedure and safeguards for administration of the takedowns as prescribed by the rules lead to a chilling effect on online free expression.

S. 69A grants powers to the Central Government to “issue directions for blocking of public access to any information through any computer resource”. The 2009 rules allow the blocking of websites by a court order, and sets in place a review committee to review the decision to block websites as also establishes penalties for the intermediary that fails to extend cooperation in this respect.

There are two key aspects of both these provisions that must be noted:

a) S. 79 is an exemption provision that qualifies the intermediary for conditional immunity, as long as they fulfil the conditions of the section. The judgement notes this distinction, adding that “being an exemption provision, it is closely related to provisions which provide for offences including S. 69A.”

b) S. 69A does not contribute to immunity for the intermediary rather places additional obligations on the intermediary and as the judgement notes “intermediary who finally fails to comply with the directions issued who is punishable under sub-section (3) of 69A.” The provision though outside of the conditional immunity liability regime enacted through S. 79 contributes to the restriction of access to, or removing content online by placing liability on intermediaries to block unlawful third party content or information that is being generated, transmitted, received, stored or hosted by them. Therefore restriction requests must fall within the contours outlined in Article 19(2) and include principles of natural justice and elements of due process.

Subjective Determination of Knowledge

The provisions for exemption laid down in S. 79 do not apply when they receive “actual knowledge” of illegal content under section 79(3)(b). Prior to the court's verdict actual knowledge could have been interpreted to mean the intermediary is called upon its own judgement under sub-rule (4) to restrict impugned content in order to seek exemption from liability. Removing the need for intermediaries to take on an adjudicatory role and deciding on which content to restrict or takedown, the SC has read down “actual knowledge” to mean that there has to be a court order directing the intermediary to expeditiously remove or disable access to content online. The court also read down “upon obtaining knowledge by itself” and “brought to actual knowledge” under Rule 3(4) in the same manner as 79(3)(b).

Under S.79(3)(b) the intermediary must comply with the orders from the executive in order to qualify for immunity. Further, S. 79 (3)(b) goes beyond the specific categories of restriction identified in Article 19(2) by including the term “unlawful acts” and places the executive in an adjudicatory role of determining the illegality of content. The government cannot emulate private regulation as it is bound by the Constitution and the court addresses this issue by applying the limitation of 19(2) on unlawful acts, “the court order and/or the notification by the appropriate government or its agency must strictly conform to the subject matters aid down in Article 19(2).”

By reading down of S. 79 (3) (b) the court has addressed the issue of intermediaries complying with takedown requests from non-government entities and has made government notifications and court orders to be consistent with reasonable restrictions in Article 19(2). This is an important clarification from the court, because this places limits on the private censorship of intermediaries and the invisible censorship of opaque government takedown requests as they must and should adhere, to the boundaries set by Article 19(2).

Procedural Safeguards

The SC does not touch upon other parts of the rules and in not doing so, has left significant procedural issues open for debate. It is relevant to bear in mind and as established above, S. 69A blocking and restriction requirements for the intermediary are part of their additional obligations and do not qualify them for immunity. The court ruled in favour of upholding S. 69A as constitutional on the basis that blocking orders are issued when the executive has sufficiently established that it is absolutely necessary to do so, and that the necessity is relatable to only some subjects set out in Article 19(2). Further the court notes that reasons for the blocking orders must be recorded in writing so that they may be challenged through writ petitions. The court also goes on to specify that under S. 69A the intermediary and the 'originator' if identified, have the right to be heard before the committee decides to issue the blocking order.

Under S. 79 the intermediary must also comply with government restriction orders and the procedure for notice and takedown is not sufficiently transparent and lacks procedural safeguards that have been included in the notice and takedown procedures under S. 69. For example, there is no requirement for committee to evaluate the necessity of issuing the restriction order, though the ruling does clarify that these restriction notices must be within the confines of Article 19(2). The judgement could have gone further to directing the government to state their entire cause of action and provide reasonable level of proof (prima facie). It should have also addressed issues such as the government using extra-judicial measures to restrict content including collateral pressures to force changes in terms of service, to promote or enforce so-called "voluntary" practices.

Accountability

The judgement could also have delved deeper into issues of accountability such as the need to consider 'udi alteram partem' by providing the owner of the information or the intermediary a hearing prior to issuing the restriction or blocking order nor is an post-facto review or appeal mechanism made available except for the recourse of writ petition. Procedural uncertainty around wrongly restricted content remains, including what limitations should be placed on the length, duration and geographical scope of the restriction. The court also does not address the issue of providing a recourse for the third party provider of information to have the removed information restored or put-back remains unclear. Relatedly, the court also does not clarify the concerns related to frivolous requests by establishing penalties nor is there a codified recourse under the rules presently, for the intermediary to claim damages even if it can be established that the takedown process is being abused.

Transparency

The bench in para 113 in addressing S. 79 notes that the intermediary in addition to publishing rules and regulations, privacy policy and user agreement for access or usage of their service has to also inform users of the due diligence requirements including content restriction policy under rule 3(2). However,  the court ought to have noted the differentiation between different categories of intermediaries which may require different terms of use. Rather than stressing a standard terms of use as a procedural safeguard, the court should have insisted on establishing terms of use and content restriction obligations that is proportional to the role of the intermediary and based on the liability accrued in providing the service, including the impact of the restriction by the intermediary both on access and free speech. By placing requirement of disclosure or transparency on the intermediary including what has been restricted under the intermediary's own terms of service, the judgment could have gone a step further than merely informing users of their rights in using the service as it stands presently,  to ensuring that users can review and have knowledge of what information has been restricted and why. The judgment also does not touch upon broader issues of intermediary liability such as proactive filtering sought by government and private parties, an important consideration given the recent developments around the right to be forgotten in Europe and around issues of defamation and pornography in India.

The judgment, while a welcome one in the direction of ensuring the Internet remains a democratic space where free speech thrives, could benefit from the application of the recently launched Manila principles developed by CIS and others. The Manila Principles is a framework of baseline safeguards and best practices that should be considered by policymakers and intermediaries when developing, adopting, and reviewing legislation, policies and practices that govern the liability of intermediaries for third-party content.

The court's ruling is truly worth celebrating, in terms of the tone it sets on how we think of free speech and the contours of censorship that exist in the digital space. But the real impact of this judgment lies in the debates and discussions which it will throw open about content removal practices that involve intermediaries making determinations on requests received, or those which only respond to the interests of the party requesting removal. As the Manila Principles highlight a balance between public and private interests can be obtained through a mechanism where power is distributed between the parties involved, and where an impartial, independent, and accountable oversight mechanism exists.


Freedom of Expression in Digital Age

by Prasad Krishna last modified Apr 12, 2015 03:51 AM

PDF document icon FOEX invite-1.pdf — PDF document, 206 kB (211029 bytes)

Multiple Aspects Need to be Addressed as the Clamour Grows for Network Neutrality

by Sunil Abraham last modified Apr 16, 2015 01:33 PM
In the global debate there are four violations of Network Neutrality that are considered particularly egregious.

The article was published in DNA on April 16, 2015.


One — blocking of destinations or services in order to force the consumer to pay extra charges for access, two — not charging or zero-rating of certain destinations and services with or without extraction of payment from the sender or destination, and three — throttling or prioritisation of traffic between competing destinations or services and four — specialised services wherein the very same Internet infrastructure is used to provide non-Internet but IP based services such as IP-TV.

The main harms of network neutrality violations are as follows: one, censorship by private parties without legal basis; two, innovation harms because the economic threshold for new entrants is raised significantly; three, competition harms as monopolies become more entrenched and then are able to abuse their dominant position; four, harms to diversity because of the nudge effect that free access to certain services and destinations has on consumers reducing the infinite plurality of the Internet to a set of menu options. The first and fourth harm could result in the Internet being reduced to a walled garden.

It is insufficient to try and address this with networking rules for engineers such as “all packets should be treated equally.” But a set of principles could be developed that can help us grow access without violating network neutrality. Wikimedia Foundation has already developed their principles which they call “Wikipedia Zero Operating Principles”. In India our principles could include the following. One, no blocking without legal basis. Two, transparency — all technical and commercial arrangements are to be disclosed to the public. Three, non-exclusivity — all arrangements should be available to all parties, no special deals for those you favour. Four, non-discrimination between equals — technologies and entities that are alike should be treated alike. Five, necessity — whilst some measure may be required occasionally when there is network congestion they should be rolled back in a time-bound fashion.

Once these principles are enforced through a network neutrality regulation, ISPs and telecom operators will be allowed to innovate with business and payment models. Steve Song, inventor of Village Telco says “My preferred take on zero-rating would be to zero-rate gprs/edge data in general so that there is a minimum basic access for all.” My colleague Pranesh Prakash says “One possibility, of many, is to create a single marketplace or exchange for zero-rating, through which one can zero-rate on all telecom networks for standard tiered rates that they publish, and terms that are known to the regulator. Banning is akin to a brahmastra in a regulator's arsenal: it should not be used lightly” Jochai Ben-Avie of Mozilla told me yesterday of experiments in Bangladesh where consumers watch an advertisement everyday in exchange for 5Mb of data. My own suggestion to address the harms caused by walled gardens would be to make them leak – mandate that unfettered access to the Internet be provided every other hour.

There is many other ways in which the Internet has been transformed in India and other countries but these are not commonly considered network neutrality violations. Here are some examples.  One, blocking of port 25 — a port that is commonly used to relay email spam. Two, blocking of port 80 – so that domestic connections cannot be used to host web servers. Three, the use of private IP addresses, ISPs who are delaying migration to IPv6 infrastructure because of cost implications leverage their IPv4  address inventory by using Carrier Grade — Network Address Translators [CG-NATs].  Four, asymmetric connections where download speeds for consumers are faster than upload speeds. With the exception of the first example — all of them affect end users negatively but do not usually impact corporations and therefore have been  unfortunately sidelined in the global debate.

The TRAI consultation paper reveals many of the concerns of the telecom operators that go beyond the scope of network neutrality. Many of these concerns are very legitimate. There is a scarcity of spectrum  — this could partially be addressed by auctioning more spectrum, scientific management of spectrum, promotion of shared spectrum and unlicensed spectrum. Their profit margins are thinning – this could be addressed by dismantling the Universal Service Obligation Fund, it is after all as Rohan Samarajiva puts it “a tax on the poor.” Internet companies don't pay taxes – this could be addressed by the Indian government, by adopting the best practices from the OECD around preventing tax avoidance. But some of their concerns cannot be addressed because of the technological differences between telecom and Internet networks. While it is relatively easy to require telecom companies to provide personal information and allow for interception of communications, those Internet companies that use end-to-end encryption cannot divulge personal information or facilitate interception because it is technologically impossible. While the first two concerns could be addressed by TRAI, the last two should be addressed by other ministries and departments in the Indian government.

There are other concerns that are much more difficult to address without the deep understanding of latest advancements in radio communication, signal processing and congestion control techniques in packet switched networks. A telecom expert who did not wish to be identified told me that “even 2G TDM voice is 10 to 15 times more efficient when compared to VOIP. IP was developed to carry data, and is therefore not an efficient mode to carry voice as overhead requirement for packets destroys the efficiency on voice. Voice is best carried close to the physical layer where the overheads are lowest.” He claims that since “VOIP calls are spectrally inefficient they should be discouraged” through differential pricing. We need accessible scientific literature and monitoring infrastructure so that an evidence base around concerns like this can be created so as to address them effectively through regulatory interventions.

You know you have reached a policy solution when all concerned stakeholders are equally unhappy. Unfortunately, the TRAI consultation paper assumes that Internet companies operate in a regulatory vacuum and therefore places much unnecessary focus on the licensing of these companies. This is a disastrous proposal since the Internet today is the result of “permission-less innovation”. The real issue is network neutrality and one hopes that after rigorous debate informed by scientific evidence TRAI finds a way to spread unhappiness around equally.


The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation which has zero-rating alliances with telecom operators in many countries across the world.

Fear, Uncertainty and Doubt

by Sunil Abraham last modified Apr 17, 2015 01:44 AM
Much confusion has resulted from the Section 66A verdict. Some people are convinced that online speech is now without any reasonable restrictions under Article 19 (2) of the Constitution. This is completely false.

There are many other provisions within the IT Act that still regulate speech online, for example the section on obscenity (Sec. 67) and also the data protection provision (Sec. 43A). Additionally there are provisions within the Indian Penal Code and other Acts that regulate speech both online and offline. For example, defamation remains a criminal offence under the IPC (Sec. 499), and disclosing information about children in a manner that lowers their reputation or infringes their privacy is also prohibited under the Protection of Children from Sexual Offences Act, 2012 (Sec. 23).

Others are afraid that the striking down of Section 66A results in a regulatory vacuum where it will be possible for bad actors to wreak havoc online because the following has been left unaddressed by the IT Act.

  1. Criminal Intimidation: The phrase "criminal intimidation" was included in Sec. 66A(b), but the requirement was that intimidation should be carried out using "information which he knows to be false". Sec. 506 of the IPC which punishes criminal intimidation does not have this requirement and is therefore a better legal route for affected individuals, even though the maximum punishment is a year shorter than the three years possible under the IT Act.
  2. Cyber-stalking: A new section for stalking - Sec. 345 D - was added into the IPC in 2013 which also recognised cyber stalking. The definition within Sec.345D is more precise compared to the nebulous phrasing in Sec. 66A, which read - "monitors the use by a woman of the internet, email or any other form of electronic communication, commits the offence of stalking".
  3. Phishing: Sec. 66A (c) dealt with punishment to people who "deceive or mislead the addressee or recipient about the origin of such messages". Sec.66D, which will be the operative section after this verdict, deals with "cheating by impersonation" and forms a more effective safeguard against phishing.

Cyber-bulling of children is arguably left unaddressed. Most importantly, spam, the original intention behind 66A, now cannot be tackled using any existing provision of the law. However, the poorly drafted section made it impossible for law enforcement to crack down on spammers. A 2005 attempt by the ITU to produce model law for spam based on a comparative analysis of national laws resulted in several important best practices that were ignored during the 2008 Amendment of the Act. For example, the definition of spam must cover the following characteristics - mass, unsolicited and commercial. All of which was missing in 66A.

Good quality law must be drafted by an open, participatory process where all relevant stakeholders are consulted and responded to before bills are introduced in parliament.


 

A scanned copy of the article was published in the Deccan Chronicle on March 26, 2015.
Fear, Uncertainty and Doubt

Shreya Singhal and 66A

by Sunil Abraham last modified Apr 19, 2015 08:09 AM
Most software code has dependencies. Simple and reproducible methods exist for mapping and understanding the impact of these dependencies. Legal code also has dependencies --across court orders and within a single court order. And since court orders are not produced using a structured mark-up language, experts are required to understand the precedential value of a court order.

The article was published in the Economic and Political Weekly Vol-L No.15.  Vidushi Marda, programme officer at the Centre for Internet and Society, was responsible for all the research that went into this article. PDF version here.


As a non–lawyer and engineer, I cannot authoritatively comment on the Supreme Court’s order in Shreya Singhal vs Union of India (2015) on sections of the Information Technology Act of 2000, so I have tried to summarise a variety of views of experts in this article. The Shreya Singhal order is said to be unprecedented at least for the last four decades and also precedent setting as its lucidity, some believe, will cause a ripple effect in opposition to a restrictive understanding of freedom of speech and expression, and an expansiveness around reasonable restrictions. Let us examine each of the three sections that the bench dealt with.

The Section in Question

Section 66A of the IT Act was introduced in a hastily-passed amendment. Unfortunately, the language used in this section was a pastiche of outdated foreign laws such as the UK Communications Act of 2003, Malicious Communications Act of 1988 and the US Telecommunications Act, 1996.1 Since the amendment, this section has been misused to make public examples out of innocent, yet uncomfortable speech, in order to socially engineer all Indian netizens into self-censorship.2

Summary: The Court struck down Section 66A of the IT Act in its entirety holding that it was not saved by Article 19(2) of the Constitution on account of the expressions used in the section, such as "annoying," "grossly offensive," "menacing,", "causing annoyance." The Court justified this by going through the reasonable restrictions that it considered relevant to the arguments and testing them against S66A. Apart from not falling within any of the categories for which speech may be restricted, S66A was struck down on the grounds of vagueness, over-breadth and chilling effect. The Court considered whether some parts of the section could be saved, and then concluded that no part of S66A was severable and declared the entire section unconstitutional. When it comes to regulating speech in the interest of public order, the Court distinguished between discussion, advocacy and incitement. It considered the first two to fall under the freedom of speech and expression granted under Article 19(1)(a), and held that it was only incitement that attracted Article 19(2).

Between Speech and Harm

Gautam Bhatia, a constitutional law expert, has an optimistic reading of the judgment that will have value for precipitating the ripple effect. According to him, there were two incompatible strands of jurisprudence which have been harmonised by collapsing tendency into imminence.3 The first strand, exemplified by Ramjilal Modi vs State of UP4 and Kedar Nath Singh vs State of Bihar,5 imported an older and weaker American standard, that is, the tendency test, between the speech and public order consequences. The second strand exemplified byRam Manohar Lohia vs State of UP,6 S Rangarajan vs P Jagjivan Ram,7 andArup Bhuyan vs Union of India,8 all require greater proximity between the speech and the disorder anticipated. In Shreya Singhal, the Supreme Court held that at the stage of incitement, the reasonable restrictions will step in to curb speech that has a tendency to cause disorder. Other experts are of the opinion that Justice Nariman was doing no such thing, and was only sequentially applying all the tests for free speech that have been developed within both these strands of precedent. In legal activist Lawrence Liang's analysis, "Ramjilal Modi was decided by a seven judge bench and Kedarnath by a constitutional bench. As is often the case in India, when subsequent benches of a lower strength want to distinguish themselves from older precedent but are unable to overrule them, they overcome this constraint through a doctrinal development by stealth. This is achieved by creative interpretations that chip away at archaic doctrinal standards without explicitly discarding them."9

Compatibility with US Jurisprudence

United States (US) jurisprudence has been imported by the Indian Supreme Court in an inconsistent manner. Some judgments hold that the American first amendment harbours no exception and hence is incompatible with Indian jurisprudence, while other judgments have used American precedent when convenient. Indian courts have on occasion imported an additional restriction beyond the eight available in 19(2)-the ground of public interest, best exemplified by the cases of K A Abbas10 and Ranjit Udeshi.11 The bench in its judgment-which has been characterised by Pranesh Prakash as a masterclass in free speech jurisprudence12-clarifies that while the American first amendment jurisprudence is applicable in India, the only area where a difference is made is in the "sub serving of general public interest" made under the US law. This eloquent judgment will hopefully instruct judges in the future on how they should import precedent from American free speech jurisprudence.

Article 14 Challenge

The Article 14 challenge brought forward by the petitioners contended that Section 66A violated their fundamental right to equality because it differentiated between offline and online speech in terms of the length of maximum sentence, and was hence unconstitutional. The Court held that an intelligible differentia, indeed, did exist. It found so on two grounds. First, the internet offered people a medium through which they can express views at negligible or no cost. Second, the Court likened the rate of dissemination of information on the internet to the speed of lightning and could potentially reach millions of people all over the world. Before Shreya Singhal, the Supreme Court had already accepted medium-specific regulation. For example in K A Abbas, the Court made a distinction between films and other media, stating that the impact of films on an average illiterate Indian viewer was more profound than other forms of communication. The pessimistic reading of Shreya Singhal is that Parliament can enact medium-specific law as long as there is an intelligible differentia which could even be a technical difference-speed of transmission. However, the optimistic interpretation is that medium-specific law can only be enacted if there are medium-specific harms, e g, phishing, which has no offline equivalent. If the executive adopts the pessimistic reading, then draconian sections like 66A will find their way back into the IT Act. Instead, if they choose the optimistic reading, they will introduce bills that fill the regulatory vacuum that has been created by the striking down of S66A, that is, spam and cyberbullying.

Section 79

Section 79 was partially read down. This section, again introduced during the 2008 amendment, was supposed to give legal immunity to intermediaries for third party content by giving a quick redressal for those affected by providing a mechanism for takedown notices in the Intermediaries Guidelines Rules notified in April 2011. But the section and rules had enabled unchecked invisible censorship13 in India and has had a demonstrated chilling effect on speech14 because of the following reasons:

One, there are additional unconstitutional restrictions on speech and expression. Rule 3(2) required a standard "rules and regulation, terms and condition or user agreement" that would have to be incorporated by all intermediaries. Under these rules, users are prohibited from hosting, displaying, uploading, modifying, publishing, transmitting, updating or sharing any information that falls into different content categories, a majority of which are restrictions on speech which are completely out of the scope of Article 19(2). For example, there is an overly broad category which contains information that harms minors in any way. Information that "belongs to another person and to which the user does not have any right to" could be personal information or could be intellectual property. A much better intermediary liability provision was introduced into the Copyright Act with the 2013 amendment. Under the Copyright Act, content could be reinstated if the takedown notice was not followed up with a court order within 21 days.15 A counter-proposal drafted by the Centre for Internet and Society for "Intermediary Due Diligence and Information Removal," has a further requirement for reinstatement that is not seen in the Copyright Act.16

Two, a state-mandated private censorship regime is created. You could ban speech online without approaching the court or the government. Risk-aversive private intermediaries who do not have the legal resources to subjectively determine the legitimacy of a legal claim err on the side of caution and takedown content.

Three, the principles of natural justice are not observed by the rules of the new censorship regime. The creator of information is not required to be notified nor given a chance to be heard by the intermediary. There is no requirement for the intermediary to give a reasoned decision.

Four, different classes of intermediaries are all treated alike. Since the internet is not an uniform assemblage of homogeneous components, but rather a complex ecosystem of diverse entities, the different classes of intermediaries perform different functions and therefore contribute differently to the causal chain of harm to the affected person. If upstream intermediaries like registrars for domain names are treated exactly like a web-hosting service or social media service then there will be over-blocking of content.

Five, there are no safeguards to prevent abuse of takedown notices. Frivolous complaints could be used to suppress legitimate expressions without any fear of repercussions and given that it is not possible to expedite reinstatement of content, the harm to the creator of information may be irreversible if the information is perishable. Transparency requirements with sufficient amounts of detail are also necessary given that a human right was being circumscribed. There is no procedure to have the removed information reinstated by filing a counter notice or by appealing to a higher authority.

The judgment has solved half the problem by only making intermediaries lose immunity if they ignore government orders or court orders. Private takedown notices sent directly to the intermediary without accompanying government orders or courts order no longer have basis in law. The bench made note of the Additional Solicitor General's argument that user agreement requirements as in Rule 3(2) were common practice across the globe and then went ahead to read down Rule 3(4) from the perspective of private takedown notices. One way of reading this would be to say that the requirement for standardised "rules and regulation, terms and condition or user agreement" remains. The other more consistent way of reading this part of the order in conjunction with the striking down of 66A would be to say those parts of the user agreement that are in violation of Article 19(2) have also been read down.

This would have also been an excellent opportunity to raise the transparency requirements both for the State and for intermediaries: for (i) the person whose speech is being censored, (ii) the persons interested in consuming that speech, and (iii) the general public. It is completely unclear whether transparency in the case of India has reduced the state appetite for censorship. Transparency reports from Facebook, Google and Twitter claim that takedown notices from the Indian government are on the rise.17 However, on the other hand, the Department of Electronics and Information Technology (DEITY) claims that government statistics for takedowns do not match the numbers in these transparency reports.18 The best way to address this uncertainty would be to require each takedown notice and court order to be made available by the State, intermediary and also third-party monitors of free speech like the Chilling Effects Project.

Section 69A

The Court upheld S69A which deals with website blocking, and found that it was a narrowly-drawn provision with adequate safeguards, and, hence, not constitutionally infirm. In reality, unfortunately, website blocking usually by internet service providers (ISPs) is an opaque process in India. Blocking under S69A has been growing steadily over the years. In its latest response to an RTI (right to information)19 query from the Software Freedom Law Centre, DEITY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014. On 30 December 2014 alone, the centre blocked 32 websites to curb Islamic State of Iraq and Syria propaganda, among which were "pastebin" websites, code repository (Github) and generic video hosting sites (Vimeo and Daily Motion).20 Analysis of leaked block lists and lists received as responses to RTI requests have revealed that the block orders are full of errors (some items do not exist, some items are not technically valid web addresses), in some cases counter speech which hopes to reverse the harm of illegal speech has also been included, web pages from mainstream media houses have also been blocked and some URLs are base URLs which would result in thousands of pages getting blocked when only a few pages might contain allegedly illegal content.21

Pre-decisional Hearing

The central problem with the law as it stands today is that it allows for the originator of information to be isolated from the process of censorship. The Website Blocking Rules provide that all "reasonable efforts" must be made to identify the originator or the intermediary who hosted the content. However, Gautam Bhatia offers an optimistic reading of the judgment, he claims that the Court has read into this "or" and made it an "and"-thus requiring that the originator must also be notified of blocks when he or she can be identified.22

Transparency

Usually, the reasons for blocking a website are unknown both to the originator of material as well as those trying to access the blocked URL. The general public also get no information about the nature and scale of censorship unlike offline censorship where the court orders banning books and movies are usually part of public discourse. In spite of the Court choosing to leave Section 69A intact, it stressed the importance of a written order for blocking, so that a writ may be filed before a high court under Article 226 of the Constitution. While citing this as an existing safeguard, the Court seems to have been under the impression that either the intermediary or the originator is normally informed, but according to Apar Gupta, a lawyer for the People's Union for Civil Liberties, "While the rules indicate that a hearing is given to the originator of the content, this safeguard is not evidenced in practice. Not even a single instance exists on record for such a hearing."23 Even worse, block orders have been unevenly implemented by ISPs with variations across telecom circles, connectivity technologies, making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.

Rule 16 under S69A requires confidentiality with respect to blocking requests and complaints, and actions taken in that regard. The Court notes that this was argued to be unconstitutional, but does not state their opinion on this question. Gautam Bhatia holds the opinion that this, by implication, requires that requests cannot be confidential. Chinmayi Arun, from the Centre for Communication Governance at National Law University Delhi, one of the academics supporting the petitioners, holds the opinion that it is optimism carried too far to claim that the Court noted the challenge to Rule 16 but just forgot about it in a lack of attention to detail that is belied by the rest of the judgment.

Free speech researchers and advocates have thus far used the RTI Act to understand the censorship under S69A. The Centre for Internet and Society has filed a number of RTI queries about websites blocked under S69A and has never been denied information on grounds of Rule 16.24 However, there has been an uneven treatment of RTI queries by DEITY in this respect, with the Software Freedom Law Centre25 being denied blocking orders on the basis of Rule 16. The Court could have protected free speech and expression by reading down Rule 16 except for a really narrow set of exceptions wherein only aggregate information would be made available to affected parties and members of the public.

Conclusions

In Shreya Singhal, the Court gave us great news: S66A has been struck down; good news: S79(3) and its rules have been read down; and bad news: S69A has been upheld. When it comes to each section, the impact of this judgment can either be read optimistically or pessimistically, and therefore we must wait for constitutional experts to weigh in on the ripple effect that this order will produce in other areas of free speech jurisprudence in India. But even as free speech activists celebrate Shreya Singhal, some are bemoaning the judgment as throwing the baby away with the bathwater, and wish to reintroduce another variant of S66A. Thus, we must remain vigilant.

Notes

1 G S Mudur (2012): "66A 'Cut and Paste Job,'" The Telegraph, 3 December, visited on 3 April, 2015, http://www.telegraphindia.com/1121 203/jsp/frontpage/story_16268138.jsp

2 Sunil Abraham (2012): "The Five Monkeys and Ice Cold Water," Centre for Internet and Society, 26 September, visited on 3 April 2015, http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-201...

3 Gautam Bhatia (2015): "The Striking Down of 66A: How Free Speech Jurisprudence in India Found Its Soul Again," Indian Constitutional Law and Philosophy, 26 March, visited on 4 April 2015, https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-sect...

4 Ramjilal Modi vs State of UP, 1957, SCR 860.

5 Kedar Nath Singh vs State of Bihar, 1962, AIR 955.

6 Ram Manohar Lohia vs State of UP, AIR, 1968 All 100.

7 S Rangarajan vs P Jagjivan Ram, 1989, SCC(2), 574.

8 Arup Bhuyan vs Union of India, (2011), 3 SCC 377.

9 Lawrence Liang, Alternative Law Forum, personal communication to author, 6 April 2015.

10 K A Abbas vs Union of India, 1971 SCR (2), 446.

11 Ranjit Udeshi vs State of Maharashtra,1965 SCR (1) 65.

12 Pranesh Prakash (2015): "Three Reasons Why 66A Verdict Is Momentous"/ Times of India/(29 March). Visited on 6 April 2015, http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Th...

13 Pranesh Prakash (2011): "Invisble Censorship: How the Government Censors Without Being Seen," The Centre for Internet and Society, 14 December, visited on 6 April 2015, http://cis-india.org/internet-governance/blog/invisible-censorship

14 Rishabh Dara (2012): "Intermediary Liability in India: Chilling Effects on Free Expression on the Internet," The Centre for Internet and Society, 27 April, visited on 6 April 2015, http://cis-india.org/internet-governance/chilling-effects-on-free-expres... .

15 Rule 75, Copyright Rules, 2013.

16 The Draft Counter Proposal is available at http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-i...

17 According to Facebook's transparency report, there were 4,599 requests in the first half of 2014, followed by 5,473 requests in the latter half. Available at https://govtrequests.facebook. com/country/India/2014-H2/ also see Google's transparency report available at http: //www.google. com/transparencyreport/removals/government/IN/?hl=en and Twitter's report, available at https:// transparency.twitter.com/country/in

18 Surabhi Agarwal (2015): "Transparency Reports of Internet Companies are Skewed: Gulashan Rai," Business Standard, 31 March, viewed on 5 April 2015, http://www.business-standard.com/article/current-affairs/transparency-re... .

19 http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reve...

20 "32 Websites Go Blank," The Hindu, 1 January 2015, viewed on 6 April 2015, http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/a...

21 Pranesh Prakash (2012): "Analysing Latest List of Blocked Sites (Communalism and Rioting Edition)," 22 August, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/analysing-blocked-sites-ri... . Also, see Part II of the same series at http://cis-india.org/internet-governance/analyzing-the-latest-list-of-bl... and analysis of blocking in February 2013, at http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-b...

22 Gautam Bhatia (2015): "The Supreme Court's IT Act Judgment, and Secret Blocking," Indian Constitutional Law and Philosophy, 25 March, viewed on 6 April 2015, https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act...

23 Apar Gupta (2015): "But What about Section 69A?," Indian Express, 27 March, viewed on 5 April 2015, http://indianexpress. com/article/opinion/ columns/but-what-about-section-69a/

24 Pranesh Prakash (2011): DIT's Response to RTI on Website Blocking, The Centre for Internet and Society, 7 April, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/rti-response-dit-blocking ). Also see http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-... and http://cis-india.org/internet-governance/resources/reply-to-rti-applicat...

25 http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-...

Shreya Singhal Judgment

by Prasad Krishna last modified Apr 19, 2015 08:06 AM

PDF document icon CM_L_15_110415_Sunil_Abraham.pdf — PDF document, 236 kB (242519 bytes)

DeitY says 143 URLs have been Blocked in 2015; Procedure for Blocking Content Remains Opaque and in Urgent Need of Transparency Measures

by Jyoti Panday last modified Apr 30, 2015 07:37 AM
Across India on 30 December 2014, following an order issued by the Department of Telecom (DOT), Internet Service Providers (ISPs) blocked 32 websites including Vimeo, Dailymotion, GitHub and Pastebin.

In February 2015, the Centre for Internet and Society (CIS) requested the Department of Electronics and Information Technology (DeitY) under the Right to Information Act, 2005 (RTI Act) to provide information clarifying the procedures for blocking in India. We have received a response from DeitY which may be seen here.

In this post, I shall elaborate on this response from DeitY and highlight some of the accountability and transparency measures that the procedure needs. To stress the urgency of reform, I shall also touch upon two recent developments—the response from Ministry of Communication to questions raised in Parliament on the blocking procedures and the Supreme Court (SC) judgment in Shreya Singhal v. Union of India.

Section 69A and the Blocking Rules

Section 69A of the Information Technology Act, 2008 (S69A hereinafter) grants powers to the central government to issue directions for blocking of access to any information through any computer resource. In other words, it allows the government to block any websites under certain grounds. The Government has notified rules laying down the procedure for blocking access online under the Procedure and Safeguards for Blocking for Access of Information by Public Rules, 2009 (Rules, 2009 hereinafter). CIS has produced a poster explaining the blocking procedure (download PDF, 2.037MB).

There are three key aspects of the blocking rules that need to be kept under consideration:

Officers and committees handling requests

Designated Officer (DO) – Appointed by the Central government, officer not below the rank of Joint Secretary.
Nodal Officer (NO) – Appointed by organizations including Ministries or Departments of the State governments and Union Territories and any agency of the Central Government.
Intermediary contact–Appointed by every intermediary to receive and handle blocking directions from the DO.
Committee for Examination of Request (CER) – The request along with printed sample of alleged offending information is examined by the CER—committee with the DO serving as the Chairperson and representatives from Ministry of Law and Justice; Ministry of Home Affairs; Ministry of Information and Broadcasting and representative from the Indian Computer Emergency Response Team (CERT-In). The CER is responsible for examining each blocking request and makes recommendations including revoking blocking orders to the DO, which are taken into consideration for final approval of request for blocking by the Secretary, DOT.
Review Committee (RC) – Constituted under rule 419A of the Indian Telegraph Act, 1951, the RC includes the Cabinet Secretary, Secretary to the Government of India (Legal Affairs) and Secretary (Department of Telecom). The RC is mandated to meet at least once in 2 months and record its findings and has to validate that directions issued are in compliance with S69A(1).

Provisions outlining the procedure for blocking

Rules 6, 9 and 10 create three distinct blocking procedures, which must commence within 7 days of the DO receiving the request.

a) Rule 6 lays out the first procedure, under which any person may approach the NO and request blocking, alternatively, the NO may also raise a blocking request. After the NO of the approached Ministry or Department of the State governments and Union Territories and/or any agency of the Central Government, is satisfied of the validity of the request they forward it to the DO. Requests when not sent through the NO of any organization, must be approved by Chief Secretary of the State or Union Territory or the Advisor to the Administrator of the Union Territory, before being sent to the DO.

The DO upon receiving the request places, must acknowledge receipt within 24 four hours and places the request along with printed copy of alleged information for validation by the CER. The DO also, must make reasonable efforts to identify the person or intermediary hosting the information, and having identified them issue a notice asking them to appear and submit their reply and clarifications before the committee at a specified date and time, within forty eight hours of the receipt of notice.

Foreign entities hosting the information are also informed and the CER gives it recommendations after hearing from the intermediary or the person has clarified their position and even if there is no representation by the same and after examining if the request falls within the scope outlined under S69A(1). The blocking directions are issued by the Secretary (DeitY), after the DO forwards the request and the CER recommendations. If approval is granted the DO directs the relevant intermediary or person to block the alleged information.

b) Rule 9 outlines a procedure wherein, under emergency circumstances, and after the DO has established the necessity and expediency to block alleged information submits recommendations in writing to the Secretary, DeitY. The Secretary, upon being satisfied by the justification for, and necessity of, and expediency to block information may issue an blocking directions as an interim measure and must record the reasons for doing so in writing.

Under such circumstances, the intermediary and person hosting information is not given the opportunity of a hearing. Nevertheless, the DO is required to place the request before the CER within forty eight hours of issuing of directions for interim blocking. Only upon receiving the final recommendations from the committee can the Secretary pass a final order approving the request. If the request for blocking is not approved then the interim order passed earlier is revoked, and the intermediary or identified person should be directed to unblock the information for public access.

c) Rule 10 outlines the process when an order is issued by the courts in India. The DO upon receipt of the court order for blocking of information submits it to the Secretary, DeitY and initiates action as directed by the courts.

Confidentiality clause

Rule 16 mandates confidentiality regarding all requests and actions taken thereof, which renders any requests received by the NO and the DO, recommendations made by the DO or the CER and any written reasons for blocking or revoking blocking requests outside the purview of public scrutiny. More detail on the officers and committees that enforce the blocking rules and procedure can be found here.

Response on blocking from the Ministry of Communication and Information Technology

The response to our RTI from E-Security and Cyber Law Group is timely, given the recent clarification from the Ministry of Communication and Information Technology to a number of questions, raised by parliamentarian Shri Avinash Pande in the Rajya Sabha. The questions had been raised in reference to the Emergency blocking order under IT Act, the current status of the Central Monitoring System, Data Privacy law and Net Neutrality. The Centre for Communication Governance (CCG), National Law University New Delhi have extracted a set of 6 questions and you can read the full article here.

The governments response as quoted by CCG, clarifies under rule 9—the Government has issued directions for emergency blocking of a total number of 216 URLs from 1st January, 2014 till date and that a total of 255 URLs were blocked in 2014 and no URLs has been blocked in 2015 (till 31 March 2015) under S69A through the Committee constituted under the rules therein. Further, a total of 2091 URLs and 143 URLs were blocked in order to comply with the directions of the competent courts of India in 2014 and 2015 (till 31 March 2015) respectively. The government also clarified that the CER, had recommended not to block 19 URLs in the meetings held between 1st January 2014 upto till date and so far, two orders have been issued to revoke 251 blocked URLs from 1st January 2014 till date. Besides, CERT-In received requests for blocking of objectionable content from individuals and organisations, and these were forwarded to the concerned websites for appropriate action, however the response did not specify the number of requests.

We have prepared a table explaining the information released by the government and to highlight the inconsistency in their response.

Applicable rule and procedure outlined under the Blocking Rules

Number of websites

2014

2015

Total

Rule 6 - Blocking requests from NO and others

255

None

255

Rule 9 - Blocking under emergency circumstances

-

-

216

Rule 10 - Blocking orders from Court

2091

143

2234

Requests from individuals and orgs forwarded to CERT-In

-

-

-

Recommendations to not block by CER

-

-

19

Number of blocking requests revoked

-

-

251

In a response to an RTI filed by the Software Freedom Law Centre, DeitY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014.

Shreya Singhal v. Union of India

In its recent judgment, the SC of India upheld the constitutionality of 69A, stating that it was a narrowly-drawn provision with adequate safeguards. The constitutional challenge on behalf of the People’s Union for Civil Liberties (PUCL) considered the manner in which the blocking is done and the arguments focused on the secrecy present in blocking.

The rules may indicate that there is a requirement to identify and contact the originator of information, though as an expert has pointed out, there is no evidence of this in practice. The court has stressed the importance of a written order so that writ petitions may be filed under Article 226 of the Constitution. In doing so, the court seems to have assumed that the originator or intermediary is informed, and therefore held the view that any procedural inconsistencies may be challenged through writ petitions. However, this recourse is rendered ineffective not only due to procedural constraints, but also because of the confidentiality clause. The opaqueness through rule 16 severely reigns in the recourse that may be given to the originator and the intermediary. While the court notes that rule 16 requiring confidentality was argued to be unconstitutional, it does not state its opinion on this question in the judgment. One expert, holds the view that this, by implication, requires that requests cannot be confidential. However, such a reading down of rule 16 is yet to be tested.

Further, Sunil Abraham has pointed out, “block orders are unevenly implemented by ISPs making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.” As there are no comprehensive list of blocked websites or of the legal orders through which they are blocked exists, the public has to rely on media reports and filing RTI requests to understand the censorship regime in India. CIS has previously analysed the leaked block lists and lists received as responses to RTI requests which have revealed that the block orders are full of errors and blocking of entire platforms and not just specific links has taken place.

While the state has the power of blocking content, doing so in secrecy and without judical scrutiny, mark deficiencies that remain in the procedure outlined under the provisions of the blocking rules . The Court could read down rule 16 except for a really narrow set of exceptions, and in not doing so, perhaps has overlooked the opportunities for reform in the existing system. The blocking of 32 websites, is an example of the opaqueness of the system of blocking orders, and where the safeguards assumed by the SC are often not observed such as there being no access to the recommendations that were made by the CER, or towards the revocation of the blocking orders subsequently. CIS filed the RTI to try and understand the grounds for blocking and related procedures and the response has thrown up some issues that must need urgent attention.

Response to RTI filed by CIS

Our first question sought clarification on the websites blocked on 30th December 2014 and the response received from DeitY, E-Security and Cyber Law Group reveals that the websites had been blocked as “they were being used to post information related to ISIS using the resources provided by these websites”. The response also clarifies that the directions to block were issued on 18-12-2014 and as of 09-01-2015, after obtaining an undertaking from website owners, stating their compliance with the Government and Indian laws, the sites were unblocked.

It is not clear if ATS, Mumbai had been intercepting communication or if someone reported these websites. If the ATS was indeed intercepting communication, then as per the rules, the RC should be informed and their recommendations sought. It is unclear, if this was the case and the response evokes the confidentiality clause under rule 16 for not divulging further details. Based on our reading of the rules, court orders should be accessible to the public and without copies of requests and complaints received and knowledge of which organization raised them, there can be no appeal or recourse available to the intermediary or even the general public.

We also asked for a list of all requests for blocking of information that had been received by the DO between January 2013 and January 2015, including the copies of all files that had accepted or rejected. We also specifically, asked for a list of requests under rule 9. The response from DeitY stated that since January 1, 2015 to March 31, 2015 directions to block 143 URLs had been issued based on court orders. The response completely overlooks our request for information, covering the 2 year time period. It also does not cover all types of blocking orders under rule 6 and rule 9, nor the requests that are forwarded to CERT-In, as we have gauged from the ministry's response to the Parliament. Contrary to the SC's assumption of contacting the orginator of information, it is also clear from DeitY's response that only the websites had been contacted and the letter states that the “websites replied only after blocking of objectionable content”. 

Further, seeking clarification on the functioning of the CER, we asked for the recent composition of members and the dates and copies of the minutes of all meetings including copies of the recommendations made by them. The response merely quotes rule 7 as the reference for the composition and does not provide any names or other details. We ascertain that as per the DeitY website Shri B.J. Srinath, Scientist-G/GC is the appointed Designated Officer, however this needs confirmation. While we are already aware of the structure of the CER which representatives and appointed public officers are guiding the examination of requests remains unclear. Presently, there are 3 Joint Secretaries appointed under the Ministry of Law and Justice, the Home Ministry has appointed 19, while 3 are appointed under the Ministry of Information and Broadcasting. Further, it is not clear which grade of scientist would be appointed to this committee from CERT-In as the rules do not specify this. While the government has clarified in their answer to Parliament that the committee had recommended not to block 19 URLs in the meetings held between 1st January 2014 to till date, it is remains unclear who is taking these decisions to block and revoke blocked URLs. The response from DeitY specifies that the CER has met six times between 2014 and March 2015, however stops short on sharing any further information or copies of files on complaints and recommendations of the CER, citing rule 16.

Finally, answering our question on the composition of the RC the letter merely highlights the provision providing for the composition under 419A of the Indian Telegraph Rules, 1951. The response clarifies that so far, the RC has met once on 7th December, 2013 under the Chairmanship of the Cabinet Secretary, Department of Legal Affaits and Secretary, DOT. Our request for minutes of meetings and copies of orders and findings of the RC is denied by simply stating that “minutes are not available”. Under 419A, any directions for interception of any message or class of messages under sub-section (2) of Section 5 of the Indian Telegraph Act, 1885 issued by the competent authority shall contain reasons for such direction and a copy of such order shall be forwarded to the concerned RC within a period of seven working days. Given that the RC has met just once since 2013, it is unclear if the RC is not functioning or if the interception of messages is being guided through other procedures. Further, we do not yet know details or have any records of revocation orders or notices sent to intermediary contacts. This restricts the citizens’ right to receive information and DeitY should work to make these available for the public.

Given the response to our RTI, the Ministry's response to Parliament and the SC judgment we recommend the following steps be taken by the DeitY to ensure that we create a procedure that is just, accountable and follows the rule of law.

The revocation of rule 16 needs urgent clarification for two reasons:

  1. Under Section 22 of the RTI Act provisions thereof, override all conflicting provisions in any other legislation.
  2. In upholding the constitutionality of S69A the SC cites the requirement of reasons behind blocking orders to be recorded in writing, so that they may be challenged by means of writ petitions filed under Article 226 of the Constitution of India.

If the blocking orders or the meetings of the CER and RC that consider the reasons in the orders are to remain shrouded in secrecy and unavailable through RTI requests, filing writ petitions challenging these decisions will not be possible, rendering this very important safeguard for the protection of online free speech and expression infructuous. In summation, the need for comprehensive legislative reform remains in the blocking procedures and the government should act to address the pressing need for transparency and accountability. Not only does opacity curtial the strengths of democracy it also impedes good governance. We have filed an RTI seeking a comprehensive account of the blocking procedure, functioning of committees from 2009-2015 and we shall publish any information that we may receive.

Response from DeitY Clarifying Procedures for Blocking

by Prasad Krishna last modified Apr 29, 2015 02:36 PM

PDF document icon Response Deity.pdf — PDF document, 2556 kB (2617537 bytes)

Don't Do Nothing. Take a Stand on Net Neutrality.

by T. Vishnu Vardhan last modified May 08, 2015 02:11 PM
Are you wondering what Net Neutrality is, and why the term has suddenly got so much attention in India among the Netizens? Do you need to be concerned about Net Neutrality? We will try to address these in this short post on Net Neutrality.

The blog post was published by NDTV on April 13, 2015.


First things first. Net Neutrality (or Network Neutrality) is a globally-accepted principle of keeping the Internet freedom intact. Now you may wonder who is threatening Internet freedom, or how that is even possible. Well, it is.

By who? Your Internet Service Provider (ISP). Some also use the term MISP, which means Mobile Internet Service Provider. How can they do it? By simply not treating the data on the Internet equally. Let's make it even simpler with an example. Imagine your cable network provider promises you access to ATV, BTV, CTV and DTV (of course we know you get 300+ channels!) and takes a monthly subscription fee. Now you have a favourite show on DTV that you have been watching for a year. Suddenly your cable network provider comes to some business arrangement with ATV (let's call it sharing revenues!) and starts tweaking his signal. So your DTV signal becomes faint and you keep getting frozen frames and breaking sounds, whereas the audio video quality of ATV is superb. Not only that, your channel numbers are automatically reset, and the channel number on which you used to watch DTV now is configured to ATV.

The same thing, when it happens in the Internet context, is called breaking Net Neutrality. That is, the ISP starts discriminating which App you can use better, which sites will stream video faster, and so on and so forth. So by breaking Net Neutrality, the ISPs, by joining hands with some big companies (content providers) will build walled Internet gardens within which your experience of the world wide web will be limited. The <www> will no more be "world wide web" but will be "walled within my web"!

Is this bad? Well, most of the Internet fraternity that believes in the unending freedom the Internet provides thinks so. For budding App makers, e-biz players, etc. it is quite a jolt. A large corporate player like Facebook can easily team up with ISPs and rob the level playing field to all these budding players. Because the ISPs can potentially discriminate against the budding players or newcomers, there is a fair chance that you are curtailing innovation and new entrepreneurship on the Internet. Well "make in India" may still happen, but with limited large players who could potentially cannibalize the Internet!

If you are a simple consumer of the Internet and not bothered about the business dynamics, the violation of net neutrality will affect you too. Definitely not in terms of increased Internet data pack prices. In fact, there is a fair chance that you will be given freebies like "Buy this Internet Data Pack and you will get 3 months free of Facebook usage". However, in the bargain, over the long run, we all will lose out on something precious that money cannot always buy, something that is considered inherent to the Internet ... the FREEDOM to choose and the FREEDOM to express.

Let's look at the other side of the coin. Why is it that the ISPs want to do this? They have realized that some data providers (those who build Apps, websites, etc.) are making quite a big buck and they want a share of that profit, because they need to meet their large infrastructural costs that they have incurred in setting up towers, cables, etc. They are bleeding, they say, and need to find sustainable business models. They do not want to burden the consumer by increasing the data charges and this is an ingenious way of making their business sustainable. Win-win scenario, only at the cost of Freedom. To hell with Freedom, we give you Internet for FREE!

To deal with this issue effectively, Telecom Regulatory Authority of India (TRAI) has put out a consultation paper called Regulatory Framework for Over-the-top (OTT) services for feedback from stakeholders. It's available here. If you use the Internet in India (either on mobile or on a system) then you too are a stakeholder. We hope that this post will help you to participate in the consultation process.

The Hazards of a Non-neutral Internet

by Geetha Hariharan last modified May 27, 2015 04:07 PM
Spurred by recent events, India’s policy circles are dancing to the complex tunes of net neutrality. Airtel came under fire for pricing calls made over the Internet differentially; it has since withdrawn this plan. Airtel and Reliance Communications are caught in the storm as Airtel Zero and Internet.org, the Facebook-spearheaded product for low-cost Internet access, face stiff criticism for violating net neutrality. Companies like Flipkart, which earlier supported these products, have stepped back and are throwing their weight behind net neutrality. The Department of Telecommunications has set up a six-member panel to consult on net neutrality.

A modified version of the blog entry was published as an article titled "A must for free speech" in the Week on April 18, 2015


Responding to concerns, the Telecom Regulatory Authority of India (TRAI) released a consultation paper on OTT services on March 27, 2015. TRAI has called for public comments to be sent by April 24, 2015, and counter-comments to be sent by May 8, 2015. The TRAI consultation paper raises several crucial issues, including net neutrality. Given the heightened interest in the issue, let us two steps back and revisit the basics about net neutrality.

What is net neutrality?

In the simplest terms, net neutrality is the principle by which the carrier (telco/ISP like Reliance, Airtel) is prohibited from discriminating between any two ‘packets’ of data carried over its network. That is, ISPs ought not treat data packets differently, no matter what the content, source or price.

It follows, then, that when packets are given differential treatment, the principle of net neutrality is violated. As Centre for Internet and Society’s Sunil Abraham explains, differential treatment may occur in many ways: first, carriers may provide consumers with free access to certain websites or web content, while charging the sender or destination; second, ISPs may throttle traffic of one website/company to give it priority over other sites (the website will then load faster than others); third, ISPs may refuse access to some websites unless consumers or content-providers pay extra charges. Other violations abound too; this list is merely illustrative.

Diversity, Innovation & Competition: The Costs of Net Non-neutrality

Let us take zero-rating to explore the impacts of a net neutrality violation. In Internet.org and Airtel Zero, companies like Facebook and Flipkart (prior to the latter’s withdrawal) pay to provide users with free access to their cluster of websites; these are examples of “zero-rating”. Telcos and content-providers like Facebook argue that this is crucial to expand Internet access in price-sensitive markets like India. While this is an important consideration, zero-rating can have detrimental impacts on free speech and diversity, competition and innovation. It can result in “walled gardens” and a diversity-trap, where the only sites we can access are the walled gardens of curated information compiled by Facebook and the like.

Today, we can access an unprecedented variety of content across freely accessible platforms. We pay for our Internet connections and for data, but the content we access is neither set nor monitored by ISPs or content-providers, unless legally mandated to do so under Section 69 of Information Technology Act, 2000. Our freedom to access and receive diverse information is not curated by the companies themselves (as Facebook would in Internet.org) or their ability to pay ISPs to carry traffic. But with zero-rating, preferential access or traffic throttling, content diversity will suffer.

Of course, impact of receding diversity of content may not be felt in the short term, if access is made the priority. However, if net non-neutrality is allowed to continue in perpetuity, this may result in corporate curation and censorship of content. Moreover, since established players can better shell out the money needed for zero-rated or prioritised access, new companies and start-ups may find their entry blocked. Such a possibility is vexing for innovation, as greater costs will disincentivise smaller players from entering the market. There is also an impact on competition: entrenched players who can afford to pay carriers will dig their heels deeper, and become the sole curators of content. This is censorship by market design.

Access and Self-preservation, say the Telcos

Some telecom operators and ISPs argue that zero-rating is essential for universal access to data services, a dream of the Digital India mission. They also stress that OTTs like Whatsapp, Viber, Skype and others are free-riding on their networks and usurping their revenue, since it is the telcos and not OTTs who pay licence fees and spectrum charges. Finally, telcos and ISPs say that treating packets differently is a form of network and traffic management; such management is crucial to an efficient and open Internet, and is an age-old practice of operators.

Of course, traffic and network management practices do exist, and operators do block or manage speeds during congestion periods or when there are security threats. As users, we also experience different Internet speeds depending on the hardware and software employed by operators, the time of day, the type of content accessed (video/ audio/ text), etc. As Christopher Yoo says, operators should be free to experiment with network management practices (‘network diversity’) so long as consumers and competition suffer no detriment.

But as reports show, net non-neutrality practices have negative impacts on speech diversity, innovation and competition, among others. Any proposal to grant legal recognition to net non-neutrality practices like zero-rating, traffic-prioritization or others, which depend on the consumer or content-provider’s ability to pay and result in differential treatment of data packets, must answer these concerns and provide safeguards. In Shreya Singhal, the Supreme Court affirmed the value of freedom of speech and diversity; saying that “…a culture of open dialogue is important”, the Court declared that “…we need to tolerate unpopular views”. Internet companies and telcos provide the platforms to make such views available. Through traffic prioritization and zero-rating, and by chilling innovation and competition, net neutrality violations can stifle speech diversity. The Department of Telecom and TRAI must remember this when debating a net neutrality regulation.

Internet Intermediaries Law and Innovation Panel

by Prasad Krishna last modified Jun 14, 2015 02:47 PM

OpenDocument Presentation icon Internet Intermediaries Law and Innovation Panel 02062015.odp — OpenDocument Presentation, 301 kB (308683 bytes)

Re-thinking Tomorrow

by Prasad Krishna last modified Jun 19, 2015 02:10 PM

PDF document icon Rethinking.pdf — PDF document, 209 kB (214308 bytes)

Document Actions